A Dutch researcher says he found a way to cause mischief on power grids by exploiting software bugs in solar power systems.
Specifically, Willem Westerhof, a cybersecurity researcher at ITsec, said he uncovered worrying flaws within power inverters – the electrical gear that turns direct current from solar panels into alternating current that can be fed into national grids.
These vulnerabilities could be exploited remotely if the equipment was connected to a network accessible to an attacker, it is claimed: a hacker on the same LAN, or reaching an internet-facing inverter from the other side of the world, could get busy abusing the bugs to control the amount of juice going out onto the grid.
Westerhof said he discovered 21 vulnerabilities in inverters manufactured by German specialist SMA Solar Technology, which sells more than $1bn of kit every year. Since solar accounts for almost half of Germany's energy production at its daily generation peak, an inverter hack would have serious consequences.
"In Europe there is over 90 GW of [photovoltaic] power installed. An attacker capable of controlling the flow of power from a large number of these devices could therefore cause peaks or dips of several gigawatts, causing massive balancing issues which may lead to large-scale power outages," he said.
The attack scenario – which Westerhof named Horus after the Egyptian god of the sun – would involve hackers subverting a large number of inverters. He argues these could be hijacked and programmed to either:
- Flood power onto the grid, causing other generators to shut down to prevent the network overloading, or
- Underpower the grid to cause brownouts or blackouts.
Causing massive fluctuations – gigawatts-worth – in power generation in a very short time period would be rather irritating if done at peak solar panel generating time. He cited the 2015 solar eclipse over Germany, which caused a massive drop-off in power generation. Because this happened at a predictable time, the solar slump was manageable. But an attack at random moments and high speed would cause major problems.
After examining SMA's inverters, Westerhof contacted the manufacturer in December with his findings, following responsible disclosure best practices. However, he ran into a morass of buck-passing over fixing the issue, which is why the publication of his research was delayed to this month.
Full technical details of the bugs have been withheld for security reasons; however, the descriptions give you an idea of the scope of the risk:
- CVE-2017-9851: By sending nonsense data or setting up a TELNET session to the database port of [SMA's] Sunny Explorer, the application can be crashed.
- CVE-2017-9852: An Incorrect Password Management issue was discovered in SMA Solar Technology products. Default passwords exist that are rarely changed. User passwords will almost always be default. Installer passwords are expected to be default or similar across installations installed by the same company (but are sometimes changed). Hidden user accounts have (at least in some cases, though more research is required to test this for all hidden user accounts) a fixed password for all devices; it can never be changed by a user. Other vulnerabilities exist that allow an attacker to get the passwords of these hidden user accounts.
- CVE-2017-9853: All inverters have a very weak password policy for the user and installer password. No complexity requirements or length requirements are set. Also, strong passwords are impossible due to a maximum of 12 characters and a limited set of characters.
- CVE-2017-9854: By sniffing for specific packets on the localhost, plaintext passwords can be obtained as they are typed into Sunny Explorer by the user. These passwords can then be used to compromise the overall device.
- CVE-2017-9855: A secondary authentication system is available for Installers called the Grid Guard system. This system uses predictable codes, and a single Grid Guard code can be used on any SMA inverter. Any such code, when combined with the installer account, allows changing very sensitive parameters.
- CVE-2017-9856: Sniffed passwords from SMAdata2+ communication can be decrypted very easily. The passwords are "encrypted" using a very simple encryption algorithm. This enables an attacker to find the plaintext passwords and authenticate to the device.
- CVE-2017-9857: The SMAdata2+ communication protocol does not properly use authentication with encryption: it is vulnerable to man in the middle, packet injection, and replay attacks. Any setting change, authentication packet, scouting packet, etc. can be replayed, injected, or used for a man in the middle session. All functionalities available in Sunny Explorer can effectively be done from anywhere within the network as long as an attacker gets the packet setup correctly. This includes the authentication process for all (including hidden) access levels and the changing of settings in accordance with the gained access rights. Furthermore, because the SMAdata2+ communication channel is unencrypted, an attacker capable of understanding the protocol can eavesdrop on communications.
- CVE-2017-9858: By sending crafted packets to an inverter and observing the response, active and inactive user accounts can be determined. This aids in further attacks (such as a brute force attack) as one now knows exactly which users exist and which do not.
- CVE-2017-9859: The inverters make use of a weak hashing algorithm to encrypt the password for REGISTER requests. This hashing algorithm can be cracked relatively easily. An attacker will likely be able to crack the password using offline crackers. This cracked password can then be used to register at the SMA servers.
- CVE-2017-9860: An attacker can use Sunny Explorer or the SMAdata2+ network protocol to update the device firmware without ever having to authenticate. If an attacker is able to create a custom firmware version that is accepted by the inverter, the inverter is compromised completely. This allows the attacker to do nearly anything: for example, giving access to the local OS, creating a botnet, using the inverters as a stepping stone into companies, etc.
- CVE-2017-9861: The SIP implementation does not properly use authentication with encryption: it is vulnerable to replay attacks, packet injection attacks, and man in the middle attacks. An attacker is able to successfully use SIP to communicate with the device from anywhere within the LAN. An attacker may use this to crash the device, stop it from communicating with the SMA servers, exploit known SIP vulnerabilities, or find sensitive information from the SIP communications. Furthermore, because the SIP communication channel is unencrypted, an attacker capable of understanding the protocol can eavesdrop on communications. For example, passwords can be extracted.
- CVE-2017-9862: When signed into Sunny Explorer with a wrong password, it is possible to create a debug report, disclosing information regarding the application and allowing the attacker to create and save a .txt file with contents to his liking. An attacker may use this for information disclosure, or to write a file to normally unavailable locations on the local system.
- CVE-2017-9863: If a user simultaneously has Sunny Explorer running and visits a malicious host, cross-site request forgery can be used to change settings in the inverters (for example, issuing a POST request to change the user password). All Sunny Explorer settings available to the authenticated user are also available to the attacker. (In some cases, this also includes changing settings that the user has no access to.) This may result in complete compromise of the device.
- CVE-2017-9864: An attacker can change the plant time even when not authenticated in any way. This changes the system time, possibly affecting lockout policies and random-number generators based on timestamps, and makes timestamps for data analysis unreliable.
"Government officials state that the energy sector should work out how to deal with these issues themselves. They can only play a role in the form of advising and consultancy to the sector," he explained.
"Power grid regulators state that vendors are responsible for creating secure devices. Vendors then state that users are responsible for making sure the device is in a 100 per cent secure environment. Users state that they can't all be cybersecurity experts and it should be secure out of the box. All in all, everyone was simply pointing to another one."
In the end, SMA patched the vulnerabilities in its kit, fixes are rolling out, energy grid bosses agreed to get the matter onto the agenda at their next security conference, and governments agreed to coordinate to harden up their systems, we're told. ®