Security Vulnerabilities Found In Solar Panels
Thousands of Australian homes that use solar panels and connect back to the electricity grid could be targeted by hackers a Dutch researcher has said.
Willem Westerhof found 17 vulnerabilities in inverters, which convert electricity produced by the panels so it can be used on the grid.
He said internet-connected inverters could be targeted by hackers.
One manufacturer said that only “a small fraction” of its devices were affected.
After discovering vulnerabilities in devices produced by a range of manufacturers, Mr. Westerhof carried out a field test near Amsterdam on two inverters made by SMA.
He told the BBC the test showed it would be possible for an attacker to remotely control the devices and alter the flow of power.
Because energy equipment on the grid needs to balance supply with demand, overloading the system could result in a power cut.
“If an attacker does that on a large scale, that has serious consequences for the power grid stability,” said Mr. Westerhof.
Energy researcher Iain Staffell, at Imperial College London, told the BBC, “It’s certainly a risk to electricity supply and could stress grid operations.”
However, he did not believe it could cause blackouts and he pointed out that many inverters would have to be attacked at once for any significant effect to occur.
SMA responded by pointing out the limitations to such an attack:
only four of its models are affected by the vulnerabilities
users are advised to change default passwords when installing the devices, though this is not required
inverters not connected to the internet are safe
“The security of our devices has highest priority for SMA in all respects,” the company said in a statement.
“We already assessed the mentioned issues on a technical basis and [are working] intensively on the correction.”
It added that it would publish further responses to Mr Westerhof’s research in the coming days and that it was working on a report about the security of its products with the Dutch National Cyber Security Centre.
Mr Westerhof described the vulnerabilities at a security conference in the Netherlands.
Asking users to change passwords was a way of pushing liability away from the manufacturer, said cyber-security researcher Tom van de Wiele, at F-Secure.
“The vulnerabilities are real,” he said, though he agreed with SMA that not all inverters would be open to attack.