Solar inverter security: SMA, Sungrow, Growatt vulnerabilities exposed

A US-based cybersecurity company has published a report describing dozens of vulnerabilities discovered in the products of some of the world's large solar inverter manufacturers. But there is good news.

With so many solar inverters now connected to the Internet, the risks associated with a mass takeover of systems by hackers, as a “botnet” of inverters, can be widespread.

California-based Forescout Technologies Inc. has provided asset intelligence and control services for more than 20 years.

“The collective effects of solar systems in residential areas on the reliability of the networks are too significant to ignore – hospitals could lose access to critical devices, families could do without heat in winter or alternating current, and companies could be closed,” said the CEO of Forescout, Barry Mainz. “Threat players are increasingly aiming at critical infrastructure, making it important to take them seriously and to secure solar inverter systems before weaknesses lead to disturbing disorders in the real world.”

In its analysis, the company discovered 46 new vulnerabilities in Sungrow, Growatt and SMA products that attackers could have used to compromise inverter settings or user privacy, or even to take over other smart devices in a home. The good news is that all of these security flaws were first disclosed by Forescout to the vendors at the end of last year and have since been addressed.

SMA Sunnyportal vulnerability

Only one new security vulnerability was associated with solar inverter manufacturer SMA.

The researchers found that attackers could upload files that would be executed by the web server at Sunnyportal.com, SMA's platform for online monitoring. According to SMA, Sunnyportal supports more than 900,000 registered systems worldwide, in over 200 countries, with more than 40 GW of solar power system capacity.

On the portal website, visitors can access a section in which publicly available solar power system profiles are listed, and there are thousands of them. During testing, Forescout noticed that some system properties could be changed, including by uploading images. Due to the lack of file extension checks in the back end, an attacker could upload a bit of code instead of an image and execute that code remotely via a browser request.
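As an added illustration (not code from Forescout's report or from SMA), the following Python example shows the kind of back-end check the paragraph above describes as missing: an extension allowlist, a content signature check, and a server-generated file name. The function name, size limit and sample inputs are assumptions made for this example.

```python
import os
import secrets

# Allowlisted image types: extension -> accepted leading magic bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit for a profile image


class UploadRejected(ValueError):
    """Raised when an upload fails a server-side check."""


def validate_image_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated storage name or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Use the client name only to read its final extension; dropping the
    # directory part means it can never act as a path.
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    # The content must begin with a signature of the claimed image type.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match image type")
    # Random name plus allowlisted extension: no attacker-chosen text is kept.
    return secrets.token_hex(16) + ext


# Constructed sample inputs (not taken from the report).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
NOT_IMAGE = b"echo placeholder standing in for script text"

if __name__ == "__main__":
    samples = [("roof.png", PNG), ("panel.php", NOT_IMAGE),
               ("roof.png", NOT_IMAGE), ("../../x.PNG", PNG)]
    for name, body in samples:
        try:
            print(name, "->", validate_image_upload(name, body))
        except UploadRejected as exc:
            print(name, "-> rejected:", exc)
```

A signature check can be passed by a file that is both a valid image and something else, so the upload directory should also be served with script execution disabled.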

SMA resolved the problem on December 19, 2024, and then asked Forescout to check its work.

Sungrow security problems

Sungrow accounted for 15 flaws. Among them, it was possible to take control of Sungrow inverters by chaining two vulnerabilities. Again, the company was cooperative.

“Sungrow had particularly meaningful discussions about how they can improve their security,” says Forescout.

It is great to see that Sungrow has come a long way in its response to third parties reporting security problems. It was a different story five years ago.

Note: At the end of February, Sungrow owners were advised to update the iSolarCloud Android app to the latest version via the official app store.

Growatt vulnerabilities

The remaining 30 security flaws were related to Growatt products.

“Growatt has recognized and resolved the problems, which should not require any changes to the inverters, but the process took much longer and was much less collaborative.”

Forescout said it informed Growatt of the flaws on November 27, 2024, and then contacted the company several times to get updates and offer help. Some problems were finally fixed on February 27, 2025, and the remainder on March 13.

Forescout also explained that many similar Growatt vulnerabilities had been reported a few years earlier by another security researcher, who claimed that he had not received an answer from Growatt. The company could not confirm whether Growatt had dealt with those problems or whether some of the “new” flaws were the same problems that had never been fixed.

Manufacturers pass muster – sort of

A limited analysis was also carried out on three other manufacturers: GoodWe, Huawei and Solis. In the time allotted to each vendor, Forescout found no significant vulnerabilities.

“This does not mean that these providers are more or less secure than the others, since we had no access to test accounts for some or decided not to spend any more time for the analysis,” says the company.

Forescout’s report, which describes the discovered vulnerabilities and realistic power grid attack scenarios in more detail, can be viewed here. You can also pick up some tips on solar inverter security; although that article dates from 2018, the basics still apply.
