A Brisbane researcher has alleged serious security vulnerabilities in a Sungrow inverter. Sungrow are not happy with him.
Update: patch available – see end of story
A few months after I wrote about security in the home renewables space, a Brisbane engineer bought a Sungrow SH5k-20 inverter, decided to “poke around”, and claims to have turned up a crop of serious security vulnerabilities.
Sungrow’s response? Angry denial that any security threat exists, a claim that it would take “extraordinary efforts and expertise” to attack its equipment, a legal threat against the researcher (who the company labels as a “perpetrator”), and a demand that “all concerned” (we think this includes this blog) not “forward the Misleading Information any further”. Here is a copy of the letter.
So what’s the argument about? According to the researcher, who requested anonymity but told SolarQuotes we could refer to him as Travis, the built-in Wi-Fi hotspot in the inverter is insecure.
He said the hotspot is enabled by default, and there’s no software option to disable it – it has to be physically removed following the instructions here.
Since SolarQuotes doesn’t have the allegedly-vulnerable unit available, we can’t directly confirm the veracity of the researcher’s claims – however, the kinds of implementation mistakes he described to us are depressingly common.
Travis told us connection to the Wi-Fi hotspot is made using Sungrow’s smartphone app, which passes “many installer-level credentials” without encryption, and the hotspot has a hidden Web interface that’s also accessible without authentication.
“With minimal effort”, he said, an attacker can extract credentials and users’ Wi-Fi passwords.
On his disclosure page, Travis describes the ways he believes an attacker could disrupt a target system.
While the “approved” method for connecting to the Wi-Fi is the Sungrow app, the hotspot is open and will show up to a Wi-Fi scan as SG-########### (the hashes are the serial number), and anyone can connect without a password. As is typical with Wi-Fi systems, in the open air the range could be as much as 150 metres, so an attacker could easily get to a system without being seen by the owner (the inverter is rated for installation on external walls).
The disclosure outlines a few possible attack scenarios: it says the customer’s home network is at risk; malicious misconfiguration puts the user’s battery installation at risk; and a more skilled attacker could act as a man-in-the-middle between the smartphone app and the inverter.
As well as advising Sungrow, Travis told SolarQuotes he has contacted various government entities including the Australian Federal Police, and said the information has been passed to the Clean Energy Council. We have asked the CEC to confirm whether or not it is aware of the alleged vulnerabilities.
Comment: Vulnerability Disclosure
After a couple of decades writing about technology and security, I find Sungrow’s response anachronistic. Technology companies like Cisco, Microsoft, Intel and the like have, over time, developed a proactive and co-operative approach to security disclosures.
Here is a typical example, from network router giant Cisco. The advisory describes the vulnerability in detail, tells customers how to get fixes, and at the bottom, thanks “Steven Seeley … of Source Incite, working with Trend Micro’s Zero Day Initiative”.
Now that a disclosure has been published, other people or organisations – some of them will almost certainly be accredited security researchers – can easily either replicate or discredit Travis’s findings.
Computer and communications companies have well-established, transparent, and public processes for handling alleged security vulnerabilities. Renewable energy is part of the same industry – we embed computers into products and give them communications interfaces for remote control. We would do well to adopt the same approach to security.
Update: Patch available
Good news: the company has now shipped firmware that plugs the bug.
The researcher alerted us to an update to his vulnerability disclosure, announcing the availability of the fix. Sungrow has an explanatory video here, and PDF instructions here.
We’re pleased to read that the researcher and Sungrow have settled their differences, and that the company has paid him a bug bounty for his discovery. Well done, Sungrow.
About Richard Chirgwin
RSS - Posts
Sounds very similar to how the Tesla PW2 works – it enables a permanent hotspot for installer or user access. I don’t believe there’s a way to disable, however the hotspot has limited range; thus if you were that close and wanted to do damage you could simply start pulling on cables 😉 The access p/w is based upon the serial number, again easily obtained from the sticker on the gateway if you’re near the physical equipment.
Thank you – another excellent article.
I find that important issues are only discussed in these blogs, so well done everyone.
Providing links to previous blogs in the current article is a terrific help to learn more.
Recently there was an article in the Australian newspaper concerning solar panel safety and bush fires, and safety for the firies.
I summarised Ronald Brakels blog, and congratulated him on his article, mentioning him by name.
I chose not to mention Solar Quotes, as this is usually the KOD, causing that comment to be rejected by the moderators.
correct me if im wrong.
Dont the AV range of SMA have an active hotspot?
I dont feel this is limited to Sungrow, but as they were the test dummy, people will jump to conclusions.
Still a solid unit in my eyes
I’ve had simillarly less than useful discussions with Sonnen recently.
I recently installed a 14kwh battery system
We had a few days of very low input from the array and so I contacted my installer about how I could program it to use off peak energy to recharge the battery.
They referred to Sonnen who advised this could only be done by a Sonnen technician. How I asked, would the Sonnen technician know when I had switched the physical switch between OP1 and time of use.
He stated I could not not DIY under their warranty
At the end of the day I discovered that this is in userland with a user called ‘User’ with a password that they do not disclose, although can be found online
I am now programming my own battery using a python script and if they ever want to deny my warranty they can fight all they like. I have the Oz consumer law on my side
Never heard of a ‘battery-charger’ and ‘jumper-lead’??
