Hackers pwn the sun – Exploit code released for software used to manage solar energy plants

Department of Homeland SecurityBlack hat hackers can now take over photovoltaic solar arrays and harness their combined energy to create vaporizing solar death beams.

Well, that may be an exaggeration, but only a slight one.

The US Department of Homeland Security is warning about vulnerabilities in a common SCADA (supervisory control and data acquisition) package that is used to remotely monitor and manage solar energy-generating power plants.

The DHS’s ICS-CERT issued an advisory on Wednesday that exploit code was circulating on the internet for security holes affecting the Italian vendor Sinapsi’s eSolar Light Photovoltaic System Monitor.

The eSolar Light Photovoltaic System Monitor is a SCADA product that allows solar power stations to simultaneously monitor different components of photovoltaic arrays, such as photovoltaic inverters, energy meters, gauges and so on.

According to information released by the researchers Robert Paleari and Ivan Speziale, the Sinapsi eSolar product contains a number of critical security vulnerabilities that make the devices easily exploitable by remote attackers, who could gain administrative privileges and run arbitrary commands and code on vulnerable eSolar devices.

Those security holes include a slew of SQL injection vulnerabilities in webpages included with the device firmware. Among other things, the researchers found they could exploit SQL injection holes in the web based management interface to access the underlying MySQL database, gaining access to usernames and passwords for the device.

Solar panel, courtesy of ShutterstockPasswords, the researchers noted, were stored in plaintext.

And, in a pattern that has become distressingly common in the SCADA world, the researchers discovered hard coded administrative accounts for the Sinapsi devices.

The login.php page would accept a small number (two or three) of universal passwords that would grant access to the device regardless of what user login they were paired with.

ICS-CERT said in its advisory that the vulnerabilities, if successfully exploited, could allow attackers to remotely connect to the management server, “executing remote code, possibly affecting the availability and integrity of the device.”

The researchers disclosed the holes to Sinapsi in August, 2012 and released details of their findings on October 9, after failing to get a response, they said.

The impact of the security holes could be widespread. The Sinapsi eSolar management product is bundled with photovoltaic SCADA products from other vendors, as well. They include the Enerpoint eSolar Light, Astrid Green Power Guardian and Schneider Electric Ezylog Photovoltaic Management Server, according to ICS-CERT.

Solar panel and sunlight images courtesy of Shutterstock