  • silverhorsefarm
    Solar Fanatic
    • Apr 2010
    • 147

    SMA inverters vulnerable to hackers?

    I thought these were hard-wired to the router, so I don't see the vulnerability. Can anyone shed light?

    https://thenextweb.com/eu/2017/08/04...#.tnw_pYOTZpAh
    Last edited by silverhorsefarm; 08-05-2017, 10:53 AM. Reason: IoT, hacker, cyber
    SHF produces something besides manure!
  • Sunking
    Solar Fanatic
    • Feb 2010
    • 23301

    #2
    Why would you want your system connected to the Internet?

    Have you not learned if you do that, someone is going to mess with it. That is why you put it on the Internet, so someone can mess with it. You got what you asked for.
    MSEE, PE


    • JSchnee21
      Solar Fanatic
      • May 2017
      • 522

      #3
      Yeah, that pretty much sounds like BS. But it depends on exactly how the inverters are connected to the internet and the type of exploit the hackers are looking to employ. In general, it's possible with enough time and effort to hack almost anything. But whether it's practical and worthwhile (and thus likely) is a completely different story.

      Residential inverters which are connected to the internet are likely connected in one of two main ways:

      1) Cellular -- GSM / CDMA

      2) Owner internet service (aka Comcast, FIOS, etc.) using Ethernet, Wifi, Zigbee, etc. and usually behind their router/firewall

      The question is, do you want to hack a single device? Or hack them all?

      Single Device:
      Hacking a single device is not terribly useful unless you really hate your neighbor, etc. But this would involve having internet access on the same network as the inverter (connecting to the LAN side of the router -- wired, wireless, man-in-the-middle, zombie exploit on another connected device with LAN access) or hacking through the residential router / firewall to get to the network devices on the other side. Once you're on the same network as the inverter, you would need to access its network interface and potentially issue any commands it might support via its API or ssh/telnet terminal. Conceivably, this might be possible by being on the same cellular network tower as the device if you could figure out its cellular IP (for option 1 above), but I'm not sure what -- if any -- network security cellular operators put into place to prevent device-to-device communications.

      Hack them all
      So given that what you really want to do is shut down all or most of the inverters in one fell swoop, you'd need to think about hacking into a common central service that they all use and communicate with on a regular basis. For example, let's assume that inverter tech support can shut down / program the firmware on all of the inverters remotely. In order to do this, the inverter company has to have a server/cloud software solution which enables individual inverters to self-report their IP addresses and/or process commands using a push or pull architecture. So what you would need to do is hack into this centralized software solution, get a list of all of the active inverters, and then either send them all the desired commands, or en-queue a shutdown or malicious command for them to fetch and process when they next report in. There may or may not be device-level security implemented at this layer (by serial number, MAC address, API key, etc.) but these credentials are either the same on each model device (think default admin username and password on residential routers) OR they're all different, but they are stored in the database you've likely already hacked into or have the ability to execute commands against.

      Another approach to hacking them all would be a zombie PC or IoT exploit. This is an extension of the single device approach. A Windows vulnerability would be a great example. If you wrote malicious software that infected millions of Windows PCs, the software could scan all of the MAC addresses on each of their local networks, look for the inverter make/model of interest, get the IP address, and then proceed to try and log into / hack / shutdown any inverters that the PC could see from its individual network vantage point. The infection and inverter discovery process would be haphazard and time consuming, but the execution of the "kill switch" could be coordinated from a central point.



      • max2k
        Junior Member
        • May 2015
        • 819

        #4
        Originally posted by JSchnee21
        ...
        Another approach to hacking them all would be a zombie PC or IoT exploit. This is an extension of the single device approach. A Windows vulnerability would be a great example. If you wrote malicious software that infected millions of Windows PCs, the software could scan all of the MAC addresses on each of their local networks, look for the inverter make/model of interest, get the IP address, and then proceed to try and log into / hack / shutdown any inverters that the PC could see from its individual network vantage point. The infection and inverter discovery process would be haphazard and time consuming, but the execution of the "kill switch" could be coordinated from a central point.
        this route seems most feasible. Still the whole story sounds like 'security' company self promotion at SMA's expense. The magazine published this BS simply for the lack of real news.

        From what I can tell SMA inverters support https over LAN. I haven't checked their outbound traffic but it would be logical to assume they connect to their cloud service using https as well. My SMA inverters sit behind a firewall with no inbound ports open. I disabled their WiFi interface as one of the first changes I made; they're connected to the LAN over Ethernet. They are still capable of pulling and updating their firmware and pushing their production data to the SMA portal.


        • Mike90250
          Moderator
          • May 2009
          • 16020

          #5
          Security
          That's what the S in IoT (internet of things) stands for.
          Powerfab top of pole PV mount (2) | Listeroid 6/1 w/st5 gen head | XW6048 inverter/chgr | Iota 48V/15A charger | Morningstar 60A MPPT | 48V, 800A NiFe Battery (in series)| 15, Evergreen 205w "12V" PV array on pole | Midnight ePanel | Grundfos 10 SO5-9 with 3 wire Franklin Electric motor (1/2hp 240V 1ph ) on a timer for 3 hr noontime run - Runs off PV ||
          || Midnight Classic 200 | 10, Evergreen 200w in a 160VOC array ||
          || VEC1093 12V Charger | Maha C401 aa/aaa Charger | SureSine | Sunsaver MPPT 15A

          solar: http://tinyurl.com/LMR-Solar
          gen: http://tinyurl.com/LMR-Lister


          • reader2580
            Solar Fanatic
            • Jan 2017
            • 281

            #6
            Originally posted by silverhorsefarm
            I thought these were hard-wired to the router, so I don't see the vulnerability. Can anyone shed light?
            Hacks can happen to devices no matter if they are connected via wireless or a wire.

            If an individual residential inverter is broken into through the Internet, the worst that would probably happen is the inverter is shut down, unless someone uploads modified firmware that causes problems. Financially there is little or nothing to gain from hacking an inverter.


            • cebury
              Solar Fanatic
              • Sep 2011
              • 646

              #7
              Originally posted by Mike90250
              Security
              That's what the S in IoT (internet of things) stands for.


              • cebury
                Solar Fanatic
                • Sep 2011
                • 646

                #8
                As others have said, article is not making any major revelations.

                Originally posted by reader2580
                Financially there is little or nothing to gain from hacking an inverter.
                Um, there is a long history (in Internet lifespan) of hacking with little or no financial gain. Other than corporate espionage, almost all "hacking" had little financial motive to it until recent ransomware. "Because I could" has been reason enough for a long time. Now, with the American cultural changes recently, I'm not sure we are producing enough kids with both talent & motivation for our next generation to have the same circumstances for self-satisfaction hacking, but perhaps for environmental or political will.

                For fun let's imagine if Trump built a southern border wall out of solar panels that used SMA inverters and the power generated was used to propel red, white and blue fireworks into the air that released CO2 into the atmosphere and spelled Make America Great Again; we would quickly learn such a virus was feasible.


                • max2k
                  Junior Member
                  • May 2015
                  • 819

                  #9
                  Originally posted by reader2580

                  Hacks can happen to devices no matter if they are connected via wireless or a wire.
                  ...
                  Connected through wire are significantly harder to hack as you'd have to somehow bypass the firewall first. If you did that then you're already on the local network, and we don't hear too many reports of that happening.

                  If I understood SMA docs correctly it is not configured just as a WiFi client out of the box but it actually creates an Access Point and advertises itself, broadcasting an SSID. I considered that to be too open for my liking. It was easy enough to turn off.


                  • tyab
                    Solar Fanatic
                    • Sep 2016
                    • 227

                    #10
                    I did go through all of the CVEs assigned. All are level 3.0 and all are DoS type attacks. All require the ability to send data to the device, which, given that most are behind some sort of NAT, makes it harder - but not impossible if a hacker is able to get local access to some other compromised system on the same local network. Given that most users do not understand security of home internet routers, it is likely that those routers are themselves not patched or have default passwords, which allows a dedicated hacker to get to the local network and thus be able to perform the DoS attacks on the inverter. Also the author claims that given most inverters are installed by companies, and those companies are themselves not savvy in internet security, they are more likely than not to use the same password for multiple systems, thus allowing password cracking to be a viable way to get into the inverter; then they can do whatever the inverter allows once they have gotten past the NAT layer.

                    Viable risk.


                    • max2k
                      Junior Member
                      • May 2015
                      • 819

                      #11
                      Originally posted by tyab
                      I did go through all of the CVEs assigned. All are level 3.0 and all are DoS type attacks. All require the ability to send data to the device, which, given that most are behind some sort of NAT, makes it harder - but not impossible if a hacker is able to get local access to some other compromised system on the same local network. Given that most users do not understand security of home internet routers, it is likely that those routers are themselves not patched or have default passwords, which allows a dedicated hacker to get to the local network and thus be able to perform the DoS attacks on the inverter. Also the author claims that given most inverters are installed by companies, and those companies are themselves not savvy in internet security, they are more likely than not to use the same password for multiple systems, thus allowing password cracking to be a viable way to get into the inverter; then they can do whatever the inverter allows once they have gotten past the NAT layer.

                      Viable risk.
                      Not really: DoS would deny http responses from the inverter but not likely affect its main operation. Besides, any of the attacks require breaking through the NAT firewall first, and currently ISPs usually handle router setup, so "the same password for everyone" is not a realistic assumption. Users who are savvy enough to buy / configure their own routers are careful enough to come up with a strong password. I still think that "security" company is just seeking publicity at SMA's expense.


                      • cebury
                        Solar Fanatic
                        • Sep 2011
                        • 646

                        #12
                        Originally posted by max2k

                        Not really: DoS would deny http responses from the inverter but not likely affect its main operation. Besides, any of the attacks require breaking through the NAT firewall first, and currently ISPs usually handle router setup, so "the same password for everyone" is not a realistic assumption. Users who are savvy enough to buy / configure their own routers are careful enough to come up with a strong password. I still think that "security" company is just seeking publicity at SMA's expense.
                        Yeah, I don't know the total market share of the major broadband providers, but in the metro areas those residential gateways have come preconfigured with great passwords seemingly forever, and they strongly discourage you from changing them. However, your wifi security key/password is a whole different story. The ones I have configured default to full network user once you're on their subnet, not just outgoing, unless they have a guest profile set up. I doubt many folks, especially installers, recommend or are aware of segmenting a network, using NAT and firewalling, defaulting to outgoing-only devices. And nowadays, unless it has changed, you can set up your own public wifi AP called xfinity or xfinitywifi and watch how many devices auto-connect. What a door into the device, then the network.

                        But I agree with you, they saw an opportunity for exposure and they took it.


                        • tyab
                          Solar Fanatic
                          • Sep 2016
                          • 227

                          #13
                          There are multiple issues here that are being combined.

                          - The actual vulnerability of the inverter. That is what the 14 CVEs document.
                          - How those vulnerabilities can be exploited by a dedicated hacker.
                          - Security companies want press for found vulnerabilities to promote their services.

                          For the CVEs - those are documented and meet the standards to assign a CVE. From my reading of the 14 reported, they can be put into 2 groups.

                          Group 1 is a collection of DoS type attacks that can be made to the devices by sending malicious crafted packets that exploit bugs in the firmware - resulting in crashing, locking up, invalid operation or rebooting of the device. That meets the criteria of a DoS attack. All of these require local access to the network the unit is connected to.

                          Group 2 is a collection of weak password attacks that have been found that allow password cracking to be viable. This includes lack of viable anti-password-cracking measures in the device. Once a password is cracked, the authors found evidence that systems from the same installer follow password patterns that make it significantly easier to crack those passwords, and they found use of default passwords - which is like having no password at all. This also requires access to the local system.

                          Those are viable vulnerabilities and all were assigned a security risk of 3.0 on the CVE rating scale of 0-10. They have been reported to SMA and it's SMA's responsibility to address them via their business model. How/when they do that is up to them.

                          Now we get into the far more complicated issue of how those exploits can be used by a dedicated attacker. The attacker needs local network access to take advantage of the vulnerability. Thus the goal for the attacker is to design an attack vector that results in local network access. Sophisticated network admins (or users) that understand how to mitigate these attack vectors will make it significantly harder for a dedicated attacker to breach a network. In network security we approach the problem from this point of view: the attacker has significantly larger resources to attack, the defender has limited resources to defend. No system is 100% protected, but you can make it economically unviable (time, network bandwidth, use of bot nets, etc.) for the majority of attackers to waste time attacking a system. Thus as a defender we assign our resources based on the exposed risk. However, the attack vectors keep getting more complex and sophisticated, so it's a never-ending game.

                          cebury makes a valid point that most (not all) residential router owners are not sophisticated network admins - most don't understand even the simple levels of network security: strong unique passwords, firewalls and subnetting, etc. Most residential users (not all) are not able to defend themselves, so there is a higher level of risk of a residential system being compromised. As a simple example, most residential users do not have a managed switch (nor would they have a clue what to do with it), so they are not able to really lock down a single device. Many studies confirm that a large number of bot-nets are compromised residential networks. To protect their own networks (typically bandwidth usage), ISPs are getting better at managing the router they commonly provide to the end user to make attack vectors harder to get past the NAT.

                          So for this vulnerability - what is the real risk? My guess is not high - it's a lot of work to attack each residential user to try and get local access. But let's say it was a hostile nation state that wanted to disrupt the electrical grid - maybe to them it is worth it. Combined with commercial installations, and if local access is able to be obtained on them, it is not impossible that this could be exploited. IMO summary - viable vulnerability but not likely to be exploited on a large scale.

                          And finally - individuals and companies that find these exploits are driven to get as much press out of their work as possible - it's what they do and they naturally over-emphasise the risk - call it sensationalism. The more press, the more clients use their services or the greater reputation they get.

                          So in the above case, SMA knows about the exploits. Only they will decide when or if they will address them based on their business model, development schedule, available resources, etc. Negative press like the above article may encourage them to change priorities - or not.
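As an added example (not SMA's code, nor anything from the article or the researchers), here is a minimal login guard for a device web interface showing the two Group 2 controls tyab describes as missing: refusing factory-default passwords at set-time and backing off repeated wrong guesses. The default-password list, salt and guess sequence are constructed for the demo.

```python
"""Login guard for an embedded device web UI (added example, not SMA code)."""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed list of factory defaults a device must refuse to keep.
DEFAULT_PASSWORDS = {"0000", "1111", "installer", "user", "admin"}
MIN_PASSWORD_LEN = 8
LOCKOUT_BASE_SECONDS = 2.0   # first failure locks for 2 s, then 4, 8, 16 ...


@dataclass
class AuthState:
    """Per-account state: salted hash plus lockout bookkeeping."""
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


def _derive(password: str, salt: bytes) -> bytes:
    # Slow hash so an offline dump of the digest is also costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(password: str, salt: bytes = b"constructed-salt") -> AuthState:
    """Reject factory defaults (case-insensitive) and too-short passwords."""
    if password.lower() in DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LEN:
        raise ValueError("default or too-short password rejected")
    return AuthState(salt=salt, digest=_derive(password, salt))


def login(state: AuthState, password: str, now: float) -> bool:
    """Constant-time compare; each failure doubles the lockout window."""
    if now < state.locked_until:
        return False                      # locked: refuse without checking
    if hmac.compare_digest(_derive(password, state.salt), state.digest):
        state.failures = 0                # success clears the backoff
        return True
    state.failures += 1
    delay = LOCKOUT_BASE_SECONDS * 2 ** (state.failures - 1)
    state.locked_until = now + delay      # online guessing slows exponentially
    return False


def replay_guesses(state: AuthState, guesses, start: float = 0.0):
    """Replay a constructed guess sequence one second apart; return outcomes."""
    return [login(state, g, start + i) for i, g in enumerate(guesses)]


if __name__ == "__main__":
    account = set_password("Sunny-Field-2017")        # constructed password
    # Wrong guess at t=0 locks until t=2; the right password at t=1 is refused.
    print(replay_guesses(account, ["1111", "Sunny-Field-2017", "Sunny-Field-2017"]))
```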



                          • joerossjr
                            Member
                            • May 2016
                            • 82

                            #14
                            Originally posted by Mike90250
                            Security
                            That's what the S in IoT (internet of things) stands for.
                            Mike, I am stealing this. Too good.

