[ISN] Solar panel control systems vulnerable to hacks, feds warn

From: InfoSec News <alerts_at_private>
Date: Tue, 16 Oct 2012 00:47:06 -0500 (CDT)
http://arstechnica.com/security/2012/10/solar-panel-control-systems-vulnerable-to-hacks/

By Dan Goodin
Ars Technica
Oct 15 2012

The US Department of Homeland Security is warning of critical 
vulnerabilities in a computerized control system that attackers could 
exploit to sabotage or steal sensitive data from operators of the solar 
arrays that generate electricity in homes and businesses.

A slew of vulnerabilities in a variety of products, including the 
Sinapsi eSolar Light Photovoltaic System Monitor and the Schneider 
Electric Ezylog Photovoltaic Management Server, allow unauthorized 
people to remotely log into the systems and execute commands, warned the 
DHS-affiliated Industrial Control Systems Cyber Emergency Response Team 
(ICS-CERT) in a recent alert. Other vulnerable devices include the 
Gavazzi Eos-Box and the Astrid Green Power Guardian. Proof-of-concept 
code available online makes it easy to exploit some of the bugs.

The advisory is based on a report published last month that disclosed 
SQL injection vulnerabilities, passwords stored in plain text, 
hard-coded passwords, and other defects that left the devices open to 
tampering. According to researchers Roberto Paleari and Ivan Speziale, 
the vulnerable management server is incorporated into photovoltaic 
products from several manufacturers. Paleari told Ars the flaws were 
uncovered after Speziale purchased a Schneider Electric Ezylog device 
for his home that ran firmware version 2.0.2736_schel_2.2.6b.
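The report's two headline defects, SQL injection in the web login and 
passwords kept in plain text, combine into exactly the outcome described 
above: an unauthenticated attacker ends up with the administrator's 
session. The following is an added, generic illustration of that 
vulnerability class and its fix; it is not the firmware of any product 
named in the article, and the table layout, user name, password and 
function names are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data standing in for a device's web-admin user
# table. The schema, the 'admin' account and its password are invented
# for this example; they are not taken from any real firmware.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "Secret!2012"
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def make_vulnerable_db():
    """Plain-text password storage, as the advisory describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, 'admin')",
                 (SAMPLE_USER, SAMPLE_PASSWORD))
    return conn


def login_vulnerable(conn, user, password):
    """Login handler built by string concatenation.

    Attacker-controlled text becomes part of the SQL statement, so a
    user name such as  admin' --  comments out the password check and
    returns the admin row without knowing the password.
    """
    sql = ("SELECT role FROM users WHERE name = '%s' AND password = '%s'"
           % (user, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(stored, password):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def make_hardened_db():
    """Same table, but only a salted hash of the password is stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw BLOB, role TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, 'admin')",
                 (SAMPLE_USER, hash_password(SAMPLE_PASSWORD)))
    return conn


def login_fixed(conn, user, password):
    """Parameterised lookup plus hash verification.

    The user name travels as a bound parameter, never as SQL text, so
    quote characters and comment markers are just bytes in a string.
    The password is checked against the stored hash, so a database
    dump no longer yields usable credentials.
    """
    row = conn.execute("SELECT pw, role FROM users WHERE name = ?",
                       (user,)).fetchone()
    if row is None or not verify_password(row[0], password):
        return None
    return row[1]


if __name__ == "__main__":
    weak = make_vulnerable_db()
    print("vulnerable, injected name :", login_vulnerable(weak, "admin' --", "x"))
    strong = make_hardened_db()
    print("hardened, injected name   :", login_fixed(strong, "admin' --", "x"))
    print("hardened, real password   :", login_fixed(strong, "admin", "Secret!2012"))
```

Running the block prints the admin role for the injected user name 
against the vulnerable handler and None against the hardened one; the 
hardened handler still accepts the genuine credentials. Parameterised 
queries close the injection, and hashing closes the plain-text exposure 
that would otherwise let anyone who reads the database log in as 
everyone.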

"All the firmware versions we analyzed have been found to be affected by 
these issues," the researchers wrote. "The software running on the 
affected devices is vulnerable to multiple security issues that allow 
unauthenticated remote attackers to gain administrative access and 
execute arbitrary commands."

[...]

