A new report from cybersecurity firm Bitdefender has revealed critical security vulnerabilities in two widely used platforms for managing solar power systems, potentially impacting 20% of global solar power production.
The research focuses on Solarman, a major photovoltaic (PV) plant management platform, and Deye, a solar grid inverter platform. The platforms are interconnected, and the vulnerabilities, if exploited, could grant attackers control over inverter settings, potentially causing blackouts and disrupting power distribution worldwide.
Why worldwide?
Solarman’s platform manages millions of installations worldwide, overseeing the production of approximately 195 gigawatts of solar power. The platform’s API architecture is vulnerable to various attacks, including full account takeover, token reuse, and excessive data exposure.
Deye’s inverter platform, which connects to Solarman’s infrastructure, exhibits similar vulnerabilities, including hard-coded credentials, information leakage, and authorization token generation flaws.
If exploited, these vulnerabilities could enable attackers to gain control over solar inverters, manipulating settings and potentially causing grid instability. Exploitation could also allow attackers to access sensitive information, including user data and information on organizations and solar installations.
According to Bitdefender’s blog post shared with Hackread.com ahead of publishing on Wednesday 7 August 2024, the company has responsibly disclosed these vulnerabilities to the affected vendors, who have since implemented fixes. However, the researchers urge users and partners to ensure they are running the latest software updates for both Solarman and Deye platforms.
The report highlights the growing importance of cybersecurity in the energy sector, particularly as renewable energy sources like solar power become increasingly integrated into the grid.
“Integrating solar power into the grid offers immense benefits, but it also introduces attack surfaces that equipment makers must take into account,” concluded Bitdefender. “The security flaws found in the Deye and Solarman platforms highlight the need for robust cybersecurity in managing solar energy systems, as well as in general IoT setups.”
The research will be presented at Defcon 32, a prominent cybersecurity conference, on August 9, 2024.