Dutch hacker Jelle Ursem discovered the password in April 2021. At that time, the login details had been publicly available online for more than a year and a half. Anyone who knew where to find them could access the admin panel of the Chinese brand SolarMAN.
Inverters are needed to convert the generated electricity into usable electricity. Without these devices, solar panels are useless.
“A password was accessible to everyone. We’re not that stupid, are we?” says Echo Brass, professor of Internet security at the University of Twente. “It happens anyway. Mistakes are stupider than you think.”
Hacker Ursem informed the Chinese company last year, after which the password was quickly changed. But when the ethical hacker tried to log in again with the old password in February of this year, he got right back in. Professor Brass finds it highly unprofessional for the Chinese company to treat its security in this way.
In SolarMAN’s online environment, you could see exactly where the inverters are located. In the Netherlands there are more than 40,000 locations. Worldwide, there are over a million locations, mainly in China and Australia.
Sabotaging solar panels
It was also possible to download the technical controls for the devices, modify them and upload them to the inverters, says Frank Breedijk of the Dutch Institute for Vulnerability Detection (DIVD) to RTL Nieuws.
“If you can tweak hardware software, you can do bad things,” says Georgios Smaragdakis, professor of cybersecurity at TU Delft. This way you can turn off the devices remotely. As a result, you can no longer use the solar energy generated for your home or return it to the power grid. So the expensive solar panels are useless.
The Dutch Institute for Vulnerability Detection (DIVD) is an organization of hackers and security researchers who want to make the internet more secure. They do this by informing companies and organizations of vulnerabilities that exist.
In this case, DIVD teamed up with the Dutch government’s National Cyber Security Center (NCSC). The Chinese authorities were contacted in February and April in order to reach the company behind SolarMAN.
On July 2, the password was changed again and the page that was online was removed. SolarMAN said in a response to RTL Nieuws that it only became aware of the matter at the beginning of July.
If a malicious person controls a sufficient number of inverters, it will also be possible to strain the power grid. “With tens of thousands of devices, probably scattered all over the Netherlands, it was really hard to damage the power grid in this case,” says Smaragdakis. “You will need hundreds of thousands for that.”
This does not mean that there was no danger. “A hacker can modify the security settings around the voltage in such a way that the thing catches fire,” says Brass of the University of Twente.
The communications agency confirms the vulnerabilities mentioned. If the devices are not secured properly, people could lose income from solar energy, among other things. The regulator also indicates a risk of fire and, in the worst case, a power outage on the power grid.
“If the inverter is connected to your WiFi, a hacker can also shut down your internet,” says the internet security professor.
“If you can completely reprogram the inverter, you can also break it or throw out the resource,” says DIVD’s Breedijk, who presented the case today on stage at the Pirates Festival in Zeewolde. “In fact, you can make the instrument dance to your liking.”
This isn’t the first time that equipment around solar panels has been shown to be at risk. In 2017, hacker Willem Westerhof showed at the same hacker festival that he could hack a German inverter manufacturer.
“I then consciously went looking for a company that would, in my opinion, be the best secured,” the hacker recalls. “I wanted to show that the situation with the rest is probably much worse.”
Experts predict that this will not be the last time. “It is naive to think that this is the only manufacturer that deals with security unprofessionally,” says Brass.
“More and more dangerous”
“There’s a good chance we’ll see this a lot,” says Smaragdakis of TU Delft. “Next time there may be a hack of hundreds of thousands of devices.”
Smaragdakis: “Unfortunately, more and more devices are connected to the Internet. This is where the problems begin. Anyone from all over the world can connect to it.”
“That’s the problem,” Westerhof says. “This shows that anyone who can do a little bit of searching on Google can suddenly get into our devices. This could be anyone who wants to cause harm. And this is getting more and more dangerous.”
SolarMAN’s response
SolarMAN said in its response that the password only allowed access to a test environment. However, data from real customers could be seen there, such as the municipality of Vlissingen. It says it has disconnected from the internet.
The Chinese company confirms that it was indeed possible to modify the inverter software, but notes that there are additional control safeguards.
As far as is known, the incident did not cause any real damage and the leak is now closed. SolarMAN reports that it is working with DIVD to make its products safe.