Two "ethical" hackers from the Dutch Institute of Vulnerability Disclosure (DIVD) have identified six vulnerabilities in Enphase IQ Gateway devices. The researchers are now working with the US inverter manufacturer to address the bugs in the next version of the product.
The Dutch Institute of Vulnerability Disclosure (DIVD) has reported that two Dutch hackers have discovered six new vulnerabilities in Enphase IQ Gateway devices, formerly known as Enphase Envoy.
US-based microinverter maker Enphase produces electronic devices that enable communication between rooftop PV system microinverters and its cloud-based monitoring software.
More than 4 million devices in 150 countries were thus exposed to the potential for malicious takeover. The combination of three of the six vulnerabilities could have allowed potential attackers to take full control of Enphase IQ gateway and PV systems.
Wietse Boonstra and Hidde Smit of DIVD reported vulnerabilities to Enphase on April 17, 2024. Enphase responded the next day and began collaborating with the researchers. The vulnerabilities are being addressed and are expected to be resolved in the next product version.
DIVD said it continues to work with Enphase to identify the remaining vulnerable and exposed Envoy IQ gateways throughout the world, in order to facilitate the patching process. However, it said that a device is only vulnerable if the Enphase equipment is exposed “to an untrusted network, such as the public Internet or a home network.”
Enphase has not yet responded to pv magazine‘s request for more details on the issue.
DIVD raised concerns about a “worrying increase in vulnerabilities” amid the rapid energy transition. As smart grids and Internet of Things devices are integrated, the sector faces greater risk, likely due to innovation outpacing security measures.
“Given the importance of the sector, prioritizing cybersecurity is essential to guard against these growing threats,” DIVD said.
On Aug. 12, the Netherlands Enterprise Agency (Rijksdienst voor Ondernemend Nederland) released a report on vulnerabilities in Dutch solar energy systems. The study outlines three potential cyberattack scenarios on solar installations, involving actors ranging from hackers to malicious companies. It also evaluates mitigation strategies to prevent or reduce the impact of such attacks.
The three scenarios are summarized as follows:
- A ransomware gang could exploit cloud portals to take over accounts of large installers and extort solar park operators.
- Criminals might access and damage inverters through an online software update, especially if tens of thousands of inverters with default passwords are compromised by a botnet.
- A state-run entity could target supply chains, using cyber-weapons to attack vital infrastructure by seizing equipment amid rising geopolitical tensions.
“At DIVD, we sincerely hope that preventive measures will be taken to address vulnerabilities and weaknesses before a disaster occurs. We have already discovered and reported numerous vulnerabilities in charging stations and their backends,” said researcher Harm van den Brink. “And according to a study on the impact of a hack of the charging infrastructure by Berenschot, a power outage would cost us at least several billion euros per day in the Netherlands.”