In fact, about 40 years ago I realised a 120-amp auto alternator ($25 at the wrecker’s) run by a belt from a suitable stationary engine (try a motor-bike on a stand) could easily and quickly charge a largish battery-bank made up of used 1140ah batteries.
Mind you… they weren’t much good at carrying on conversations ~ perhaps because it was before wi-fi and assorted other pointless crap was available.
I sent them a email stating that I found their behaviour abhorrent & that I would no longer recommend their inverters.
Hopefully they up their game & issue a public apology.
Also, FYI, if you enable the local hotspot on an Enphase envoy, the password is the last 6 digits of the wifi address.
Not s huge breach, but if makers of wifi routers can generate unique addresses why do enphase struggle?
Odd that you have taken a side without actually evaluating the evidence. I would have thought you would give the company the opportunity to respond before making the statements.
I looked at the letter and it didn’t appear “angry” to me. It is what you would expect when there’s an allegation made.
In fact it appeared to address the issue in that they are constantly updating their firmwares and work with the CEC.
I have been reading your blog for years, but I’m not sure now.
Maybe (as a suggestion) you should publish the science behind the allegation for peer review and let the industry decide. Just sayin’
Hi,
I don’t see any evidence of “taking sides”, the article is reporting what has occurred.
I think the response is in the letter from Sungrow.
Don’t you think that people with Sungrow inverters would like to know about a possible security problem? Give them a choice to disable now, or wait. Pretty sure I would like to know.
Sungrow have had since Aug 2019. Why wait so long to respond?
First response is always to deny a problem. Has it ever been any different?
I’ve searched but can’t find any Sungrows nearby, otherwise I’d have a try. Pretty easy to prove or disprove, so why would Travis have bothered if it’s false?
dRdoS7
my chinese made sunnyboy frantically tried to call home (germany) upon connection. there is no option in the SB software to turn that off.I blocked it in the router.
all this connectivity I(di)OT adds risk and functionality that we did not ask for. an inverter needs to invert. just that.
Confucious say:- When all else fails get a bigger hammer.
Completely agree.
Being open to receiving “bad news” is a fundamental aspect of good management and good leadership. If you don’t encourage employees and clients to relay “bad news” then you will almost certainly receive even worse news later, when it’s much harder to deal with it.
Sungrow needs to adopt an openness to “bad news” about security matters and use the information gained to seek greater maturity in its information security stance.
(I have worked in the IT field for forty years and have been associated with IT security activity for about a decade)
The word from Grandma Duck is:- ALWAYS operate on the KISS principle.
(I gave up trying to have a relationship with machinery when my old Victa refused to do as I asked….. about 65 years ago. (I onoy realised later they had a masochistic streak built-in: given the regularity with which it provoked me to kick it!)
Thank you for putting up the Sungrow letter, this is important transparency.
I must say, though, as soon as I saw the –
“We were rated “100% bankable” by Bloomberg NEF among inverter firms in the latest survey” Sungrow lost all credibility with me.
Hopefully they are reading this blog and can re-orient their customer response.
I work in the Information Security industry and the response is not that surprising. I’m certainly not singling SunGrow out though as it wouldn’t surprise me if there are similar issues with other inverters. Unfortunately many IoT companies don’t factor in security during design. It’s only after a well meaning individual lets them know, or worse, when they get hacked, that security improves.
A few things in the letter that are worth pointing out:
* The comment ‘require extraordinary efforts and expertise by a hostile hacker’. Is unfortunately untrue. Yes you need physical proximity, but once nearby, the tools don’t need expert knowledge
* Secondly, the comment ‘well equipped with satisfactory levels of safety’. I’m sure they are, but ‘safety’ and ‘security’ are completely different things – almost mutually exclusive in-fact.
#SunGrow needs to enable a management & control service their embedded WiFi and IoT assets to operate safely and properly.
IMO at least the #UKGov is trying for a policy with some teeth “Mandatory Regs”
https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security/outcome/government-response-to-the-regulatory-proposals-for-consumer-internet-of-things-iot-security-consultation
“The regulatory proposals set out in the consultation advocated mandating the most important security requirements centred around aspects of the top three guidelines within the Code of Practice for Consumer IoT Security and the ETSI Technical Specification (TS) 103 645. These are outlined below:
1. IoT device passwords must be unique and not resettable to any universal factory setting.
2. Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
3. Manufacturers of IoT products explicitly state the minimum length of time for which the device will receive security updates.
Adhering to these three requirements is not a ‘silver bullet’ but they are the first practical step towards more secure devices. Achieving full market compliance with these three guidelines will ensure consumers are being given important protection against the most basic vulnerabilities, such as those which resulted in the Mirai Distributed Denial of Service (“DDOS”) attack in October 2016.”
#AusGov only has a Voluntary Code
https://which-50.com/government-releases-first-australian-iot-code-of-practice/
M_WIFI_RAK475_V25-V01_C.ZIP firmware has just been made available to download for the Wi-Fi V25 dongle model, other Vxx models have recent updates as well.
I wonder if this security lapse has been corrected ?
Just got a new update for my unit with an email detailing that the wifi connection is now locked down with a password, which is the serial number printed on each dongle.
So one would just need to walk up to the externally installed dongle, read the password and away you go?