Global Solar Power Installations Exposed to Cloud API Vulnerabilities

Researchers at Bitdefender recently uncovered vulnerabilities in the cloud APIs of two major technologies used in solar power installations, Solarman and Deye Cloud. These vulnerabilities, if exploited, could potentially allow an attacker to disrupt parts of a connected power grid. Both platforms have since addressed the issues identified by Bitdefender.

Inverters play a crucial role in solar power systems by converting direct current (DC) electricity into alternating current (AC), which is the standard form used in homes and the electrical grid. These devices also monitor and report on the performance of the solar system. In grid-tied solar power systems, the inverter ensures that the solar-generated energy is compatible with the grid by synchronizing the phase and frequency of the AC output. Any discrepancies in phase and voltage can destabilize the grid, posing a threat to national security.

Solarman’s platform enables users to monitor their solar power systems in real time, providing valuable insights into system performance. The platform serves millions of photovoltaic installations worldwide, generating a significant portion of global solar electric production. However, vulnerabilities in the cloud APIs of Solarman and Deye Cloud raised concerns about the security of these systems.

Bitdefender found that the Solarman platform’s API endpoints had vulnerabilities that could allow an unauthorized third party to manipulate inverter settings and data loggers. Attackers could generate authorization tokens for any account on the platform, granting them access to sensitive information and control over the devices. Similarly, Deye Cloud’s platform was found to have hardcoded credentials and exposed private information through its API endpoints.

The implications of these vulnerabilities are significant. Attackers could potentially disrupt the normal functioning of the grid by forcing excessive power into the network, leading to service disruptions or partial loss of power in affected areas. The widespread deployment of solar production facilities connected to these platforms makes isolating misbehaving devices challenging, further increasing the risk posed by these vulnerabilities.

The recent shift by Deye Inverter Technology to manage its customers through its own platform indicates a response to the security concerns raised by Bitdefender. However, the use of hardcoded credentials and faulty tokens in their platform raises similar security risks. Unauthorized access to inverter settings and sensitive information could have serious consequences, including financial impact and grid instability.

Addressing these vulnerabilities is crucial to safeguarding the integrity and security of solar power installations. Manufacturers and service providers must prioritize security measures in their cloud APIs to prevent unauthorized access and manipulation of solar power systems. As the world continues to transition towards renewable energy sources, ensuring the resilience of solar power infrastructure is paramount in maintaining a reliable and sustainable energy grid.
