
Electryone: In The Land With No Sun - Vangelis Stykas

BSides Cymru Wales · 26:39 · Published 2023-04

Hello everyone. First of all, I want to say that this is not exactly the talk that I was planning to do. I had to change it yesterday and the day before yesterday after a lot of recommendations from law people and from EFF, so sorry, it's going to be a little bit shorter. It's Electryone, that's a Greek word; Tom did a really good try at pronouncing it. In the Land With No Sun: you're going to need a lot of this, you're going to see a lot of things that are really strange and really bad, but yeah, bad disclosure is this kind of thing.

That's me. I'm Vangelis Stykas. I'm currently a CTO at a regulation tech startup. I'm also an independent security researcher. My PhD research interest (I have to at some time accept that I'm not going to be a PhD, I'm not going to be a doctorate, I'm a PhD student) is mainly APIs for IoT devices and web application security. You can find me there as evstykas; you can also find me as evstykas on Mastodon.

Today's talk is about photovoltaic panels. I'm going to quote what a solar PV panel is: it consists of many cells made from layers of semiconducting, blah blah blah. It's one glass panel that creates energy from the sun. It is made up of several panels, you can see that; usually it is on rooftops. The electricity is used for the household, that is AC, blah blah blah; the sun is the DC, we need AC. This electricity can be used throughout your home or exported to the grid. We are having photovoltaic inverters: the inverter is the power inverter which converts DC to AC. It is a critical balance of system. As you can see in here, with a lot of strange graphs, we get the sun, we get the DC, we convert it to AC, and we either store it or throw it to the grid, as we're going to see later.

How do they work? I literally have no idea. If you're here for me to explain to you how solar works: it has a lot of math, it has a lot of strange things, physicists are going to talk to you about them. I'm an API guy, I'm going to see them from a totally different point of view. So if you came here for that, sorry, you can leave; I'm not going to explain how it works.

Where do we install them? There's the home installation, which you see on the rooftops; it's on-roof installation or roof-integrated installation, and it's usually from 1 to 10 kilowatts. This is usually directly connected to the house so that it can be off-grid or throw the power to the grid. And there's the plant installation, which is from 200 kilowatts to 20 megawatts; as we can see, a lot of things, usually in the States and in Vegas, where their plan is to maximize the profit and minimize the cost.

Why did we take a look? I took a look at this: this is the solar market share right now. It is at 150 billion US dollars, and for 2030 we are looking at a 250 billion market. Here there is the European Green Deal. I know you don't really care because of Brexit and things, but they bring a lot of money. So the plan is no net emissions of greenhouse gases by 2050, do socialistic things, economic growth decoupled from resource use, no person and no place left behind. And the great thing that it says in here is: one-third of the 1.8 trillion euro investment from the NextGenerationEU recovery plan and the EU seven-year budget will finance the European Green Deal. If you can do the math, that's a lot of money.

So what can we say about the solar market? There are 10 big players, mainly Chinese companies, a lot of white-label cloud providers that provide their own implementations; we're going to look at some of them. The huge number that you saw before has generated a lot of fast-to-market systems to catch the green wave and the Green Deal, and there are over 20 million car installations. This is the plan from the Green Deal. Right now, as you can see, last year (no, 2021; we are in 2023) the year before the last year was the first time that solar power has been more than one terawatt per day, and the plan says that it's going to be more than seven terawatts per day. That's a lot of traffic. Some more info: as you can see in here, with the red, you can see the power generation, and from here the per capita energy consumption. The darker the red, the more power it generates, and the more it consumes; it means an attack on those photovoltaics will greatly affect those countries.

So the solar market, as I said, is generating more than a terawatt globally. Solar power is cheaper to produce; it has low maintenance but a lot of money to actually install it; it can run unsupervised; and it is expensive to store, so it is easier to just throw it into the grid. Really, they are trying to throw things into the grid while they're IoT connected, so if you find a way to get a hold of the photovoltaics, as you can see in the Horus Scenario. This is where I based the idea of my research. You can see it at horusscenario.com; they did a lot of good math, a lot of things that I really didn't understand because I'm not a physicist, I'm not a photovoltaic engineer or anything else, so I'm going to quote them: the power grid needs to maintain a constant balance between supply of power and power blah blah blah, more blah. It means that it's a really, really, really balanced system, and if you take something out of it they will need to rebalance it or a lot of shit will hit the fan. The other thing is that the power grids in Europe are interconnected, so if you somehow, I don't know, take down the grid of the UK, why not, or Germany, it will also cause a lot of trouble in nearby countries, and if you also cause trouble in nearby countries it means that it will cause trouble throughout Europe. That's why it's called interconnected, intertwined power grids.

This is the theoretical proof of how the Horus Scenario is going to take place, and it's based upon a solar eclipse that happened in Germany in 2025. You can see the steep decrease in solar power supply and the steep increase after the solar eclipse has happened. Unfortunately, we can use a mathematical model to estimate the amount of PV energy in a power grid, but we cannot be so precise. So the German power grid at that time, in 2015 (this has changed), covered 35 to 50 percent of its power demand using only PV installations. This number has changed now. So it means that if you can somehow control the PV installations, you can cut 35 to 50 percent of the power demand of Germany, and as I said before, this also means that you are going to involve France, the UK and everyone else, because we have a constant power exchange between countries.

So what was the Horus Scenario? The Horus Scenario says that the German guy, who has a really strange name that I cannot pronounce but is really cool, had several CVEs on one inverter, which is SMA. He chained them to get remote command execution; he got remote command execution on those devices; he interfered with the devices to destabilize the grid.

What is Electryone? Whoever knows me knows that I'm just doing API and cloud, I'm not doing stuff like hardware or anything else, so unfortunately it goes cloud. There are no CVEs for me, but because it's cloud, I also don't need any physical access; I can just delete everything from my home in Greece. You can break en masse every device that you can firmware update. It is inverter-agnostic, because as we said in slide number four, they are white-labeling stuff, so you can force-update anything, and we're looking at more than 500 gigawatts.

What's my methodology? Burp Suite. Download the application, if there is an application, decompile it, download it from apklab.io. I have a small droplet on DigitalOcean; I'm certain stuff in Sudan, I hope. And I'm just doing really basic web application pen testing, really, really basic stuff. How I do it: usually they have a demo account; if they don't have a demo account, I try to register a new account. I find the obvious web issues, I try to find a way to control devices by exploiting those obvious issues, get platform admin, try to firmware update stuff, and then I'm not profiting, unfortunately; I'm just struggling for a response from all the vendors. As you're going to see, most of the vendors didn't even care to respond.

These are the five platforms that I took a look at and successfully exploited. Solarman: I got platform admin, but there was no firmware update. Samsung: I got platform admin and firmware update, which means that I could potentially break everything, because, as you might think, there is no signing in the firmware; there's just firmware update, you send it to them and they update it. The other result is me getting all those ads throughout my phone, throughout my web browsers; it's like I'm a freaking PV installation, like all my home is just these advertisements nowadays.

Disclosure, and that's a really painful story. More than 90 days have passed from every disclosure that I tried. Only one vendor responded and acted on the disclosure in a really good manner. The disclosure had full technical information. I tried really, really hard to get any reaction from them: I sent multiple emails to any email that I could find, I reached out on Twitter, I even called several Chinese phones; most of them didn't speak English, and the people who spoke English didn't understand what the security issue is. So yeah, I don't know what I should do anymore. The disclosure responses: Solarman, who is an A-plus, they responded, they fixed it in five days, they checked out; we're going to see what else they did. Samsung had no response for five months. Solax gave me another response and responded on my Twitter DMs; that's a win for me, after five months. Growatt asked me where I'm from after six months, and Intercom didn't respond at all.

So I had 30 more slides that were explaining what the issues were. The biggest issue that I had, the big discussion yesterday and the day before yesterday with a couple of people who understand law way better than me, told me that I shouldn't, in the current global situation and how we are, drop zero-days that could cause, I don't know, power outages in countries with a war right now happening. So unfortunately you're not going to have zero-days from me.

What's the plan? The plan is: have the providers act on the reported vulnerabilities, fix them; prove that you can control gigawatts of power, effectively destabilizing countries' power grids (we are not going to prove it, but we're going to see that we could prove it); we could help avoid a global outage and make the world a safer place, and global peace and all these things, I guess.

What have I found? Insecure direct object references, remote command execution, broken authentication, broken authorization, more IDORs, and no authentication at all. What did I find? Lots of personal data for a lot of people throughout the globe, access to administrative accounts and panels, ways to manipulate and brick panels, and access to internal networks where the panels were installed. That's what each provider claims to generate per day. I would take that with a pinch of salt, because I think they're overestimating. If you sum it up, that's more or less 700 gigawatts; that's 70 percent of the global solar generation. I would say that we are closer to 450,000 gigawatts. It's way smaller, but it's still a cool number if you ask me. And I know I missed some vendors. I did take a look at them; I didn't find the vulnerability, or an obvious vulnerability, because I was not doing a full pen test, I was just looking at the low-hanging fruits, as always.

So the first provider is Solarman. You can see it's fairly white-label, a pretty huge operator. It's the only vulnerability that I'm going to be specific about. They had an IDOR on the user-add functionality: you could add a user with any privilege to any group; groups and organizations were consecutive integers, so you could just add a user anywhere and take a look at it. What was the impact? Full functionality of the application; there was a potential GDPR violation with a leak of user and company data. I had all the info on plants and power generated, all the info of the people. So yeah, not that bad, if you ask me. They responded in two days, they fixed it in five days, they chased for a verification. They then tried to ask me if I had more info about other vendors, which I told them: look at the Cymru conference, I'm not going to expose anyone else. But they were cool; they did this, like, A-plus for them. Vulnerabilities are going to happen.

So this one: I have found five different companies that are white-label on them. They have IDORs everywhere; everything is an integer, you can plus-one things, you can do whatever you want. This is what you can do: full functionality of the application, potential GDPR info, plants and power generation; you can interact with the plants, you can update the firmware on both the gateway and the inverter, you can backdoor it, so you can access the network, and you can also have the platform admin. In here, let's see, you can see the gateway firmware and the inverter firmware of all the products that they have, and in here you can see the notification of who logged in, where, and what operation they wanted to do. Another disclosure: I really tried hard for them, because they're 200 gigawatts of power, but they never responded at any point, even on my phone, so I didn't have anyone who was speaking English.

The third one is Growatt. It is also known as G inverter. It's the biggest of all, at least to my understanding, because they have more or less five or six million installations, and that's how I got access to it. You can see that there is a serial number from a Google search; I just got that serial number and registered it so that I could have a demo account, and then I understood that I didn't need to do that, because there was no authentication. So their application was just accepting, then logging in, and then you could just say "give me that serial number" without any authentication, and yeah, you could get whatever you want. From the bottom up: platform admin, backdoor to the network, firmware update on gateway and inverter, interact with the plants. I'm not even going to care about the GDPR anymore, because, yeah. That was one of their emails: "due to the Spring Festival holidays we can't reply in time". Unfortunately, my first email was in October; that was on January 26th, so they had enough time, I guess. And the other response that I got was "would you please advise which country you are from", which makes no sense. Like, I'm from Greece, but why would you care where I'm from? But after that I got no answer. So again, disclosure: no response.

Solax is a strange one. They are probably the biggest of all that don't white-label, so you can find a lot of Solax Power inverters. They didn't have an IDOR, but the only one that I had was really, really critical, so they saved the issue for the one that really mattered: platform admin, backdoor to the network, firmware update, yada yada yada, you get the point, everything is really bad. You can see the customers in here; you can see that you can firmware update; you can see that they're online, their username, their password, their site name, "mom admin". So you get what you can see. Another nice one: that's the auto-generated email, "they're extremely busy at the moment". I'm going to say that they were extremely busy throughout the five months that I was trying to disclose it. They were responding within 10 working days; I don't know if they work once per month. They had eight months, so they should respond at some time. And they also provided a really good YouTube video that could tell me how to reconnect my Solax inverter; yeah, that didn't work. Then I literally hassled them on Twitter, telling them "can you please answer, please, please, please", like "do you have problems with emails to us?" "Hello, yes, which mails have you been sending and receiving a reply? Let me check." That's on February 2nd; he had nine days, so I guess he should have checked. Nothing from them too.

The last one is Intercom. It's a really, really nice inverter; this is the one that my mother has on her roof, unfortunately. They were missing the basic concept of authorization at all: these are consecutive integers, you can access anything, anywhere, anytime. Again, I think you believe that I'm just copy-pasting stuff, but I'm not; I have verified that I had access on all those: platform, backdoor, firmware update, interact with the plants. Yeah, it's bad. So as you can see in here, this is my mom's account (I'm not logged in with my mom's account), so you can see the system. They also have a really nice feature which is called "command line": you literally have a command line from that device's location, device ID, full stop; you have access to the network. I tried LinkedIn, so I added on LinkedIn everyone that I could find; their answer was "we don't hire". It's like, I don't want to work for you, I want to help you fix your stuff.

How could you prevent it? Go with a provider that reacts to problems. Try to isolate IoT devices on their own VLANs. This is something that I'm saying: vulnerabilities will happen; it's how they treat the vulnerabilities and how they act on the reporting that makes sense. That was me, I think. Sorry for being cut short, but I couldn't really disclose the vulnerabilities. But feel free to go and look at them; I do believe that you are going to find them, it's not really difficult to find. But yeah, any questions?

Break all of the devices, and it is always going to black out certain countries, which would then potentially have a snowball effect and black out other countries. And yeah, but I don't know, I haven't tried it, obviously, and I'm not legally required to say that it's obvious, because we still have power. So yeah, anyone else?

I did; I'm still waiting. And, as I have other government agencies that I did other disclosures to, my high hopes on them helping me: it's no. So I was like... I can tell you that one of them responded and they're good, but I haven't kept them installed, I don't know what they do. It's like, I'm not recommending anyone, due to obvious reasons, so I could say: if someone seems that they will respond to their vulnerabilities, go with them; if they seem that they don't respond, I wouldn't go with them. But that's a vulnerability in the cloud, so it should be back-ported and easily patched; but if you are missing in your cloud the whole concept of authentication, you have to rework a lot of things in who develops what in there. So you could access, you could update the firmware; one of them had a literal terminal, SSH, so you could install nmap in there and scan the network that the inverter was installed to. That's why I said use VLANs, or, I don't know, I'm not a network engineer, so I'm not going to... Anyone else? Thank you. [Applause]
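As an added example (not code from the talk or from any vendor platform it names), here is a pure-Python model of the object-level authorization checks whose absence the talk describes: every lookup requires an authenticated caller, ownership is checked per object rather than trusting a serial number or a consecutive integer group id, and a firmware update additionally requires an installer role on that plant. All class and account names are assumptions made for this example.

```python
# Object-level authorization for a PV monitoring API: a constructed toy model,
# not code from the talk or from any vendor platform it names.
from dataclasses import dataclass
from typing import Dict, Optional, Set

class AuthError(Exception):
    """Raised for unauthenticated or unauthorized calls."""

@dataclass
class Plant:
    owner: str            # the homeowner, who may read monitoring data
    installers: Set[str]  # installer accounts, who may also push firmware
    fw_version: str = "1.0"

class PlantService:
    def __init__(self) -> None:
        self.plants: Dict[str, Plant] = {}  # keyed by inverter serial number
        # Group ids stay consecutive integers; safe only because every call
        # checks membership explicitly instead of trusting the id.
        self.group_admins: Dict[int, Set[str]] = {}
        self.group_members: Dict[int, Set[str]] = {}

    def get_plant(self, user: Optional[str], serial: str) -> Plant:
        # `user` is the authenticated caller, or None for an anonymous request.
        # Knowing a serial is not a capability: the caller must own or install
        # the plant, and "no such plant" and "not yours" look identical.
        if user is None:
            raise AuthError("authentication required")
        plant = self.plants.get(serial)
        if plant is None or (user != plant.owner and user not in plant.installers):
            raise AuthError("not found")
        return plant

    def update_firmware(self, user: Optional[str], serial: str, version: str) -> str:
        plant = self.get_plant(user, serial)
        if user not in plant.installers:  # owner role alone is not enough
            raise AuthError("installer role required")
        plant.fw_version = version
        return plant.fw_version

    def add_user_to_group(self, user: Optional[str], group_id: int, new: str) -> bool:
        # Only an admin of *this* group may add to it, whatever the id is.
        if user is None:
            raise AuthError("authentication required")
        if user not in self.group_admins.get(group_id, set()):
            raise AuthError("not found")
        self.group_members.setdefault(group_id, set()).add(new)
        return True

def denied(fn, *args) -> bool:
    # True if the call is refused with AuthError.
    try:
        fn(*args)
    except AuthError:
        return True
    return False

def build_demo() -> PlantService:
    # Constructed sample data: one plant owned by alice, one installer group.
    svc = PlantService()
    svc.plants["SN-0001"] = Plant("alice", {"installer"})
    svc.group_admins[1], svc.group_members[1] = {"installer"}, {"alice"}
    return svc
```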