
Security Expert: Solar Panels Are Extremely Easy To Hack
Daily Caller News Foundation ^ | 08/02/2016 | Andrew Follett

Posted on 08/02/2016 1:37:31 PM PDT by MarchonDC09122009

http://dailycallernewsfoundation.org/2016/08/02/security-expert-solar-panels-are-extremely-easy-to-hack/

Andrew Follett on August 2, 2016

A conference of cybersecurity experts is meeting in Las Vegas this Friday to discuss how rooftop solar panels make homes much easier to hack.

The experts found that a malicious hacker can easily knock solar panels offline, cause them to intentionally overheat or shut down entirely. Some hacking can even use solar panels to cause physical damage in the real world.

“I could have installed spying software that would have had visibility into their home networks, seeing their emails and everything they did online,” said Frederic Bret-Mounet, a cybersecurity expert who will speak at the Friday conference.


TOPICS: Business/Economy; Government; News/Current Events
KEYWORDS: hack; infosec; power; solar
The ever-expanding Internet of Things, for the sake of convenience, poses an obvious risk to household personal data confidentiality and a serious risk to power infrastructure availability.
1 posted on 08/02/2016 1:37:31 PM PDT by MarchonDC09122009
[ Post Reply | Private Reply | View Replies]

To: MarchonDC09122009

The bad old days of shoveling coal into a furnace are looking better and better.



2 posted on 08/02/2016 1:41:34 PM PDT by Mears
[ Post Reply | Private Reply | To 1 | View Replies]

To: MarchonDC09122009

The article begs the question of why solar panels exist that have any infrastructure for passwords and an administrator, and why suddenly a homeowner wants or needs such a thing.


3 posted on 08/02/2016 1:42:23 PM PDT by jiggyboy (Ten percent of poll respondents are either lying or insane)
[ Post Reply | Private Reply | To 1 | View Replies]

To: MarchonDC09122009

Related details:

http://www.forbes.com/sites/thomasbrewster/2016/08/01/1000-solar-panels-tigo-vulnerable-hackers/#6920b74c3811

This Man Hacked His Own Solar Panels... And Claims 1,000 More Homes Vulnerable

Aug 1, 2016 @ 10:00 AM

Thomas Fox-Brewster, Forbes Staff

Photo caption: In this June 18, 2010, file photo, U.S. Senator Michael Bennet, D-Colo., center, helps as SolarCity employees Jarret Esposito, left, and Jake Torwatzky, install a solar panel on a home in south Denver. (AP Photo/Ed Andrieski)

Fred Bret-Mounet knows how best to secure his home: by hacking it.

When he equipped his house with a solar array – “like any good Californian” – his first thought was to test its security. After all, it was connected to the internet. Ergo, it almost certainly had some vulnerabilities. He wasn’t to be disappointed. The problems he found, according to the security pro, could have allowed him to spy on and hack the power supply of at least 1,000 homes.

His first concern was an open Wi-Fi access point being served from his solar array’s Management Unit (MMU), a product from Tigo Energy, a device that allows panels to be controlled and monitored from the web. If anyone could log in to that, they would have a good chance of spying on his home network, Bret-Mounet told FORBES. “Anyone within Wi-Fi range could connect to that device and potentially jump onto my home network, which is absolutely scary.”

A few weeks later, in October last year, Bret-Mounet found far more serious problems. One service on his Tigo was served over an unencrypted HTTP connection. When he connected to the server, it asked for a username and password. So, for 36 hours, he left his PC running a brute force attack on that service to guess the username and password. Turned out, they were easily-guessable: “admin” and “support”. If he had been able to find other Tigo systems with the same default login, he could have made configuration changes to each panel, altering maximum tolerances and limits. Effectively, he could have shut down any affected user’s solar power setup.

He chose not to test that power on his own system: “I was careful about not destroying my brand new toy.” But using search tool Shodan – a useful site for finding vulnerable machines on the web – he was able to uncover a handful of those Tigo systems that were wide open on the public internet, meaning he could have quickly located and hacked them, if he were maliciously inclined.

Pretending to be a malicious hacker, he used the access to that configuration service – supposedly to be used by Tigo’s staff for remote servicing of its devices – to look around for other weaknesses. Soon enough, using a command injection attack, Bret-Mounet was able to get root-level access to his solar panel controller; in other words, he could now do anything to his own panels.

What he found next was nasty: a virtual private network (VPN) connection that all Tigo devices went through. “If I’d gone through that tunnel I would have reached any of them,” he claimed, indicating that if he’d simply connected through the VPN to the Tigo server, he would have been able to control anyone’s solar panels. He would also have been able to jump onto connected home networks, Bret-Mounet claimed.

“Yes it’s bad I could have shut down a small-to-medium electricity generation facility in aggregate, but my personal belief is that I could have used those as Trojan horses to attack targets that happened to have that type of solar panel.” He theorized setting up a vast botnet of solar panels.

Long vulnerability disclosure

He disclosed the issues way back in October. By December, Tigo had thanked Bret-Mounet for his research and confirmed it was in the process of fixing the issues.

But Tigo came back with a surprise: they’d mistakenly given him a development device, as they had with 1,000 others. Only those devices, they claimed, were vulnerable.

Though skeptical at first, Bret-Mounet was soon convinced. He took his car and hacking equipment out across California, scanning for the Tigo devices like his own. He found none. Then Tigo sent him a production model. The vulnerabilities weren’t present. Tigo, it appeared, were telling the truth.

The company hadn’t responded to repeated requests for comment. Emails seen by FORBES showed in-depth correspondence between Bret-Mounet and various Tigo staff from October 2015 onwards. In one message dated June 23 between Bret-Mounet and Maxym Makhota, vice president of software development at Tigo, the latter confirmed around 1,000 vulnerable development units were in use and were being replaced.

Makhota had previously written to the pro hacker that the HTTP server, the VPN and open Wi-Fi issues were not resident in production units. He rewarded Bret-Mounet with a $250 Amazon gift card as a thank-you and remotely closed off the vulnerabilities on his server, before offering him a new production unit.

The VP also admitted to the numerous issues uncovered by Bret-Mounet. “Labeled and accessible console port, missing secure boot, same root password for all the units, hard-coded passwords, weak passwords, missing input validation on all fields – this is definitely a design problem that must be fixed,” Makhota wrote.

Despite all the firm’s promises over the last eight months, it remains unclear how many unsecured devices are out in the real world. Bret-Mounet is continuing to probe his production Tigo. Thankfully for users, he’s not yet been successful.

He’ll be detailing his findings in full at the DEF CON conference in Las Vegas this week.

Energy systems have been found vulnerable to hackers frequently over the last year. In mid-2015, German security Maxim Rupp reported serious weaknesses in three separate wind turbine and solar system control systems. Just like in Bret-Mounet’s case, he could have taken control of those critical infrastructure machines and shut them down for good.

And hackers are actively targeting energy production plants. A power outage in Ukraine just before Christmas 2015 was caused by hackers, an attack some blamed on Russia. The US has charged Iranian individuals for an attack on a New York dam, though the breach caused no physical damage.


4 posted on 08/02/2016 1:45:13 PM PDT by MarchonDC09122009 (When is our next march on DC? When have we had enough?)
[ Post Reply | Private Reply | To 1 | View Replies]
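The Forbes account above describes 36 hours of password guessing against an HTTP login that accepted a default username and password. As an added defender's example (not code from the article, from Tigo, or from the poster), here is a small Python detector that reads common-format web-server access log lines, flags any source exceeding a threshold of failed logins inside a sliding time window, and marks whether a successful login followed the burst; the log lines and the `/login` path are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Common-log-format line: client, ident, user, [timestamp], "request", status, size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+$')

def constructed_log():
    """Constructed sample, not from Tigo or the article: 30 failed logins from
    10.0.0.5 in four minutes, then one success; 10.0.0.9 is a normal user."""
    base = datetime.strptime("10/Oct/2015:21:00:00 +0000", TS_FMT)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = [f'10.0.0.5 - - [{stamp(8 * i)}] "POST /login HTTP/1.1" 401 0' for i in range(30)]
    lines.append(f'10.0.0.5 - - [{stamp(245)}] "POST /login HTTP/1.1" 200 512')
    lines.append(f'10.0.0.9 - - [{stamp(60)}] "POST /login HTTP/1.1" 401 0')
    lines.append(f'10.0.0.9 - - [{stamp(69)}] "POST /login HTTP/1.1" 200 512')
    return lines

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip malformed lines rather than crash the detector
    ip, ts, request, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)

def detect_login_bruteforce(lines, login_path="/login", threshold=20,
                            window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed logins (401/403) inside any
    `window`; 'succeeded' marks a 2xx login after the last failure, i.e. the
    guessing worked and the account should be treated as compromised."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and login_path in rec[2]:
            events[rec[0]].append((rec[1], rec[3]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, st in evs if st in (401, 403)]
        start, burst = 0, 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while fails[end] - fails[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            succeeded = any(st < 300 and ts > fails[-1] for ts, st in evs)
            alerts[ip] = {"failures": burst, "succeeded": succeeded}
    return alerts
```

Running `detect_login_bruteforce(constructed_log())` flags only 10.0.0.5, with the success after the burst marked so the account can be reset rather than just rate-limited.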

To: MarchonDC09122009

Home temperature control panel and electric meter are easy to hack.


5 posted on 08/02/2016 1:46:16 PM PDT by jennychase
[ Post Reply | Private Reply | To 1 | View Replies]

To: MarchonDC09122009

Mine are not online. No hackey.


6 posted on 08/02/2016 1:52:14 PM PDT by TangoLimaSierra (It's gonna be bloody.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: jiggyboy

I fail to see the need to hook solar panels up to the Internet in the first place. Is it so that you can monitor how much power they are generating? Why would you need that unless you were made a guarantee about how much power they would generate?


7 posted on 08/02/2016 1:53:02 PM PDT by Blood of Tyrants (Socialism is always just one or a thousand or a million more murders away from utopia.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Blood of Tyrants

Why in the #311 are solar panels connected in a data network to begin with? Just connect the d@mn things to the batteries/inverter whatever and be done with it.


8 posted on 08/02/2016 1:56:43 PM PDT by bicyclerepair (Ft. Lauderdale FL (zombie land). TERM LIMITS ... TERM LIMITS)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Blood of Tyrants

Just a guess here but could it have to do with selling your excess power back to the power company? That was a big selling point of solar systems.


9 posted on 08/02/2016 2:08:25 PM PDT by Abby4116
[ Post Reply | Private Reply | To 7 | View Replies]

To: bicyclerepair

I was just thinking that same exact thing.


10 posted on 08/02/2016 2:08:34 PM PDT by AFreeBird (BEST. ELECTION. EVER!)
[ Post Reply | Private Reply | To 8 | View Replies]

To: MarchonDC09122009

Done right, with custom access point names, IOT endpoints and their data never get exposed to the public Internet, and the data are always encrypted.

Just need the right tools and layers in place.

I believe Samsung Knox is standard with their smart refrigerators ...


11 posted on 08/02/2016 2:19:17 PM PDT by Blueflag (Res ipsa loquitur: non vehere est inermus)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Blood of Tyrants

Because it’s fun. Wouldn’t you get a kick seeing what time of day, season, etc would get you what kind of power? How about seeing the moon generate a teeny weeny bit of power?


12 posted on 08/02/2016 2:26:22 PM PDT by Mamzelle
[ Post Reply | Private Reply | To 7 | View Replies]

To: plsjr

ping


13 posted on 08/02/2016 2:40:38 PM PDT by lula (Shine the light of truth Lord, confound the deceiver I pray...AMEN!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: bicyclerepair

Hai Fat’s construction company used solar panels that tracked the sun.

That solex gadget worked real well that way.


14 posted on 08/02/2016 3:09:40 PM PDT by wally_bert (I didn't get where I am today by selling ice cream tasting of bookends, pumice stone & West Germany)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Abby4116

The power meter takes care of that.


15 posted on 08/02/2016 3:10:37 PM PDT by Blood of Tyrants (Socialism is always just one or a thousand or a million more murders away from utopia.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: MarchonDC09122009

I figured this one out last month.
Easy to prevent but it requires two isolated wireless networks to correct the problem.


16 posted on 08/02/2016 3:32:04 PM PDT by Zathras
[ Post Reply | Private Reply | To 1 | View Replies]

To: jiggyboy

It is a fad. Everything has to be put under Internet control, even bricks.


17 posted on 08/02/2016 3:32:22 PM PDT by GingisK
[ Post Reply | Private Reply | To 3 | View Replies]

To: Blood of Tyrants

Probably if you are going to sell the power back to the grid, you need an external connection to monitor it.


18 posted on 08/02/2016 3:33:29 PM PDT by Zathras
[ Post Reply | Private Reply | To 7 | View Replies]

To: Mamzelle

It would be fun for maybe a week. Then it would be forgotten. But your solar panels, fridge, thermostat, smart TV, web cam and all the rest are still on the internet, reporting whatever they report to whoever they report it to. This creeps me out.


19 posted on 08/02/2016 3:54:36 PM PDT by beef (Who Killed Kennewick Man?)
[ Post Reply | Private Reply | To 12 | View Replies]

To: GingisK

My lawnmower blade is online. It just texted me (it won't use twitter since they've been screwing with Milo) that it needs to be sharpened after the next mowing. It also told me to check the spark plug since it went offline today for some unknown reason. Gas tank looking good at 64.3% fuel remaining, good enough for next mow. Suggested that I use non-ethanol gas, also.


20 posted on 08/02/2016 3:59:52 PM PDT by Right Wing Assault (Kill TWITTER !! Kill FACEBOOK !! Free MILO !!)
[ Post Reply | Private Reply | To 17 | View Replies]
