August 9, 2024 at 02:48PM
An analysis of Solarman and Deye Cloud for managing solar power installations uncovered vulnerabilities in their cloud APIs. Bitdefender researchers found that unauthorized parties could alter inverter settings and access personally identifiable information via these APIs. Potential consequences include destabilizing the power grid and compromising a significant amount of solar energy production.
Key Meeting Takeaways:
1. Vulnerabilities in the cloud APIs of Solarman and Deye Cloud for managing solar power systems were reported by Bitdefender. These vulnerabilities could have enabled an attacker to control the inverters, access personally identifiable information, and potentially destabilize the power grid by forcing too much power into the network.
2. Bitdefender’s analysis revealed that Solarman’s API endpoints exposed an excessive amount of private information, allowing attackers to obtain GPS coordinates from solar installations and real-time production capability. Additionally, they found issues with Solarman’s /oauth2-s/oauth/token API endpoint, which could be exploited to generate authorization tokens for any regular or business account on the platform.
3. Deye Cloud, initially using Solarman’s platform, was found to have used a hardcoded account with a basic password (123456) to access devices, which could be exploited to expose sensitive information such as software versions and Wi-Fi credentials.
4. The potential impact of successful attacks includes collecting troves of personally identifiable information, misconfiguring grid injection parameters, and causing financial impact by instructing inverter setups to draw power from the grid during peak demand times.
5. Both Solarman and Deye Cloud have addressed the reported issues.
Please let me know if you require further details or any additional information.