DIVD-2022-00009 - SolarMan backend administrator account/password
Field | Value |
---|---|
Our reference | DIVD-2022-00009 |
Case lead | Frank Breedijk |
Researcher(s) | |
CVE(s) | |
Products | |
Versions | |
Recommendation | Consider the risks when using these products |
Patch status | n/a |
Workaround | n/a |
Status | Closed |
Last modified | 23 Jul 2022 21:28 |
Summary
Triggered by a tweet from Célistine Oosting, Jelle Ursem decides to look for SolarMan credentials and finds a (now removed) GitHub repository containing a username and password.
This turns out to be the Super Admin account, and the password works. Since the account does not have MFA, Jelle is able to log in with just the username and password.
This backend and the Super Administrator account give the ability to:
- See all data from all customers including:
- GPS coordinates
- Current and historical production data
- Current faults
- Clearing of faults
- Downloading firmware
- Uploading of firmware to devices
- Creation and deletion of customers
The SolarMan platform holds almost 1,000,000 plants (installations) with a total power of over 10 GWp (actually generated). Most systems are located in China and Australia, but a significant number, 40,000+, are in the Netherlands.
In the second half of April 2021, SolarMan is notified and changes the password. On 3 Feb 2022, Jelle reads Jan van Kampen's blog post on Growatt and decides to check the password again. To his horror, it has been changed back to the password in the GitHub repo.
On 4 Feb Jelle joins DIVD and on 6 Feb we opened this case.
Getting the account closed turned out to be hard. The first time, the vendor responded promptly but silently; in fact, neither we nor NCSC-NL ever got any reply from them. NCSC-NL enlisted the help of the Dutch embassy in China, and DIVD head of research Victor Gevers visited the Chinese Embassy in The Hague, all in an effort to get into contact. In the end the password was changed and the repository deleted. Just before this, CERT China confirmed receipt of the report to NCSC-NL.
The net effect of deleting the repository and resetting the password is that the number of parties with the ability to abuse this access has been reduced from “everybody that was able to find the password on GitHub” to the vendor and whoever can control the vendor.
What you can do
Not much. End users do not have any control over these events.
However, when installing smart devices please consider that:
- Your data is often uploaded to the vendor
- The vendor may change
- The vendor has ultimate control over the device
- When the vendor gets compromised, your device can be compromised as well
What we are doing
This case has been closed. We are not taking any further action.
We will be presenting the details of this case at the MCH 2022 hacker camp on Sunday 24 July at 12:40.
Timeline
Date | Description |
---|---|
05 Aug 2019 | Password(s) committed to GitHub repository |
05 Aug 2019 - 24 Apr 2021 | Password exposed and service vulnerable - 1st time |
16 Apr 2021 | Célistine Oosting tweets that the Omnik inverter is now uploading data to China (https://twitter.com/TheRealProcyon/status/1383154764213538816) |
17 Apr 2021 | Jelle finds a working password for the SolarMan Super Admin account in a GitHub repo (https://twitter.com/SchizoDuckie/status/1383365466702237703) |
17 Apr 2021 | Vendor informed |
24 Apr 2021 | Password changed |
03 Feb 2022 | Jelle discovers that the password was changed back to the password in the GitHub repo |
03 Feb 2022 - 02 Jul 2022 | Password exposed and service vulnerable - 2nd time |
06 Feb 2022 | Case opened |
06 Feb 2022 | Vendor notified |
07 Feb 2022 | DIVD involves the Dutch National Cyber Security Centre (NCSC-NL) |
20 Feb 2022 | NCSC-NL notifies vendor and CERT China |
15 Apr 2022 | NCSC-NL notifies CERT China again |
10 May 2022 | NCSC-NL involves the Dutch embassy in China |
09 Jun 2022 | NCSC-NL and CERT China in contact; the case file has been handed to CERT China |
17 Jun 2022 | DIVD contacts its office neighbour, the Chinese consulate in The Hague, and is given an (unnamed) liaison at CERT China |
02 Jul 2022 | Account closed and GitHub repo removed |
02 Jul 2022 | Case closed |
03 Jul 2022 | NCSC-NL reports that the Dutch ambassador has sent a formal letter to CERT China, which confirmed receipt of the data |
More information
- Tweet that triggered the investigation by Célistine Oosting
- Tweet in which Jelle makes his find public for the first time
- Now deleted GitHub repository
- Jan van Kampen’s blogpost on Growatt
- News article about Dutch government blocking a Chinese party from the Dutch grid