Cybersecurity researchers have revealed 46 critical security vulnerabilities in products provided by three prominent solar power system manufacturers: Sungrow, Growatt, and SMA. These vulnerabilities may allow malicious actors to commandeer affected devices or execute remote code, posing significant risks to electrical grid stability.

Designated as SUN:DOWN by Forescout Vedere Labs, these vulnerabilities have far-reaching implications, as attackers could exploit them to execute arbitrary commands on devices or cloud services, compromise accounts, and gain unauthorized access to users’ inverters. The potential for severe disruption to electrical grids is alarming.

According to the report, these flaws encompass a wide range of security issues. For instance, attackers can upload harmful .aspx files to SMA’s web server, enabling remote code execution. Other vulnerabilities allow unauthorized users to enumerate usernames and access sensitive information related to users’ plants and devices via insecure API endpoints. Such exposures could lead to account takeovers or even enable privilege escalation.

Sungrow’s associated Android app presents further risks: it uses an insecure AES key for data encryption, which leaves its communications open to interception and decryption. The app also disregards certificate errors, making it vulnerable to man-in-the-middle attacks. This combination of security gaps significantly heightens the risk of unauthorized access to infrastructure.

Forescout warns that an attacker could, for instance, use Growatt’s API to determine valid usernames, reset their passwords to common defaults, and carry out further exploitation. Such a scenario could allow an attacker to take control of many devices at once, potentially turning them into a botnet capable of launching extensive attacks against power grids.
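From the defender's side, the enumerate-then-reset sequence described above leaves a recognizable pattern in API access logs. The following is an added example, not code from Forescout's report or from any vendor: the endpoint paths, the meaning of the status codes (200 taken to mean the username exists), the log format, and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip endpoint username http_status".
# The endpoint paths are hypothetical, not any vendor's real API routes.
SAMPLE_LOG = """\
2025-03-01T10:00:00 198.51.100.7 /api/user/exists alice 200
2025-03-01T10:00:01 198.51.100.7 /api/user/exists bob 404
2025-03-01T10:00:02 198.51.100.7 /api/user/exists carol 200
2025-03-01T10:00:03 198.51.100.7 /api/user/exists dave 404
2025-03-01T10:00:04 198.51.100.7 /api/user/exists erin 200
2025-03-01T10:00:30 198.51.100.7 /api/user/reset-password alice 200
2025-03-01T10:00:31 198.51.100.7 /api/user/reset-password carol 200
2025-03-01T10:05:00 203.0.113.20 /api/user/exists frank 200
2025-03-01T10:05:40 203.0.113.20 /api/user/reset-password frank 200
"""

LOOKUP, RESET = "/api/user/exists", "/api/user/reset-password"

def parse(log):
    for line in log.splitlines():
        ts, src, path, user, status = line.split()
        yield datetime.fromisoformat(ts), src, path, user, int(status)

def find_enum_then_reset(log, min_lookups=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted usernames reset after that source enumerated them}."""
    lookups = defaultdict(list)      # src -> [(time, user)] for every lookup
    confirmed = defaultdict(dict)    # src -> {user: time a lookup confirmed it}
    alerts = defaultdict(set)
    for ts, src, path, user, status in sorted(parse(log)):
        if path == LOOKUP:
            lookups[src].append((ts, user))
            if status == 200:        # assumption: 200 means the username exists
                confirmed[src][user] = ts
        elif path == RESET and user in confirmed[src]:
            # Distinct usernames this source probed inside the window before the reset.
            probed = {u for t, u in lookups[src] if ts - t <= window}
            if len(probed) >= min_lookups and ts - confirmed[src][user] <= window:
                alerts[src].add(user)
    return {src: sorted(users) for src, users in alerts.items()}

if __name__ == "__main__":
    for src, users in find_enum_then_reset(SAMPLE_LOG).items():
        print(f"{src}: enumeration followed by reset of {users}")
```

A single lookup followed by a reset, as a legitimate user would produce, stays below the threshold; only a source that probes many distinct usernames and then resets ones it confirmed is reported.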

These vulnerabilities illustrate potential tactics and techniques found in the MITRE ATT&CK framework, including initial access via poorly secured APIs, persistence through compromised accounts, and privilege escalation through exposed device controls. Attackers could use these methods to compromise multiple devices and put power delivery at risk of significant disruption.

All three vendors have since addressed these vulnerabilities following responsible disclosure protocols. SMA, for example, confirmed the rectification of the issue related to its Sunny Portal on December 19, 2024, though it stated that there has been no evidence of real-world exploitation of the flaw.

As the complexity of cyber threats grows, these findings serve as a stark reminder for businesses in the renewable energy sector to implement stringent security measures when deploying solar technology. Regular risk assessments and comprehensive visibility into networked devices are essential in mitigating potential risks associated with vulnerabilities.

This disclosure arrives as security flaws have also been identified in production line monitoring cameras from Japanese firm Inaba Denki Sangyo, raising serious concerns about remote surveillance capabilities and the ability to interfere with crucial operational data. The need for fortified cybersecurity remains critical, particularly as industries become increasingly reliant on interconnected technologies.

(The story was updated to clarify that the vulnerability discovered in SMA specifically impacted its Sunny Portal rather than its inverters, adjusting the headline to accurately reflect this distinction.)
