Cybersecurity researchers have disclosed 46 new safety flaws in merchandise from three photo voltaic inverter distributors, Sungrow, Growatt, and SMA, that may very well be exploited by a foul actor to grab management of gadgets or execute code remotely, posing extreme dangers to electrical grids.
The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs.
“The brand new vulnerabilities may be exploited to execute arbitrary instructions on gadgets or the seller’s cloud, take over accounts, acquire a foothold within the vendor’s infrastructure, or take management of inverter homeowners’ gadgets,” the corporate stated in a report shared with The Hacker Information.
Among the notable flaws recognized are listed under –
- Attackers can add .aspx recordsdata that can be executed by the online server of SMA (sunnyportal[.]com), leading to distant code execution
- Unauthenticated attackers can carry out username enumeration by way of the uncovered “server.growatt.com/userCenter.do” endpoint
- Unauthenticated attackers can receive the record of crops belonging to different customers in addition to arbitrary gadgets by way of the “server-api.growatt.com/newTwoEicAPI.do” endpoint, leading to gadget takeover
- Unauthenticated attackers can receive the serial variety of a wise meter utilizing a legitimate username by way of the “server-api.growatt.com/newPlantAPI.do” endpoint, leading to account takeover
- Unauthenticated attackers can receive details about EV chargers, vitality consumption data, and different delicate knowledge by way of the “evcharge.growatt.com/ocpp” endpoint, in addition to remotely configure EV chargers and acquire data associated to firmware, leading to data disclosure and bodily injury
- The Android utility related to Sungrow makes use of an insecure AES key to encrypt consumer knowledge, opening the door to a situation the place an attacker can intercept and decrypt communications between the cellular app and iSolarCloud
- The Android utility related to Sungrow explicitly ignores certificates errors and is susceptible to adversary-in-the-middle (AitM) assaults
- Sungrow’s WiNet WebUI incorporates a hard-coded password that can be utilized to decrypt all firmware updates
- A number of vulnerabilities in Sungrow when dealing with MQTT messages that might lead to distant code execution or a denial-of-service (DoS) situation
“An attacker that gained management of a big fleet of Sungrow, Growatt, and SMA inverters utilizing the newly found vulnerabilities might management sufficient energy to trigger instability to those energy grids and different main ones,” Forescout stated.
In a hypothetical assault situation concentrating on Growatt inverters, a risk actor might guess the actual account usernames by an uncovered API, hijack the accounts by resetting their passwords to the default “123456,” and carry out follow-on exploitation.
To make issues worse, the hijacked fleet of inverters might then be managed as a botnet to amplify the assault and inflict injury on the grid, resulting in grid disruption and potential blackouts. All of the distributors have since addressed the recognized points following accountable disclosure.
“As attackers can management whole fleets of gadgets with an affect on vitality manufacturing, they will alter their settings to ship roughly vitality to the grid at sure occasions,” Forescout stated, including the newly found flaws threat exposing the grid to cyber-physical ransomware assaults.
Daniel dos Santos, Head of Analysis at Forescout Vedere Labs, stated mitigating the dangers requires implementing strict safety necessities when procuring photo voltaic gear, conducting common threat assessments, and guaranteeing full community visibility into these gadgets.
The disclosure comes as severe safety flaws have been found in manufacturing line monitoring cameras made by Japanese firm Inaba Denki Sangyo that may very well be exploited for distant surveillance and forestall recording manufacturing stoppages.
The vulnerabilities stay unpatched, however the vendor has urged prospects to limit web entry and restrict be certain that such gadgets are put in in a safe, restricted space that is accessible solely to licensed personnel.
“These flaws allow numerous assaults, permitting an unauthenticated attacker to remotely and secretly entry reside footage for surveillance, or disrupt the recording of manufacturing line stoppages stopping the seize of essential moments,” Nozomi Networks stated.
In current months, the operational know-how (OT) safety firm has additionally detailed a number of safety defects within the GE Vernova N60 Community Relay, Zettler 130.8005 industrial gateway, and Wago 750-8216/025-001 programmable logic controller (PLC) that may very well be weaponized by an attacker to take full management of the gadgets.