Solar panel control systems vulnerable to hacks, feds warn


News
10-15-12, 02:30 PM
Image (http://cdn.arstechnica.net/wp-content/uploads/2012/10/ezylog.jpg): One of the devices Italian researcher Roberto Paleari says is vulnerable to a slew of serious hacks.
Schneider Electric (http://www.schneider-electric.it/documents/prodotti-e-servizi/Fotovoltaico/Monitoraggio/Specifica-Tecnica-Ezylog-Rev_A_2011.pdf)


The US Department of Homeland Security is warning of critical vulnerabilities in a computerized control system that attackers could exploit to sabotage or steal sensitive data from operators of the solar arrays that generate electricity in homes and businesses.

A slew of vulnerabilities in a variety of products, including the Sinapsi eSolar Light Photovoltaic System Monitor (http://www.sinapsitech.it/default.asp?active_page_id=78) (Microsoft translation here (http://www.microsofttranslator.com/bv.aspx?ref=SERP&br=ro&mkt=en-US&dl=en&lp=IT_EN&a=http%3a%2f%2fwww.sinapsitech.it%2fdefault.asp%3factive_page_id%3d106)) and the Schneider Electric Ezylog (http://www.schneider-electric.it/documents/prodotti-e-servizi/Fotovoltaico/Monitoraggio/Specifica-Tecnica-Ezylog-Rev_A_2011.pdf) Photovoltaic Management Server, allow unauthorized people to remotely log into the systems and execute commands, warned the DHS-affiliated Industrial Control Systems Cyber Emergency Response Team in a recent alert (https://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-284-01.pdf). Other vulnerable devices include the Gavazzi Eos-Box (http://www.gavazzi-automation.com/download/press/PR_Eos-Box_0909.pdf) and the Astrid Green Power Guardian (http://www.astridups.it/en/renewable-energy/). Proof-of-concept code available online makes it easy to exploit some of the bugs.

The advisory is based on a report published last month (http://www.exploit-db.com/exploits/21273/) that disclosed SQL injection vulnerabilities, passwords stored in plain text, hard-coded passwords, and other defects that left the devices open to tampering. According to researchers Roberto Paleari and Ivan Speziale, the vulnerable management server is incorporated into photovoltaic products from several manufacturers. Paleari told Ars the flaws were uncovered after Speziale purchased a Schneider Electric Ezylog device for his home that used firmware version number 2.0.2736_schel_2.2.6b.

More... (http://arstechnica.com/security/2012/10/solar-panel-control-systems-vulnerable-to-hacks/)