Hacker was able to sabotage tens of thousands of solar panels thanks to a password left lying around

Dutch hacker Jelle Ursem discovered the password in April 2021. By then, the login information had been publicly available online for more than a year and a half. Anyone who knew where to find it could access the admin panel of the Chinese brand SolarMAN.

Inverters are needed to convert generated electricity into usable electricity. Without these devices, solar panels are useless.

‘Very unprofessional’

“A password that was available to everyone. We’re not that stupid, are we?” says Aiko Pras, professor of internet security at the University of Twente. “So it happens anyway. The mistakes are even dumber than you can imagine.”

The hacker Ursem notified the Chinese company last year, after which the password would be changed quickly. But when the ethical hacker tried to log in again with the old password in February of this year, the login simply worked again. Professor Pras considers it very unprofessional that the Chinese company treats its security in this way.

The SolarMAN online environment shows exactly where the inverters are located. In the Netherlands there are more than 40,000 locations. Worldwide, this involves more than a million locations, mainly in China and Australia.

Sabotaging solar panels

It was also possible to download the technical controls of the devices, change them and upload them to the inverters, Frank Breedijk of the Dutch Institute for Vulnerability Disclosure (DIVD) told RTL Nieuws.

“If you can tweak the software on the devices, you can do nasty things,” says Georgios Smaragdakis, professor of cyber security at TU Delft. That way the devices can be turned off remotely. The owner can then no longer use generated solar energy at home or feed it back into the grid, which makes expensive solar panels useless.

The DIVD

The Dutch Institute for Vulnerability Disclosure (DIVD) is an organization of hackers and security researchers who want to make the Internet safer. They do this by informing companies and organizations about existing vulnerabilities.

In this case, the DIVD collaborated with the National Cyber Security Center (NCSC) of the Dutch government. It contacted the Chinese authorities in February and April to get hold of the company behind SolarMAN.

On July 2, the password was again changed and the page where it was online was removed. SolarMAN says in a response to RTL Nieuws that it was only aware of the matter at the beginning of July.

If a malicious person controls enough inverters, it would also be possible to put a strain on the power grid. “With tens of thousands of devices, probably spread all over the Netherlands, it was difficult to really damage the power grid in this case,” says Smaragdakis. “You’ll need hundreds of thousands for that.”

That doesn’t mean there was no danger. “A hacker can adjust the security settings around the voltage in such a way that the thing catches fire,” says Pras from the University of Twente.

The Danish Telecom Agency confirms the mentioned vulnerabilities. If devices are not properly secured, people can lose income from, among other things, solar energy. The regulator also points out a fire hazard and, in the worst case, power cuts on the power grid.

“If the inverter is connected to your own WiFi network, a hacker can also shut down your internet,” says the internet security professor.

“If you can completely reprogram an inverter, you can also break it or exclude the supplier,” says Breedijk from DIVD, who today presented the case on stage at a hacker festival in Zeewolde. “In fact, you can make the device dance to your liking.”

Bigger problem

It is not the first time that equipment around solar panels has been found to be vulnerable. In 2017, the hacker Willem Westerhof showed at the same hacker festival that he could hack a German manufacturer of inverters.

“I then deliberately went looking for a company that, in my opinion, would be the best secured,” the hacker recalls. “I wanted to show that the situation with the rest would probably be much worse.”

It won’t be the last time, experts predict. “It’s naive to think that this is the only manufacturer that handles security unprofessionally,” says Pras.

‘More and more dangerous’

“There’s a good chance we’ll see this more often,” says TU Delft’s Smaragdakis. “Next time it could be a hack of hundreds of thousands of devices.”

Smaragdakis: “Unfortunately, more and more devices are connected to the Internet. That’s where the problems start. Anyone from all over the world can connect to it.”

“That’s the problem,” says Westerhof. “This shows that someone who can do a little Googling can suddenly get into our devices. It can be anyone who wants to cause harm. It’s getting more and more dangerous.”

SolarMAN's response

SolarMAN says in a response that the password only gave access to a test environment. Nevertheless, data from real customers could be seen there, such as the municipality of Vlissingen. The company says that it has disconnected the inverters from the Internet.

The Chinese company confirms that it was indeed possible to change the software of the inverters, but states that additional security measures were in place before control could be taken.

As far as is known, the incident did not cause any real damage and the leak has now been closed. SolarMAN states that it works with DIVD to make its products safe.
