New Bluetooth Vulnerability Should Be A Wake-Up Call To Solar Manufacturers

Bluetooth vulnerability and solar components

If you’ve been reading the tech press this week, you’ve probably noticed there’s a lot of noise about a security vulnerability in Bluetooth, known as “KNOB”, and I thought it gives us the chance to discuss Bluetooth security in the solar business.

The (extremely juvenile) acronym stands for Key Negotiation of Bluetooth, and the choice of acronym shows that at least some IT security researchers haven’t grown up since the 1990s!

The name refers to the part of Bluetooth the researchers attacked – the key that’s supposed to protect encrypted Bluetoooth communications. The “key” in this instance is the password the two Bluetooth devices agree on, so only they can decrypt the communications (for example, between your solar inverter and a data monitoring system).

When two Bluetooth devices are setting up their communication channel (the “negotiation” phase), they agree on how long that password is going to be – the longer, the better; but some devices have limited processing power and can’t process very long keys (say, 128 bits long). So the Bluetooth protocol allows two devices to agree that 32 bits is enough.

The security bug KNOB’s discoverers found is not in a particular device, but in the specification (which means every device that follows the spec might be vulnerable), and it’s a beauty: an attacker can force the devices to negotiate a password that’s so weak, they can decrypt the communication in real time.

As the researchers wrote on their website:

“an attacker is able to the listen, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired.”

So yeah, it’s a pretty bad bug if you have, for example, software on your PC or phone that’s sending control signals to your solar inverter – and if there’s a malicious somebody who wants to do you harm, and knows how to exploit the KNOB security vulnerability.

A “Fat” Standard Is Fertile Ground For Vulnerabilities

You could argue you’re unlikely to be attacked, and you’d probably be right, but I also wanted to pick up on a couple of related threads.

The first is Bluetooth itself. People love the convenience – just pair two devices and they can swap info easily (so long as you’re not trying to send a photo from my Huawei phone to my Acer Chromebook, they refuse to talk to each other), but it doesn’t have a great security record.

In response to my previous posts about the security of solar kit, a reader contacted me privately to remind me you don’t need fancy vulnerabilities on Bluetooth if the product doesn’t ask for strong passwords or if the solar installer leaves the default configuration in place.

But Bluetooth itself is home to a great many vulnerabilities, because the standard is thousands of pages long, making it hard for the people who implement it in chipsets and in software to “get it right” without making mistakes.

The result, as expert Ben Seri of security outfit Armis told Wired last year (discussing another Bluetooth vulnerability called BlueBorne), is:

“the complexity means it’s really hard to know how you should use it if you’re a manufacturer”.

Bluetooth’s security problems go back a long way – it was back in 2004 that Bluetooth was first used in a “proof of concept” to spread a virus from one device to another.

Also, “Class 1” Bluetooth has a range of up to 100 metres, and devices such as solar inverters are often installed on outside walls.

Really, if you don’t absolutely need Bluetooth on your solar kit, turn it off.

My other concern is manufacturers in this industry are lagging behind the “best of the best”, when it comes to disclosing and patching security bugs.

Over the 20 years since the world started collecting and disseminating IT security information, the networking equipment and software vendor Cisco has become one of the best at responding to security threats. On this dedicated web page, the company publishes all new vulnerabilities discovered in its products, warns customers about the severity of the vulnerabilities, and tells them how to get fixes.

The home solar energy sector falls far short of Cisco’s dedication to customer security – it’s not uncommon for vendors to have no security information on their websites whatever.

It’s inevitable that inverters, controllers, solar diverters and the like will have security vulnerabilities, and it’s also inevitable that those vulnerabilities will be made public. The only question is whether solar manufacturers are willing to get proactive, try to find the bugs before the “black hats” do, put patches in place, and find a way to ensure customers implement the patches.

About Richard Chirgwin

Richard Chirgwin is a journalist with more than 30 years' experience covering a wide range of technology topics, including electronics, telecommunications, computing and science.

Speak Your Mind

*

GET THE SOLARQUOTES WEEKLY NEWSLETTER