Solar Power Installations Worldwide Open to Cloud API Bugs

A recent analysis of two widely used technologies in residential and commercial solar power installations revealed multiple vulnerabilities in their cloud APIs, which, if exploited, would potentially have allowed an attacker to take down parts of any connected power grid.

Researchers at Bitdefender discovered the issues on Solarman, one of the world's largest platforms for managing solar power systems, and on Deye Cloud for managing inverters from China's Ningbo Deye Inverter Technology. Both have since addressed the issues that Bitdefender reported to them.

An inverter is a device that coverts the direct current (DC) electricity produced by solar panels into alternating current (AC) electricity, the standard form used in homes and the electrical grid. They can also monitor and report on the solar system's performance.

"In grid-tied solar power systems, the inverter synchronizes the phase and frequency of the AC output with the grid," Bitdefender said in a report. The goal is to ensure that solar-generated energy is compatible with the grid and can be safely exported to it. Because differences in phase and voltage can crash the grid, "power distributors and governments see any deliberate attempts to bypass these grid safety measures as a threat to national security," Bitdefender noted.

Solarman's platform allows residential and commercial users of Deye and other inverter brands to remotely monitor the devices in real-time. Multiple vendors of other photovoltaic (PV) equipment also use the Solarman platform to connect users with their respective products, over the cloud. Among other things, Solarman offers a data logger that gathers metrics such as the total power output from a solar installation, as well as its voltage and current.

"This management feature improves system performance, enhances reliability, and supports informed decision-making," Bitdefender noted. Some 2.5 million photovoltaic installations are currently connected to the Solarman platform, from more than 190 countries. Together they produce over 195 gigawatts of power in total — or roughly 20% of total solar electric production globally.

Faulty Cloud APIs

"The issue we discovered lies in the cloud APIs that connect the hardware with the user," both on Solarman's platform and on Deye Cloud, says Bogdan Botezatu, director of threat Research and reporting at Bitdefender. "These APIs have vulnerable endpoints that allow an unauthorized third party to change settings or otherwise control the inverters and data loggers via the vulnerable Solarman and Deye platforms," he says.

Bitdefender, for instance, found that the Solarman platform's /oauth2-s/oauth/token API endpoint would let an attacker generate authorization tokens for any regular or business accounts on the platform. "This means that a malicious user could iterate through all accounts, take over any of them and modify inverter parameters or change how the inverter interacts with the grid," Bitdefender said in its report. The security vendor also found Solarman's API endpoints to be exposing an excessive amount of information — including personally identifiable information — about organizations and individuals on the platform. The extensive data exposure via these API endpoints would have allowed attackers to obtain the GPS coordinates from solar installations and their real-time production capability, Bitdefender said.

"A worst-case scenario would be to force too much power into the network to destabilize the grid's normal working parameters," Botezatu notes. "This, in turn, can cascade into potential disruptions of service or partial loss of power on the affected grid segments."

Given that solar production facilities connected to the Solarman cloud are spread across the world, isolating the misbehaving devices would not have been a feasible mitigation, he says.

Multiple Avenues to Attack

Meanwhile. up to at least the beginning of this year, China-based Ningbo Deye Inverter Technology Co. used Solarman's platform to connect customers with its inverter products. But more recently, they appear to have begun using their own datacenter and platform for managing their customers, Bitdefender said. The security vendor's analysis of Deye's platform showed it to use a hardcoded account and a basic password (123456) to access devices. "This account can obtain an authorization token that grants access to any device, exposing sensitive information such as software versions, Wi-Fi credentials, and more," Bitdefender said. As with the Solarman platform, API endpoints on Deye Cloud too returned excessive private information. Bitdefender's analysis showed the platform's OAuth token API endpoint generating a valid, signed but faulty token.

"The result of a successful attack [via such weaknesses] would be either collection of troves of personally identifiable information or tampering with the inverter settings," Botezatu says. "Beyond misconfiguring the grid injection parameters, an attacker could instruct some inverter setups to draw power from the grid to charge batteries during peak demand times, thus causing financial impact as well."