Disclosure of security vulnerability in Sungrow SH5k-20 Residential Hybrid Inverters - Public disclosure.

2020-03-03 update:


Sungrow have released a firmware update to mitigate the vulnerabilities described below. Please ensure your Solarinfo dongle is updated to at least version M_WIFI_RAK475_V25_V01_C. This will change the SSID and enable a password on the hotspot. If you don't want to wait for the automatic OTA update you can update your Solarinfo dongle manually via the iSolarHome app. Sungrow have released a video demonstrating the process here. A PDF of the instructions is available here.


On 2020-01-29 a representative from Sungrow Power Australia contacted me via telephone and we discussed the circumstances surrounding the disclosures. There were some misunderstandings about my motivations, but they were dealt with and the representative offered me the opportunity to test a firmware update to the Solarinfo dongle on my own system. I agreed and a few days later I received instructions. I performed the testing and submitted a report. On 2020-02-10 Sungrow provided me a cash award to the value of my Sungrow SH5k-20 inverter: AUD$1950. This award was a once-off payment and Sungrow do not currently operate a bug bounty program.

Note: This is a summarised version of the disclosures sent to Sungrow Australia on 2019-09-20 and 2019-09-22. Specific passwords and protocols have been removed.



The Sungrow SH5k-20 is a solar inverter installed as a part of a solar and battery system. It typically connects together solar panels, batteries, a house and the electricity grid and transfers power between them as required. Many of these units have been installed throughout Australia. These systems are also available in other parts of the world.



These systems are typically equipped with a Sungrow SolarInfo WiFi dongle to enable the smart features of the inverter. The system installer, in consultation with their customer, configures the dongle to connect to the customer’s private home WiFi network. With internet access the inverter can now transmit data to Sungrow’s monitoring system. Customers can log in via a web page or smartphone app to see the status of their system and historical data.



Example of the data available on the iSolarCloud smartphone app.

Consumers can also connect directly to their inverters by connecting to a WiFi Access Point (AP) that the dongle broadcasts with a distinctive name of the format “SG-###########”, where the hashes (#) represent the inverter’s serial number. No password is required to connect to this AP. Once connected, the iSolarCloud smartphone app can be used to provide a username and password to access the inverter statistics. Once logged in, a consumer can monitor their solar storage system without an internet connection. The range of this access point is reported to be up to 150 meters in open air, and it is at least 10 meters through walls. Consumers cannot set a password on this access point.

In a cursory survey of two residential suburbs of Brisbane, covering approximately 22km of street, 22 susceptible access points were discovered. These were found by running an access point discovery smartphone app while driving on public roads.
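Given the SSID pattern and open hotspot described above, a homeowner or installer can confirm after a firmware update that their own inverter no longer advertises an open "SG-" hotspot. The script below is an added example, not part of the original disclosure or any Sungrow tool; it assumes the terse output format of `nmcli -t -f SSID,SECURITY dev wifi list` ("SSID:SECURITY", empty SECURITY meaning open) and that the serial is 11 alphanumeric characters, matching the eleven '#' placeholders in the text. The scan lines are constructed.

```python
import re

# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi list` output.
# Each line is "SSID:SECURITY"; an empty SECURITY field means an open network.
SAMPLE_SCAN = """\
SG-A1234567890:
HomeNet-5G:WPA2
SG-B9876543210:WPA2
Cafe Free WiFi:
SG-C111:WPA2
"""

# Hotspot name pattern from the disclosure: "SG-" followed by the serial.
# Assumption: the serial is 11 alphanumeric characters.
SUNGROW_SSID = re.compile(r"^SG-[A-Za-z0-9]{11}$")


def parse_nmcli_terse(text):
    """Return (ssid, security) tuples from nmcli terse output.

    nmcli escapes a literal ':' inside an SSID as '\\:'. SECURITY never
    contains a colon, so splitting on the last ':' keeps such SSIDs intact.
    """
    rows = []
    for line in text.splitlines():
        ssid, sep, security = line.rpartition(":")
        if not sep:
            continue  # blank or malformed line
        rows.append((ssid.replace("\\:", ":"), security.strip()))
    return rows


def classify_inverter_hotspots(rows):
    """Split SSIDs matching the SG- pattern into open and password-protected.

    An entry under "open" is the exact condition the disclosure describes:
    the pre-update hotspot name with no authentication.
    """
    result = {"open": [], "protected": []}
    for ssid, security in rows:
        if SUNGROW_SSID.match(ssid):
            result["open" if security == "" else "protected"].append(ssid)
    return result


if __name__ == "__main__":
    summary = classify_inverter_hotspots(parse_nmcli_terse(SAMPLE_SCAN))
    for state, ssids in summary.items():
        print(f"{state}: {ssids}")
```

On a real system, replace SAMPLE_SCAN with the output of the nmcli command named in the lead-in; any SSID listed under "open" still needs the dongle update applied.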

Packet loggers are software tools that capture the low-level “packets” of data a device transmits or receives over its network connections. Sensitive information such as usernames and passwords can be extracted from this data unless well-designed security measures protect it during transmission.

Vulnerability

The user-level credentials used to connect from the iSolarCloud smartphone app to the SolarInfo WiFi dongle are public information. It is possible to use a network packet capture tool, running on an unmodified Android smartphone, to record the data exchanged between the inverter and the smartphone during this connection process.

Contained within this information are numerous sensitive pieces of data, including:


The inverter passwords used are short and do not differ between units. The network protocols used to configure the WiFi connection and inverter settings are unencrypted and were designed for use over closed industrial networks, not public WiFi connections.

Once an attacker has collected the elevated installer-level and hidden web interface passwords from one Sungrow SH5k-20 unit they may re-use that information in attacks against other units of the same model. This can be done in a few seconds from inside a car parked on the street outside a home equipped with one of these inverters.

Attack 1: WiFi password theft

An attacker can read a customer’s WiFi access credentials from the SolarInfo WiFi dongle. They can then use this information to connect to the customer’s home WiFi network. This exposes networked equipment such as printers, cameras, baby monitors, TVs, intercoms, and other smart home devices to attack.

Attack 2: Battery damage

An attacker has access to battery settings intended for use by qualified service and installation personnel. These settings can be accessed via the installer-level login credentials in the iSolarCloud smartphone app, or via a direct connection to the inverter using an unencrypted industrial protocol. These settings include maximum battery voltage, temperature and discharge current. Intentional misconfiguration of these settings could lead to:

Some of the settings available in the inverter.

Attack 3: Man-in-the-middle

The inverter communicates to Sungrow’s internet servers using an unencrypted and unauthenticated Internet of Things (IoT) protocol. It would be possible for a hostile actor to imitate this server, or otherwise inject messages, and send arbitrary commands to the inverter.


Suggested immediate steps

Users

Unscrew the two bolts attaching the Sungrow WiFi dongle to the bottom of your inverter with a Phillips-head screwdriver. Pull the WiFi dongle straight down. Put a piece of tape over the port to keep out dust and insects. Do not connect an Ethernet cable to this port; doing so may damage the inverter or your network equipment. There is an Ethernet connection inside the inverter housing, but it should only be connected by qualified personnel. Contact the installer of your solar storage system for the next steps.

Suppliers/Installers

Halt sale and installation of the Sungrow SolarInfo WiFi dongle. Notify previous customers of these vulnerabilities. Contact Sungrow Australia for further information on rectifying these cybersecurity issues.

Manufacturer

Notify all suppliers/installers of the vulnerabilities and issue a recall of affected hardware.

Employ industry-standard cybersecurity principles, such as:


Responsible disclosure

Details of the vulnerabilities disclosed in this document were provided to Sungrow Australia on 2019-09-20. Every effort was made to assist them in understanding the severity of these issues and the risks to which their customers were exposed. They did not commit to rectifying these issues.

Rev. 3


Email: [email protected]
Twitter: @solarcybersecurity
Reddit: solarcybersecurity