‘Vulnerability in inverters lets solar panels be abused in attack on power supply’
Many thousands of solar panel inverters contain vulnerabilities that can be exploited to disable the panels remotely, a security researcher claims. The Ministry of Economic Affairs is investigating the claims.
Researcher Willem Westerhof of the Haarlem security company ITsec investigated inverters from market leader SMA and discovered a series of security problems. Among other things, he pointed out to De Volkskrant the risk of using default passwords.
An SMA document states that the default password for ‘users’ is ‘0000’ and for ‘installers’ it is ‘1111’. Users can read information and adjust basic settings; installers can also change installation parameters. According to Westerhof, the user is not asked to change his password. The installation document does contain recommendations on how to change passwords.
According to Westerhof, malicious parties can in any case carry out a brute-force attack to find out the password; the inverters are said not to be protected against this. He also talks about a ‘super password’ that could be used to gain access to any device. He may be referring to the SMA Grid Guard code that gives access to the substation in the inverter and which electricians can receive on request.
According to the researcher, it is possible to install malware and thus disable large numbers of inverters in one fell swoop. In theory, this could have a major impact on the stability of the electricity network. He discussed the vulnerabilities with SMA late last year, but the company has not done much since.
The Ministry of Economic Affairs is in consultation with Tennet and the National Cyber Security Center about the findings. The ministry says it will ‘take measures if it turns out that this is necessary’. SMA speaks of ‘some very isolated products’ and of carrying out ‘technical corrections’. The company has reported the vulnerabilities to the Common Vulnerabilities and Exposures Authority, which will publish them this Friday.