A few months after I wrote about security in the home renewables space, a Brisbane engineer bought a Sungrow SH5k-20 inverter, decided to “poke around”, and claims to have turned up a crop of serious security vulnerabilities.
Sungrow’s response? Angry denial that any security threat exists, a claim that it would take “extraordinary efforts and expertise” to attack its equipment, a legal threat against the researcher (who the company labels as a “perpetrator”), and a demand that “all concerned” (we think this includes this blog) not “forward the Misleading Information any further”. Here is a copy of the letter.
So what’s the argument about? According to the researcher, who requested anonymity but told SolarQuotes we could refer to him as Travis, the built-in Wi-Fi hotspot in the inverter is insecure.
He said the hotspot is enabled by default, and there’s no software option to disable it – it has to be physically removed following the instructions here.
Since SolarQuotes doesn’t have the allegedly-vulnerable unit available, we can’t directly confirm the veracity of the researcher’s claims – however, the kinds of implementation mistakes he described to us are depressingly common.
Travis told us connection to the Wi-Fi hotspot is made using Sungrow’s smartphone app, which passes “many installer-level credentials” without encryption, and the hotspot has a hidden Web interface that’s also accessible without authentication.
“With minimal effort”, he said, an attacker can extract credentials and users’ Wi-Fi passwords.
On his disclosure page, Travis describes the ways he believes an attacker could disrupt a target system.
While the “approved” method for connecting to the Wi-Fi is the Sungrow app, the hotspot is open and will show up to a Wi-Fi scan as SG-########### (the hashes are the serial number), and anyone can connect without a password. As is typical with Wi-Fi systems, in the open air the range could be as much as 150 metres, so an attacker could easily get to a system without being seen by the owner (the inverter is rated for installation on external walls).
The disclosure outlines a few possible attack scenarios: it says the customer’s home network is at risk; malicious misconfiguration puts the user’s battery installation at risk; and a more skilled attacker could act as a man-in-the-middle between the smartphone app and the inverter.
As well as advising Sungrow, Travis told SolarQuotes he has contacted various government entities including the Australian Federal Police, and said the information has been passed to the Clean Energy Council. We have asked the CEC to confirm whether or not it is aware of the alleged vulnerabilities.
Comment: Vulnerability Disclosure
After a couple of decades writing about technology and security, I find Sungrow’s response anachronistic. Technology companies like Cisco, Microsoft, Intel and the like have, over time, developed a proactive and co-operative approach to security disclosures.
Here is a typical example, from network router giant Cisco. The advisory describes the vulnerability in detail, tells customers how to get fixes, and at the bottom, thanks “Steven Seeley … of Source Incite, working with Trend Micro’s Zero Day Initiative”.
Now that a disclosure has been published, other people or organisations – some of them will almost certainly be accredited security researchers – can easily either replicate or discredit Travis’s findings.
Computer and communications companies have well-established, transparent, and public processes for handling alleged security vulnerabilities. Renewable energy is part of the same industry – we embed computers into products and give them communications interfaces for remote control. We would do well to adopt the same approach to security.