One of the devices Italian researcher Roberto Paleari says is vulnerable to a slew of serious hacks.
The US Department of Homeland Security is warning of critical vulnerabilities in a computerized control system that attackers could exploit to sabotage or steal sensitive data from operators of the solar arrays that generate electricity in homes and businesses.
A slew of vulnerabilities in a variety of products, including the Sinapsi eSolar Light Photovoltaic System Monitor and the Schneider Electric Ezylog Photovoltaic Management Server, allow unauthorized people to remotely log into the systems and execute commands, warned the DHS-affiliated Industrial Control Systems Cyber Emergency Response Team in a recent alert. Other vulnerable devices include the Gavazzi Eos-Box and the Astrid Green Power Guardian. Proof-of-concept code available online makes it easy to exploit some of the bugs.
The advisory is based on a report published last month that disclosed SQL injection vulnerabilities, passwords stored in plain text, hard-coded passwords, and other defects that left the devices open to tampering. According to researchers Roberto Paleari and Ivan Speziale, the vulnerable management server is incorporated into photovoltaic products from several manufacturers. Paleari told Ars the flaws were uncovered after Speziale purchased a Schneider Electric Ezylog device for his home that used firmware version number 2.0.2736_schel_2.2.6b.