Cybersecurity researchers have identified 46 critical security vulnerabilities in solar inverters manufactured by Sungrow, Growatt, and SMA. These flaws, collectively referred to as SUN:DOWN, could allow malicious actors to gain control over these devices or execute code remotely, posing significant threats to electrical grids.
Forescout Vedere Labs, the team behind this discovery, highlighted the potential consequences of these vulnerabilities. Exploitation could lead to unauthorized command execution on devices or the vendors’ cloud platforms, account takeovers, infiltration of vendor infrastructures, and control over inverter owners’ devices.
Key Vulnerabilities Identified:
– SMA Inverters: Attackers can upload .aspx files to the web server of SMA’s Sunny Portal, leading to remote code execution.
– Growatt Inverters: Unauthenticated attackers can perform username enumeration via the server.growatt.com/userCenter.do endpoint. They can also access lists of plants and devices belonging to other users through the server-api.growatt.com/newTwoEicAPI.do endpoint, potentially resulting in device takeovers. Additionally, attackers can obtain smart meter serial numbers using valid usernames via the server-api.growatt.com/newPlantAPI.do endpoint, leading to account takeovers. Sensitive data related to EV chargers and energy consumption can be accessed through the evcharge.growatt.com/ocpp endpoint, allowing remote configuration of EV chargers and potential physical damage.
– Sungrow Inverters: The associated Android application uses an insecure AES key for encrypting client data, making it susceptible to interception and decryption of communications between the mobile app and iSolarCloud. The app also ignores certificate errors, rendering it vulnerable to adversary-in-the-middle attacks. Sungrow’s WiNet WebUI contains a hard-coded password that can decrypt all firmware updates. Multiple vulnerabilities in handling MQTT messages could lead to remote code execution or denial-of-service conditions.
Forescout emphasized the potential impact of these vulnerabilities. An attacker controlling a large number of these inverters could manipulate power outputs to destabilize power grids, leading to disruptions and potential blackouts.
In a hypothetical attack scenario targeting Growatt inverters, a threat actor could exploit exposed APIs to guess real account usernames, reset their passwords to a default value, and gain control over the accounts. The compromised inverters could then be orchestrated as a botnet to amplify the attack, causing significant damage to the grid.
All identified vulnerabilities have been addressed by the respective vendors following responsible disclosure. Forescout advises enforcing strict security requirements for devices connected to critical infrastructure to mitigate such risks.
