Critical Vulnerabilities Found in Ningbo Deye's Solar Inverter System

TapTechNews, August 10: Security company Bitdefender has released a report disclosing serious vulnerabilities in the solar inverter systems produced by Ningbo Deye (Deye). Hackers can use these vulnerabilities to affect the stability of regional power grids and even cause large-scale power outages or explosion accidents from infrastructure overload.

Reportedly, the solar inverter systems produced by Ningbo Deye are sold in more than 190 countries around the world, covering up to 10 million power generation facilities, which can generate a total of 1.95 billion kilowatts of electricity, accounting for one-fifth of the global solar power generation total.

TapTechNews learned that the vulnerabilities discovered by Bitdefender mainly relate to improper management of multiple credentials (tokens). Hackers can obtain the highest administrative rights on the inverter system in at least four ways and tamper with the inverter's configuration. The specific vulnerabilities are as follows:

OAuth Authentication Vulnerability: The researchers found an API endpoint vulnerability related to OAuth authentication on the platform. Attackers can use this vulnerability to generate valid credentials for any user, thereby taking over the user account and tampering with the inverter's configuration.

Credential Reuse Vulnerability: The researchers found that the credentials signed by the company's cloud platform can also be directly used on the platform of another solar product company, Solarman. This means that attackers can use the same credential to fully access user accounts with the same ID. If users do not take appropriate isolation measures, this situation may lead to hackers using one credential to invade the platforms of two companies.

Excessive Information Exposure: Some API endpoints of the platform return too much information about the enterprise organization, which can easily leak personal information such as email addresses and phone numbers. Hackers can use social engineering to learn the geographical location and power generation capacity of the solar power generation device.

Hardcoded Account: There is a hardcoded account with a specific password inside the equipment produced by Ningbo Deye. This account has the highest authority, but the password cannot be modified. Hackers can directly use the relevant password to access all devices with the highest authority.
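The credential reuse issue above is what happens when a token verifier checks the signature but not which platform the token was issued for. The sketch below is an added example, not code from Bitdefender, Deye or Solarman; the token format, the shared signing key, the `iss`/`aud` claims and the platform names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: two platforms trust the same signing key (constructed value).
SHARED_KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Mint a token: base64url(JSON claims) + '.' + base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def _verified_claims(token: str, key: bytes):
    """Return the claims if the signature is valid, else None."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return json.loads(_unb64(body))

def verify_signature_only(token: str, key: bytes = SHARED_KEY):
    """Weak check: any validly signed token is accepted, whoever it was for."""
    return _verified_claims(token, key)

def verify_bound(token: str, expected_iss: str, expected_aud: str,
                 key: bytes = SHARED_KEY):
    """Hardened check: signature AND issuer/audience must match this platform."""
    claims = _verified_claims(token, key)
    if claims is None:
        return None
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    return claims

# Constructed sample: a token minted by hypothetical platform A for user 1001.
TOKEN_A = issue_token({"sub": "1001", "iss": "platform-a.example",
                       "aud": "platform-a.example"})

if __name__ == "__main__":
    print("B, signature only:", verify_signature_only(TOKEN_A))
    print("B, bound to B:", verify_bound(TOKEN_A, "platform-b.example",
                                         "platform-b.example"))
```

With the signature-only check, platform B treats platform A's token as a login for its own user 1001; binding the token to an issuer and audience makes B reject it even though the signature is valid.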


Bitdefender said that the discovery of these vulnerabilities shows how exposed critical infrastructure is in terms of network security, especially in easily overlooked settings such as solar power generation systems. To prevent potential hacker attacks, relevant manufacturers and users need to take timely measures to patch the vulnerabilities and strengthen security protection. Bitdefender has submitted the vulnerabilities to Ningbo Deye, and Deye has quickly taken measures to patch them.
