Solar Power Installations Worldwide Open to Cloud API Bugs

The weaknesses gave attackers an avenue to take over millions of photovoltaic devices connected to Solarman and Deyes cloud-hosted management systems.

A recent analysis of two widely used technologies in residential and commercial solar power installations revealed multiple vulnerabilities in their cloud APIs, which, if exploited, would potentially have allowed an attacker to take down parts of any connected power grid.
Researchers at Bitdefender discovered the issues on Solarman, one of the worlds largest platforms for managing solar power systems, and on Deye Cloud for managing inverters from Chinas Ningbo Deye Inverter Technology. Both have since addressed the issues that Bitdefender reported to them.
An
inverter is a device that coverts
the direct current (DC) electricity produced by solar panels into alternating current (AC) electricity, the standard form used in homes and the electrical grid. They can also monitor and report on the solar systems performance.
In grid-tied solar power systems, the inverter synchronizes the phase and frequency of the AC output with the grid,
Bitdefender said in a report
. The goal is to ensure that solar-generated energy is compatible with the grid and can be safely exported to it. Because differences in phase and voltage can
crash the grid
, power distributors and governments see any deliberate attempts to bypass these grid safety measures as a threat to national security, Bitdefender noted.
Solarmans platform allows residential and commercial users of Deye and other inverter brands to remotely monitor the devices in real-time. Multiple vendors of other photovoltaic (PV) equipment also use the Solarman platform to connect users with their respective products, over the cloud. Among other things, Solarman offers a data logger that gathers metrics such as the total power output from a solar installation, as well as its voltage and current.
This management feature improves system performance, enhances reliability, and supports informed decision-making, Bitdefender noted. Some 2.5 million photovoltaic installations are currently connected to the Solarman platform, from more than 190 countries. Together they produce over 195 gigawatts of power in total — or roughly 20% of total solar electric production globally.
The issue we discovered lies in the cloud APIs that connect the hardware with the user, both on Solarmans platform and on Deye Cloud, says Bogdan Botezatu, director of threat Research and reporting at Bitdefender. These APIs have vulnerable endpoints that allow an unauthorized third party to change settings or otherwise control the inverters and data loggers via the vulnerable Solarman and Deye platforms, he says.
Bitdefender, for instance, found that the Solarman platforms /oauth2-s/oauth/token API endpoint would let an attacker generate authorization tokens for any regular or business accounts on the platform. This means that a malicious user could iterate through all accounts, take over any of them and modify inverter parameters or change how the inverter interacts with the grid, Bitdefender said in its report. The security vendor also found Solarmans API endpoints to be exposing an excessive amount of information — including personally identifiable information — about organizations and individuals on the platform. The extensive data exposure via these API endpoints would have allowed attackers to obtain the GPS coordinates from solar installations and their real-time production capability, Bitdefender said.
A worst-case scenario would be to force too much power into the network to
destabilize the grids normal working parameters
, Botezatu notes. This, in turn, can cascade into potential disruptions of service or partial loss of power on the affected grid segments.
Given that solar production facilities connected to the Solarman cloud are spread across the world, isolating the misbehaving devices would not have been a feasible mitigation, he says.
Meanwhile. up to at least the beginning of this year, China-based Ningbo Deye Inverter Technology Co. used Solarmans platform to connect customers with its inverter products. But more recently, they appear to have begun using their own datacenter and platform for managing their customers, Bitdefender said. The security vendors analysis of Deyes platform showed it to use a hardcoded account and a basic password (123456) to access devices. This account can obtain an authorization token that grants access to any device, exposing sensitive information such as software versions, Wi-Fi credentials, and more, Bitdefender said. As with the Solarman platform, API endpoints on Deye Cloud too returned excessive private information. Bitdefenders analysis showed the platforms OAuth token API endpoint generating a valid, signed but faulty token.
The result of a successful attack [via such weaknesses] would be either collection of troves of personally identifiable information or tampering with the inverter settings, Botezatu says. Beyond misconfiguring the grid injection parameters, an attacker could instruct some inverter setups to draw power from the grid to charge batteries during peak demand times, thus causing financial impact as well.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Solar Power Installations Worldwide Open to Cloud API Bugs