DHS warns of vulnerabilities in a computerized control system for solar arrays that generate electricity in homes and businesses.
The advisory is based on a report published last month that disclosed SQL injection vulnerabilities, passwords stored in plain text, hard-coded passwords, and other defects that left the devices open to tampering. According to researchers Roberto Paleari and Ivan Speziale, the vulnerable management server is incorporated into photovoltaic products from several manufacturers.
Justin W. Clarke, an expert in the security of industrial control systems, told Ars the vulnerable devices are used to manage small to mid-sized photovoltaic installations in homes and businesses. In addition to providing monitoring capabilities, the devices can also allow users to control the solar equipment.
"If there's solar on a site that has a large-scale control system this is going to be sitting pretty close," said Clarke, who is a researcher with Cylance, a firm specializing in security of industrial systems. "So if this were at a factory and there were bigger control systems, I would not be surprised to see this in a position where you could exploit this device and then gain access to a protected control network."