Cybersecurity researchers have discovered several security vulnerabilities in photovoltaic system management platforms operated by Chinese companies Solarman and Deye, which could be exploited by malicious actors to cause disruptions and power outages.
“If these vulnerabilities are exploited, an attacker could manipulate inverter settings, potentially taking down parts of the grid and leading to blackouts,” Bitdefender researchers stated in a report published last week.
The vulnerabilities were patched by Solarman and Deye as of July 2024, following a responsible disclosure made on May 22, 2024.
The Romanian cybersecurity firm, which conducted the analysis of the two PV monitoring and management platforms, identified a range of issues that could lead to account takeovers and information leaks, among other risks.
Key issues identified include:
- Full Account Takeover via Authorization Token Manipulation using the /oauth2-s/oauth/token API endpoint
- Deye Cloud Token Reuse
- Information Leak through the /group-s/acc/orgs API Endpoint
- Hard-coded Account with Unrestricted Device Access (account: “SmartConfigurator@solarmanpv.com” / password: 123456)
- Information Leak through the /user-s/acc/orgs API Endpoint
- Potential Unauthorized Authorization Token Generation
Exploiting these vulnerabilities could enable attackers to take control of any Solarman account, reuse JSON Web Tokens (JWTs) from Deye Cloud to gain unauthorized access to Solarman accounts, and access private information about all registered organizations.
Attackers could also gather details about any Deye device, access confidential user data, and even generate authentication tokens for any user on the platform, severely compromising its confidentiality and integrity.
“By taking over accounts and controlling solar inverters, attackers could disrupt power generation, leading to voltage fluctuations,” the researchers warned.
“Sensitive user and organizational information could be exposed, resulting in privacy breaches, information theft, targeted phishing attacks, or other malicious activities. By altering settings on solar inverters, attackers could cause widespread disruptions in power distribution, destabilizing the grid and potentially causing blackouts.”