Researchers who go looking for devices exposed to the Internet report “tens of thousands” of solar photovoltaic (PV) monitoring and diagnostic systems can be found on the web. The systems are used for everything from system optimization to performance monitoring and troubleshooting.
No fewer than 134,000 products from an assortment of vendors were found to be exposed, though as Bleeping Computer notes, this does not necessarily mean they're all vulnerable right now.
However, new vulnerabilities are discovered all the time and anything that's attached to the Internet when a vulnerability is discovered represents a serious risk (and at least some of the products on display have been impacted by vulnerabilities in the past.) Devices left exposed online can lead to all manner of other issues too. Whether people poking around to get an idea of how your systems work, or directly tampering, it’s almost never good.
While many of the currently discovered devices may not be vulnerable to a remote takeover, there may be enough information to hand to figure out some of the workings of the systems in question.
Indeed, the research highlights that around 7,000 devices belonging to one particular brand are in the list. A separate report linked by Bleeping Computer found 425 examples of said device making use of a firmware version known to be vulnerable to attack. As per said report, which cleverly makes use of a copyright string on the product’s landing page to work out which versions are vulnerable:
It turns out that less than one third of the internet-facing SolarView series systems are patched against CVE-2022-29303.
This, in addition to mention of other issues affecting this brand of device like being able to upload PHP web shells (allowing for remote access), does not make for great reading. Especially when we consider that this is just one product, while the products left exposed include:
Solar-Log, Danfoss Solar Web Server, SolarView Contec, SMA Sunny Webbox, SMA Cluster Controller, SMA Power Reducer Box, Kaco New Energy & Web, Fronis Datamanager, Saj Solar Inverter, and ABB Solar Inverter Web GUI.
Exposed devices can end up being a pretty serious issue. Even in cases where the device isn’t exposed online, things can still go awry. A few years back, Australia’s early warning network was compromised (most likely by a targeted phishing attack) and messages galore were fired out by SMS, email, and phone announcing that the service had been hacked.
Road signs and other forms of public communication are often found wanting in the security stakes. It’s such a problem that it’s not unusual to see the Department of Homeland Security issuing warnings about the need to update Emergency Warning Systems. Last August, FEMA was similarly banging the drum for the swift application of software updates.
If you’re responsible for deploying any of the above systems, it may well be beyond time to check what (if anything) is exposed online and whether or not you need to start patching.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.