Electricity is expensive, and the global economy hard looking for ways to improve their energy efficiency. In addition to solar and wind power plants in the world is an active construction of "smart" electricity distribution networks, so-called Smart Grid, which allow to use energy rationally. They are usually automated and connected to the Internet, causing a natural interest in their level of security.
Warning! All described in Article vulnerability transferred to manufacturers and they are eliminated, but can occur in operating systems
What are they made h4> Technology Smart Grid just getting ready to conquer the world. Now they are used mainly in household automatic climate control system, which introduced the simplest elements of "smart" grids. Such devices allow the end user to monitor and effectively use wind and solar energy, and in their absence to move to other sources. Dangerous if Smart Grid for progressive homeowners? To answer this question, we need to learn from some of the control components comprise such networks.
After a short fingerprint-study we found on the Internet traces embedded at least nine different manufacturers, which are constructed on the basis of Smart-Grid-system.
Statistics on Smart-Grid-microcontrollers i>
The most common family turned WindCube, but as a testing ground for experiments were selected more "intelligent" Soup another manufacturer in the online catalog which has a controller with a lot of promising features: Processor PowerPC, real time operating system RTOS, embedded web server, support FTP , Telnet, SSH, TCP / IP, HTTP, PPP.
We are looking for the smartest
Search the Internet Smart-Grid systems based on selected controllers did not cause much difficulty. Once again thank you to the official website of the manufacturer, which contains the name of the operating system and posted instructions according to which the device configuration settings from the family its owner can be found at ..... / ZZZ . After that we went on Google, where to get the modifier inurl, allows you to search information in the subdirectories of the site, and have introduced a combination of the names of the OS and ZZZ. In the end, we got a few pages with IP-address, subnet mask and the serial number of the device. But as part of any of these systems operate microcomputers?
As it turned out one of the found pages, platform researched labor, in particular, as part of monitoring systems photovoltaic installations Solar Sail (manufacturer name changed), which were extremely common. According to information from the developer, in the world there are more than 200,000 solar power plants and nearly 1 million inverters connected to the web server of the company.
Solar panels connected to the web server Solar Sail i>
Parse firmware Solar Sail h4>
Firmware Solar Sail «sectional» i>
After downloading the firmware for systems Solar Sail, we have seen how it looks like the file structure, search for "Dorca» (Google dorks) and configuration scripts that allow you to control the system. With strings and grep commands in the firmware header has been detected Solar Sail Client, which prompted the idea zaguglit URL-address inurl: Solar Sail-Client. In the end, we found a set of systems of private users and pages with data on energy consumption of different Smart-Grid-systems from Solar Sail. But this information may be of interest except to the supervisory authorities, but not to the attacker.
The data on electricity generation of different Smart-Grid-systems from Solar Sail i>
You can and no password h4> More interesting things were found in the admin panel. When studying adminok Solar Sail transpired interesting fact about 5% of systems do not require a password to login to the configuration page. The remaining 95% of the system password has been set, but the sense of it was not enough. Forming a simple query to a single configuration script, you can make the admin panel Solar Sail calmly give the backup configuration, download it to their local computer and remove the password.
Admin panel Solar Sail i>
With password decryption, which is in the index of 222, had some difficulties. HEX editor gave some rubbish, so we went the opposite way: looked at the unit, which was without a password, enter an arbitrary password (1234567890), save it, then downloaded the configuration file and seeing what it looks like in an encrypted form.
The backup configuration file i>
Similarly, you can make a list of all the necessary compliance of their passwords encrypted version.
Go ahead h4> To get to the configuration page, Solar Sail, as we can see, it turned out quite easy. From this page you can load the firmware of the device where to look in her curious artifacts. Incidentally, in the official documentation Solar Sail stated that the firmware update is password protected. However, we are faced with the need to enter the password only on one system, and it was very simple («Solar Sail»), coincided with the login and was unavailable for changing the normal user.
What's tomorrow? H4> Members 'smart homes' and mini offices connected to alternative energy sources, appear, in fact, beta testers systems Smart Grid. And developers are not spared too thrifty owners, allowing serious errors in the protection mechanism. In our case, anyone could choose one of the hundreds of thousands of owners of units Smart Grid Solar Sail from the Internet to bypass authentication (sometimes it is not required) to remotely install the defective firmware seize access to control parameters of the system, get into the other network segments. Possible physical effects, up to incapacitate inverters, fire and other unpleasant events.
If the power supply network of critical sites will intellectualize with the same speed as the level of risk may not be lower than in the case of the SCADA-systems, and the plot, where the attacker using the computer is disconnected from the power supply the whole city - would be realistic.
Author: Artem Chaykin