Believe it or not, your Solar Panel can be hacked as well — Just like this man who hacked his own solar panel
Do you know how you can verify if your home or property is fully secure? Well, in Fred Bret-Mounet’s opinion, the only way is to try to violate the security measures yourself. And he did just that to prove his point.
The solar array in question is provided by Tigo Energy, whose system lets users control or monitor panels via the internet. Like every other house in California, Bret-Mounet's home has a solar array installed, but he was deeply concerned about the level of security it provided to his family. So, he decided to check it. To his surprise, the system had vulnerabilities that would let him easily spy on the home and even hack the power supply of at least a thousand homes. This was possible because of the open Wi-Fi access point linked to the MMU (Management Unit) of the solar array.
The fact that the device uses an open Wi-Fi access point is quite disturbing: if someone obtains the login password for the web account from which the solar panels are monitored, spying on homes becomes an easy job.
But this was just the beginning!
In October last year, he discovered some rather serious issues. He found that his Tigo was being served over an unencrypted HTTP connection, protected only by an extremely easy-to-guess username and password, namely “admin” and “support.” To him, this looked like a default login, meaning he could easily manipulate the solar arrays of other residents with the same login information.
He did not attempt to damage his solar array. Instead, he searched Shodan for other vulnerable arrays on the internet and succeeded in finding other Tigo systems. He then prepared to act like a malicious attacker: using the login credentials, he looked for other weaknesses in the system and gained root-level access to the controller of his solar panel. This meant that he could do just about anything to his panels.
Then he found that all Tigo devices share the same VPN connection.
“If I’d gone through that tunnel I would have reached any of them. I could have shut down a small-to-medium electricity generation facility in the aggregate, but my personal belief is that I could have used those as Trojan horses to attack targets that happened to have that type of solar panel,” Bret-Mounet told Forbes.
Fred Bret-Mounet presenting his findings in Def Con
— Kevin Peterson (@secureaccess) August 6, 2016
When he contacted Tigo, the company responded quickly, and the issues were supposedly being resolved in December last year. But then he was informed that the company had sold around 1000 development devices to buyers, one of whom was Bret-Mounet. Bret-Mounet also verified the company’s claim by checking for vulnerable devices across the city and couldn’t find any new ones. Tigo then delivered a production model to him. But this poses an important question: how many such devices are out there that are vulnerable to spying and hacking?