Researchers reveal 46 serious defects in Sungrow, Growatt and SMA solar inverters


March 28, 2025Ravi LakshmananOperational Technology/Vulnerability

Serious defects in solar inverters

Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could allow bad actors to seize control of devices, execute code remotely, and pose severe risks to electrical grids.

The vulnerabilities have been collectively codenamed Sun by Forescout Vedere Labs.

“New vulnerabilities will be exploited to run any command on the device or vendor’s cloud, take over accounts, gain scaffolding for the vendor’s infrastructure, and control the devices of the inverter owner,” the company said in a report shared with Hacker News.


Some of the notable defects identified are listed below –

  • Attackers can upload .aspx files that are executed by SMA's web server (sunnyportal[.]com), achieving remote code execution
  • Unauthenticated attackers can perform username enumeration via the exposed "server.growatt.com/usercenter.do" endpoint
  • Attackers can obtain a smart meter's serial number using a valid username via the "server-api.growatt.com/newplantapi.do" endpoint
  • … disclosure and physical damage
  • Android applications associated with Sungrow use insecure AES keys to encrypt client data, opening the door to a scenario where attackers can intercept and decrypt communications between the mobile apps and iSolarCloud
  • Passwords that can be used to decrypt all firmware updates
  • Multiple vulnerabilities in Sungrow when processing MQTT messages that can lead to remote code execution or denial-of-service (DoS) conditions

“Attackers who have used newly discovered vulnerabilities to gain control of large fleets of Sungrow, Growatt and SMA inverters can control enough power to cause instability in these and other major grids,” Forescout said.

In a hypothetical attack scenario targeting Growatt inverters, a threat actor could guess the usernames of real accounts through the exposed API, hijack those accounts by resetting their passwords to the default “123456”, and then carry out subsequent exploitation.


Worse, an attacker could control the fleet of hijacked inverters as a botnet to amplify the attack and damage the grid, leading to grid disruption and potential blackouts. All the vendors have since addressed the identified issues following responsible disclosure.

“Attackers have control over the entire fleet of devices that affect energy production, so they can change settings to send more or less energy to the grid at certain times,” Forescout said, adding that the newly discovered flaws risk exposing the grid to cyber-physical ransomware attacks.

Daniel Dos Santos, head of research at Forescout Vedere Labs, said that mitigating the risk requires enforcing strict security requirements when procuring solar equipment, conducting regular risk assessments, and ensuring full network visibility into these devices.

The disclosure comes as serious security flaws have been discovered in production line surveillance cameras made by Japanese company Inaba Denki Sangyo, which can be misused for remote surveillance and to prevent the recording of production outages.


The vulnerabilities remain unpatched, but the vendor is urging customers to restrict internet access and to ensure that such devices are installed in secure, restricted areas that are accessible only to certified personnel.

“These flaws allow a variety of attacks, allowing unauthorized attackers to access live footage remotely and secretly for surveillance, disrupting records of production line outages and preventing them from acquiring critical moments.”

In recent months, operational technology (OT) security companies have also detailed several security flaws in the GE Vernova N60 network relay, the Zettler 130.8005 industrial gateway, and the Wago 750-8216/025-001 programmable logic controller (PLC) that attackers can use to take control of the devices.
