Solarman backend administrator account/password leaked

Gandalf_The_Grey

Level 66
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
5,568
Triggered by a tweet from Célistine Oosting, Jelle Ursem decides to look for SolarMan credits and finds a (now removed) GitHub repository containing a username and password.

Turns out this is indeed the Super Admin account and working password. Since the account doesn’t have MFA Jelle was able to log in with the username and password.

This backend and the Super Administrator account give the ability to:
  • See all data from all customers including:
    • GPS coordinates
    • Current and historical production data
    • Current faults
  • Clearing of faults
  • Downloading firmware
  • Uploading of firmware to devices
  • Creation and deletion of customers
In the SolarMan platform, there are almost 1,000,000 plants (installations) with a total power of over 10GwP (actually generated). Most systems are located in China and Australia, but a significant number of 40k+ in The Netherlands.

In the second half of April 2021, SolarMan gets notified and changes the password. On 3 Feb 2022, Jelle reads Jan van Kampen’s blogpost on Growatt and decides to check the password again. To his horror, the password has been changed back to the password in the GitHub repo.

On 4 Feb Jelle joins DIVD and on 6 Feb we opened this case.

Getting the account closed turned out to be hard. The first time the vendor responded promptly, but silently. In fact, neither we nor the NCSC-NL ever got any reply from them. NCSC-NL used the help of the Dutch Embassy in China and head of research Victor Gevers visited the Chinese Embassy in The Hague, all in an effort to get into contact. In the end, the password has been changed and the repository deleted. Just before this Cert China confirmed receipt of the report to NCSC-NL.

The net effect of deleting the repository and resetting the password is that the number of parties with the ability to abuse this access has been reduced from “everybody that was able to find the password on GitHub” to the vendor and whoever can control the vendor.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top