Today, APIs power more of the modern internet than ever. Because they are so crucial, API vulnerabilities can have devastating consequences in every sector, including sustainable energy.
Like much of the modern connected world, Internet of Things (IoT) devices are powered by APIs. This extends to technologies used in both residential and commercial solar power systems, including one of the most widely used platforms: Solarman.
Bitdefender discovered the vulnerabilities in the inverters used by these solar companies to convert direct current (DC) energy into the alternating current (AC) energy used by the power grids.
“In grid-tied solar power systems, the inverter synchronizes the phase and frequency of the AC output with the grid… power distributors and governments see any deliberate attempts to bypass these grid safety measures as a threat to national security.”
The vulnerabilities found were Broken Function Level Authorization (BFLA), which can lead to abuse and fraud, and broken authentication. In this case, the abuse could impact both individual users and, on a larger scale, entire power grids.
According to Dark Reading, the weaknesses "gave attackers an avenue to take over millions of photovoltaic devices connected to Solarman and Deye's cloud-hosted management systems."
"The issue we discovered lies in the cloud APIs that connect the hardware with the user… These APIs have vulnerable endpoints that allow an unauthorized third party to change settings or otherwise control the inverters and data loggers via the vulnerable Solarman and Deye platforms.”
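The missing control behind a BFLA finding like the one described above is easiest to see in code. The following is an added example, not code from Bitdefender, Solarman or Deye: a cloud endpoint that changes an inverter's grid-protection setting, shown first with only an authentication check (the BFLA pattern) and then with function-level authorization that also ties the caller to the specific inverter. All account, token and inverter identifiers are constructed placeholders.

```python
import copy

# Constructed sample data: hypothetical tokens, accounts and inverters.
ACCOUNTS = {"tok-alice": ("alice", "owner"), "tok-inst": ("installer-1", "installer")}
INVERTERS = {
    "inv-1001": {"owner": "alice", "installer": "installer-1", "grid_protection": True},
    "inv-2002": {"owner": "bob", "installer": "installer-9", "grid_protection": True},
}
# Function-level allow-list: which roles may call which API function.
ALLOWED_ROLES = {"set_grid_protection": {"installer"}, "set_nickname": {"owner", "installer"}}

class AuthzError(Exception):
    pass

def fresh_store():
    """Return a private copy of the inverter table so calls do not share state."""
    return copy.deepcopy(INVERTERS)

def authenticate(token):
    """Map a session token to (user, role); raise when the token is unknown."""
    if token not in ACCOUNTS:
        raise AuthzError("unauthenticated")
    return ACCOUNTS[token]

def set_grid_protection_vulnerable(store, token, inverter_id, enabled):
    """BFLA pattern: verifies only that the caller is logged in. Nothing checks
    that this account may call a grid-protection function, or on this inverter."""
    authenticate(token)
    store[inverter_id]["grid_protection"] = enabled
    return store[inverter_id]

def authorize(token, function, store, inverter_id):
    """Fixed pattern: the caller must have a relationship to the inverter AND
    hold a role that is allowed to call this particular function."""
    user, role = authenticate(token)
    inverter = store.get(inverter_id)
    if inverter is None or user not in (inverter["owner"], inverter["installer"]):
        raise AuthzError("no relationship to this inverter")
    if role not in ALLOWED_ROLES[function]:
        raise AuthzError(f"role {role} may not call {function}")
    return inverter

def set_grid_protection_fixed(store, token, inverter_id, enabled):
    inverter = authorize(token, "set_grid_protection", store, inverter_id)
    inverter["grid_protection"] = enabled
    return inverter

def attempt_fixed(token, inverter_id, enabled):
    """True if the fixed endpoint accepts the call, False if it denies it."""
    try:
        set_grid_protection_fixed(fresh_store(), token, inverter_id, enabled)
        return True
    except AuthzError:
        return False

def demo():
    """An ordinary owner account tries to disable grid protection on someone
    else's inverter: returns (setting after vulnerable call, denied by fixed)."""
    vulnerable = set_grid_protection_vulnerable(fresh_store(), "tok-alice", "inv-2002", False)
    return vulnerable["grid_protection"], not attempt_fixed("tok-alice", "inv-2002", False)
```

The fixed version denies the call on two independent grounds (wrong role for the function, and no relationship to the object), so a failure of either check alone is still caught.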
In a previous blog post, we talked about how API security affects many critical public utilities and systems, such as water heating. Many users are unaware of the APIs that are used to power these systems, and without proper awareness and visibility, the APIs are often left unsecured and open to outside influence.
Critical systems such as Operational Technology (OT) and Industrial Control Systems (ICS) are now also using APIs.
In this instance, beyond simply affecting the users of Solarman, the Deye Cloud (or Ningbo Deye) was using the same API software and inverter technologies as part of its service. The issue is therefore a supply-chain one and may affect other providers as well.
Insecure APIs can also compromise personal security in systems such as connected cars and other services that gather users' personal information, including location.
In the case of Solarman and Deye Cloud, researchers determined that the vulnerabilities, if exploited, “would potentially have allowed an attacker to take down parts of any connected power grid.”
APIs are critical, not only for home systems such as hot water generators, but also for public utilities and solar panels. They send messages between applications, connect systems, and much more. However, the public at large is still unaware of the importance of APIs, and organizations are still playing catch-up with the APIs they create and the APIs that are part of their digital supply chain. Without proper visibility or monitoring, these APIs are much more likely to be exploited by bad actors.
API security is essential in the modern Internet of connected devices and systems. Secure your APIs with FireTail today. To learn how, try out our free tier or get a free, 30-minute demo here. Also, be sure to check out our connected car ebook for more on supply chain API vulnerabilities.