Hacker was able to modify software of solar panels with Chinese Solarman inverters
The Dutch hacker Jelle Ursem managed to gain access to the system of the Chinese company Solarman, which manages and monitors solar panels. He could view and change the names and addresses of customers. It was also possible to modify the firmware of the inverters.
Ursem, who is known on Tweakers as SchizoDuckie, started investigating in response to a tweet by ethical hacker Célistine Oosting. According to Follow the Money, Ursem found the system’s credentials through GitHub and accessed Solarman’s admin portal. The password consisted of a Chinese name with ‘123’ after it. Two-factor authentication was not enabled. As an ethical hacker, Ursem often searches GitHub and similar platforms for repos that store passwords or API keys. Tweakers spoke to him about this earlier this year.
With the login details it was possible to view the personal data of Dutch customers. Ursem says he was able to create new users and delete existing users. In addition, he could view, among other things, the GPS coordinates and the amount of power generated by the solar panels. It was also possible to download, modify and upload the firmware of the inverters.
Attackers with access to the system could even disable Solarman customers’ solar panels remotely. In addition, a hacker could take down the internet connection of solar panel owners when the inverter is connected to the home Wi-Fi network. There is also a risk of fire if the protection settings around the voltage are adjusted in a certain way.
Oosting discovered that customer data is being sent to China, which is in violation of the GDPR. China can also remotely manage the inverters of solar panels installed in the Netherlands. This is despite the fact that Chinese companies are not allowed to build vital parts of the Dutch power grid in the North Sea, because the risk to state security is considered too great.
Last year, Ursem raised the alarm with the Dutch Institute for Vulnerability Disclosure, which then sent an email to Solarman. There was no response, but the password was changed. In February of this year, however, Ursem discovered that the old password worked again. The leak has now been fixed. As far as is known, it has not caused any damage.
Solarman, which has more than 42,000 customers in the Netherlands, claims in a response to RTL Nieuws that the password only gave access to a test environment, but admits that it was possible to modify the software of the inverters.
Update, July 25: A previous version of this article stated that Solarman supplies inverters for solar panels. However, it concerns monitoring software for inverters.
Update, Sept. 4: This article stated that Ursem discovered that customer data was being sent to China. This is incorrect. It was ethical hacker Célistine Oosting who discovered this. The article has therefore been amended.