The Dutch Institute of Vulnerability Disclosure (DIVD) has reported that two Dutch hackers have discovered six new vulnerabilities in Enphase IQ Gateway devices, formerly known as Enphase Envoy.
Wietse Boonstra and Hidde Smit of DIVD reported the vulnerabilities to Enphase on April 17, 2024. Enphase responded the next day and began working with the researchers. The vulnerabilities are being addressed and are expected to be resolved in the next product release.
DIVD said it continues to work with Enphase to identify the remaining vulnerable and exposed Envoy IQ gateways around the world to facilitate the patching process. However, it says that a device is only vulnerable if the Enphase equipment is exposed “to an untrusted network, such as the public Internet or a home network.”
On August 12, the Netherlands Enterprise Agency released a report on vulnerabilities in Dutch solar energy systems. The study outlines three potential cyber attack scenarios on solar energy installations, involving actors ranging from hackers to malicious companies. It also evaluates mitigation strategies to prevent or reduce the impact of such attacks.
The three scenarios are summarized as follows:
- A ransomware gang could abuse cloud portals to take over accounts of major installers and extort solar farm operators.
- Criminals could access and damage inverters via an online software update, especially if tens of thousands of inverters with default passwords are hacked by a botnet.
- A state entity could target supply chains and use cyber weapons to attack vital infrastructure by seizing equipment amid rising geopolitical tensions.
“At DIVD we sincerely hope that preventive measures are taken to address vulnerabilities and weaknesses before a disaster occurs. We have already discovered and reported numerous vulnerabilities in charging stations and their backends,” says researcher Harm van den Brink. “And according to a study into the impact of a hack of the charging infrastructure by Berenschot, a power outage would cost us at least several billion euros per day in the Netherlands.”