Solarman backend administrator account/password leaked

Gandalf_The_Grey

Triggered by a tweet from Célistine Oosting, Jelle Ursem decides to look for SolarMan credentials and finds a (now removed) GitHub repository containing a username and password.

Turns out this is indeed the Super Admin account and working password. Since the account doesn’t have MFA, Jelle was able to log in with the username and password.

This backend and the Super Administrator account give the ability to:
  • See all data from all customers, including:
    • GPS coordinates
    • Current and historical production data
    • Current faults
  • Clear faults
  • Download firmware
  • Upload firmware to devices
  • Create and delete customers

In the SolarMan platform, there are almost 1,000,000 plants (installations) with a total power of over 10 GWp (actually generated). Most systems are located in China and Australia, but a significant number (40k+) are in the Netherlands.

In the second half of April 2021, SolarMan gets notified and changes the password. On 3 Feb 2022, Jelle reads Jan van Kampen’s blog post on Growatt and decides to check the password again. To his horror, the password has been changed back to the password in the GitHub repo.

On 4 Feb Jelle joins DIVD and on 6 Feb we opened this case.

Getting the account closed turned out to be hard. The first time, the vendor responded promptly but silently. In fact, neither we nor the NCSC-NL ever got any reply from them. NCSC-NL used the help of the Dutch Embassy in China, and head of research Victor Gevers visited the Chinese Embassy in The Hague, all in an effort to get into contact. In the end, the password was changed and the repository deleted. Just before this, Cert China confirmed receipt of the report to NCSC-NL.

The net effect of deleting the repository and resetting the password is that the number of parties with the ability to abuse this access has been reduced from “everybody that was able to find the password on GitHub” to the vendor and whoever can control the vendor.