
DIVD-2022-00009 - SolarMan backend administrator account/password

Our reference DIVD-2022-00009
Case lead Frank Breedijk
Researcher(s)
CVE(s)
  • n/a
Products
  • SolarMan converters/loggers/batteries
  • Solis converters/loggers/batteries
  • Omnik converters/loggers/batteries
  • Ginlong converters/loggers/batteries
Versions
  • Not researched
Recommendation Consider the risks when using these products
Patch status n/a
Workaround n/a
Status Closed
Last modified 23 Jul 2022 21:28

Summary

Triggered by a tweet from Célistine Oosting, Jelle Ursem decides to look for SolarMan credentials and finds a (now removed) GitHub repository containing a username and password.

Screenshot of the repo and the passwords (blurred)

It turns out this is indeed the Super Admin account, and the password works. Since the account has no MFA, Jelle is able to log in with just the username and password.

Screenshot of Super Admin access

This backend and the Super Administrator account give the ability to:

In the SolarMan platform there are almost 1,000,000 plants (installations) with a total power of over 10 GWp (actually generated). Most systems are located in China and Australia, but a significant number, 40k+, are in The Netherlands.

In the second half of April 2021, SolarMan is notified and changes the password. On 3 Feb 2022, Jelle reads Jan van Kampen's blogpost on Growatt and decides to check the password again. To his horror, the password has been changed back to the password in the GitHub repo.

On 4 Feb Jelle joins DIVD and on 6 Feb we opened this case.

Getting the account closed turned out to be hard. The first time, the vendor responded promptly but silently; in fact, neither we nor NCSC-NL ever received a reply from them. NCSC-NL enlisted the help of the Dutch Embassy in China, and head of research Victor Gevers visited the Chinese Embassy in The Hague, all in an effort to get into contact. In the end the password was changed and the repository deleted. Just before this, CERT China confirmed receipt of the report to NCSC-NL.

The net effect of deleting the repository and resetting the password is that the set of parties able to abuse this access has been reduced from "everybody who could find the password on GitHub" to the vendor and whoever can control the vendor.
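Two controls would have caught the failure modes in this case: a secret scan over a commit before it reaches GitHub, and a password-change check that refuses to set a password already known to be leaked (the "changed back to the password in the GitHub repo" problem). The following is an added example written for this write-up; it is not DIVD's code and not the vendor's. The diff, file name, credential values and the HMAC key are all constructed sample data, and the scanner is a deliberately small pattern-based one, not a replacement for a full secret-scanning tool.

```python
"""Secret scanning over a git diff, plus a password-change check that refuses
passwords already known to be leaked. Added example for the DIVD-2022-00009
write-up; not DIVD's or the vendor's code. Every path, value and key below is
constructed sample data."""
import hashlib
import hmac
import math
import re

# Constructed stand-in for the output of `git diff --cached` on a config change.
SAMPLE_DIFF = """\
diff --git a/config/portal.ini b/config/portal.ini
--- a/config/portal.ini
+++ b/config/portal.ini
@@ -1,3 +1,7 @@
 [portal]
+username = superadmin
+password = Hunter2!ExamplePass
+api_key = ${PORTAL_API_KEY}
+db_url = postgres://app:s3cretExample@db.example.invalid/plants
 url = https://portal.example.invalid/api
-debug = false
+debug = true
"""

# `key = value` / `key: value` assignments whose key suggests a credential.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s]+)")
# user:password@host inside any URL, e.g. a database connection string.
URL_CRED_RE = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@")
# References to a secret store or obvious placeholders are not leaks.
PLACEHOLDER_RE = re.compile(
    r"(?i)^(\$\{?[a-z_][a-z0-9_]*\}?|<[^>]*>|\*{3,}|x{4,}|changeme|todo)$")


def shannon_entropy(s):
    """Bits per character; useful for triage (low entropy often means a default)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def _finding(path, key, value):
    return {"path": path, "key": key, "value": value,
            "entropy": round(shannon_entropy(value), 2)}


def scan_diff(diff_text):
    """Return one finding per credential-looking value on an added (+) line."""
    findings = []
    path = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):          # new-side file header
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if not raw.startswith("+"):         # context, removed lines, hunk headers
            continue
        line = raw[1:]
        for m in ASSIGNMENT_RE.finditer(line):
            if PLACEHOLDER_RE.match(m.group(2)):
                continue
            findings.append(_finding(path, m.group(1).lower(), m.group(2)))
        for m in URL_CRED_RE.finditer(line):
            findings.append(_finding(path, "url-credential", m.group(1)))
    return findings


class CompromisedPasswordStore:
    """Passwords known to be leaked, kept only as keyed hashes so the store is
    not itself a second plaintext copy of the secrets."""

    def __init__(self, key):
        self._key = key                     # server-side secret; placeholder here
        self._digests = set()

    def _digest(self, password):
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def add(self, password):
        self._digests.add(self._digest(password))

    def contains(self, password):
        return self._digest(password) in self._digests


def validate_new_password(candidate, store, min_length=16):
    """Return the reasons to reject `candidate`; an empty list means acceptable."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if store.contains(candidate):
        reasons.append("previously leaked; a reset must not restore it")
    return reasons


if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    for f in found:
        print(f"{f['path']}: {f['key']} = {f['value']!r} (entropy {f['entropy']})")
    store = CompromisedPasswordStore(key=b"example-server-side-key")
    for f in found:                         # everything the scanner caught is burned
        store.add(f["value"])
    print(validate_new_password("Hunter2!ExamplePass", store))
    print(validate_new_password("a fresh passphrase, unrelated to the leak", store))
```

Run it as a pre-commit hook over `git diff --cached` to block the commit on any finding; the reset check belongs on the server side of the password-change flow, keyed with a secret the application holds, and is no substitute for MFA on an account with this much reach.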

What you can do

Not much. End users do not have any control over these events.

However, when installing smart devices please consider that:

What we are doing

This case has been closed. We are not taking any further action.

We will be presenting the details of this case at MCH 2022 (the hacker camp) on Sunday 24 July at 12:40.

Timeline

Date                        Description
05 Aug 2019                 Password(s) committed to GitHub repository
05 Aug 2019 - 24 Apr 2021   Password exposed and service vulnerable - 1st time (628 days)
16 Apr 2021                 Célistine Oosting tweets that the Omnik converter is now uploading data to China (https://twitter.com/TheRealProcyon/status/1383154764213538816)
17 Apr 2021                 Jelle finds working password for SolarMan Super Admin account in GitHub repo (https://twitter.com/SchizoDuckie/status/1383365466702237703)
17 Apr 2021                 Vendor informed
24 Apr 2021                 Password changed
03 Feb 2022                 Jelle discovers that the password was changed back to the password in the GitHub repo
03 Feb 2022 - 02 Jul 2022   Password exposed and service vulnerable - 2nd time (149 days)
06 Feb 2022                 Case opened
06 Feb 2022                 Vendor notified
07 Feb 2022                 DIVD involves the Dutch National Cyber Security Center (NCSC)
20 Feb 2022                 NCSC notifies vendor and Cert-CN
15 Apr 2022                 NCSC notifies Cert.cn
10 May 2022                 NCSC involves the Dutch embassy in China
09 Jun 2022                 NCSC and China Cert in contact; the case file has been given to China Cert
17 Jun 2022                 DIVD contacts our office neighbor, the Chinese consulate in The Hague; we are given an (unnamed) liaison at China Cert
02 Jul 2022                 Account is closed and GitHub repo removed
02 Jul 2022                 Case closed (146 days after opening)
03 Jul 2022                 NCSC reports that the Dutch ambassador has sent a formal letter to China Cert, who confirmed receipt of the data

More information