July 28, 2014

What Is So Dangerous in Smart Grids?



Electricity is rising in price, and the world economy is looking for new ways to improve energy efficiency. In addition to solar and wind stations, everyone around the world is actively building Smart Grids allowing effective energy use. Because they are usually connected to the Internet, there is natural interest in their security level.

Smart Grid technology has only just begun to win over proponents from all over the world. Today, in their simplest form Smart Grids are used in residential climate control systems. Such devices allow end users to monitor and manage the use of the wind and solar energy, and to make use of alternative energy sources in their absence. Are Smart Grids unsafe for advanced housekeepers? To answer this question, we need to know what control components such grids consist of.

China invested $4.3 billion in Smart Grids in 2013, and worldwide the investment made up $14.9 billion. Pike Research predicts more than $46 billion to be spent on this technology by 2015. This forecast has found support among economists as well as ecologists. Greenpeace, by the way, believes Smart Grids to save our planet. 
Fingerprint utilities request a remote host for its family identity. The answer helps to determine an operating system or device modification.
After a small fingerprint research study, we traced the built-in systems served as a basis for Smart Grids of at least nine vendors on the Internet.

Statistics for Smart Grid microcontrollers

While the WindCube family was the most popular, our choice to experiment with another vendor's devices proved to be a smart decision. The vendor provides a controller with numerous advanced features online: PowerPC processor, RTOS, built-in web server, support of FTP, Telnet, SSH, TCP/IP, HTTP, PPP. 

In Search Of the Smartest 

Browsing the Internet for Smart Grid systems based on the controllers selected was relatively easy. Many thanks to the vendor's official website that specified the operating system of the device and guided us on how to study its configuration following the address http://...../ZZZ. We then used inurl to search for information in site subdirectories and Googled the name of OS and ZZZ. Finally, we found several pages with the IP addresses, subnet masks, and serial numbers of certain devices. Within what systems do these microcomputers work? 

Dorks are key words, URL or their parts that allow using search engines or web scanners to look for a path to a control panel or a page with errors.

One of the pages we obtained uncovered that the platform under research also runs as part of the systems that monitor photovoltaic generators called Solar Sail (we have changed vendor's name). Such generators turned out to be very popular. According to the developer, globally there are more than 200,000 solar power stations and almost 1,000,000 inverters connected to this company's web server. 


Solar panels connected to the web server of Solar Sail

Examining Solar Sail Firmware

With firmware for Solar Sail systems downloaded, we checked its file structure, looked for Google dorks and configuration scripts that provided system control. Such commands as strings and grep helped to detect the header Solar Sail Client, which spurred us to Google the URL inurl: Solar Sail-Client. As a result, we found numerous systems of individual users and pages with power consumption data for Solar Sail's various Smart Grid systems. However, this type of information would only be interesting to system supervisors.


Power generation data by Solar Sail's Smart Grid systems

You Can Go Without Passwords

Having studied Solar Sail's control panels, we found out that approximately 5% of the systems did not require passwords for access to the configuration page. The other 95% did require passwords, but they were of no use. With a query to a configuration script created, we could make the control panel return the configuration backup copy, upload it to our PC, and retrieve the password. 


Solar Sail control panel

However, we did encounter some problems when trying to decrypt the password, which is always indexed as 222. HEX often resulted in strange things, so we took a different approach: we set an arbitrary password (1234567890) on a non-password protected device, saved it, then downloaded its configuration file, and checked its encryption.. 


Configuration file backup copy

This is also the way to acquire all necessary passwords and their encrypted variants.

Let’s Look Further

You've already noticed it wasn't hard to access the configuration page of Solar Sail. The device firmware is available from this page. By the way, Solar Sail's official documentation says firmware updates are password protected. However, only one of the systems required a password, which was easy to guess ("Solar Sail"), and coincided with the login and was unavailable for ordinary users. 

What's Tomorrow?

In fact, users of smart houses and mini offices connected to alternative energy sources are beta testers of Smart Grid systems. Developers hardly have any mercy on thrifty owners making gross errors in protection mechanisms. In our case, anyone could pick up a user out of hundreds of thousands of owners of Solar Sail Smart Grids on the Internet, bypass authorization (sometimes it was not even required), install compromised firmware remotely, obtain access to system parameter control and penetrate other system segments. Controlling mechanical systems (disabling inverters, fire, and other unpleasant events) was also possible.

If we continue to move too hastily in making electrical systems more intelligent, the security risks may rise to the level of SCADA systems, and the stories about attackers using computers to disable electricity across an entire city may all be too real in the near future.

Author: Artem Chaikin, Lead Specialist of Web Applications Security Analysis Team

7 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete
  4. This comment has been removed by a blog administrator.

    ReplyDelete
  5. This comment has been removed by a blog administrator.

    ReplyDelete
  6. This comment has been removed by a blog administrator.

    ReplyDelete
  7. This comment has been removed by a blog administrator.

    ReplyDelete