Bitdefender discovered significant vulnerabilities in solar power management platforms operated by Solarman and Deye, potentially allowing cyber attackers to hijack a solar grid responsible for 195 gigawatts of power, equivalent to the total energy consumption of the United States.
Discovery and reporting
Bitdefender’s research focused on the potential cyber threats to inverters, particularly those connected to the Solarman platform, which manages over 195 gigawatts of power across more than two million PV plants. The researchers conducted extensive testing and analysis to uncover the vulnerabilities and validate their findings.
The research team published their findings earlier today, revealing serious security flaws that could disrupt solar power generation on a massive scale. These vulnerabilities were responsibly disclosed to the affected vendors, who have since addressed and patched the issues.
However, the supply chain is complex and the issues continue to impact several Solarman partners in the United States and Canada.
Vulnerabilities uncovered
The researchers identified several critical weaknesses summarized as follows:
- Full account takeover: Attackers could exploit the Solarman platform’s /oauth2-s/oauth/token API endpoint to generate authorization tokens, allowing them to control any regular or business account.
- Token reuse across platforms: JWT tokens from the Deye Cloud platform were valid on the Solarman platform, enabling unauthorized access.
- Excessive data exposure: Solarman’s API endpoints exposed sensitive information about organizations and users, including email addresses, phone numbers, and GPS coordinates of solar installations.
- Hard-coded credentials: Deye’s platform used hard-coded credentials to access device data, which could be exploited to gain access to any device.
- Information leakage: API endpoints on Deye’s platform returned excessive private information about users, including names, email addresses, phone numbers, and user IDs.
These vulnerabilities, if exploited, could allow attackers to control inverter settings, disrupt power generation, and potentially cause widespread blackouts.
Implications for grid security
Solar power is a vital component of the global energy landscape, reducing dependence on fossil fuels and lowering greenhouse gas emissions. However, integrating decentralized solar systems into the grid presents challenges, including managing variability in power generation and maintaining grid stability.
Solar inverters, which convert DC electricity from solar panels into AC electricity for grid use, are critical in managing these challenges. Inverters ensure grid synchronization and maintain voltage levels. The vulnerabilities discovered in the Solarman and Deye platforms highlight the importance of securing these critical components.
These vulnerabilities pose significant risks to grid security. Unauthorized control of inverters could lead to power disruptions and voltage fluctuations, compromising grid stability and potentially causing blackouts. Data breaches resulting in privacy violations are also possible through the identified flaws.
The timely response from Solarman and Deye in fixing these vulnerabilities is crucial to mitigating these risks, but impacted partners must also apply those fixes during their upcoming maintenance intervals, or they will remain vulnerable to disruptive attacks.