Solar panels expose dwelling WiFi networks to password theft, distant assaults

0
24
Solar panels expose home WiFi networks to password theft, remote attacks

Charlie Osborne March 06, 2020 at 11:48 UTC

Updated: May 11, 2020 at 7:33 AM UTC

Omnik solar inverters have serious security gaps and are therefore vulnerable to DNS rebinding attacks

A security researcher has shown how DNS rebinding attacks can be used to compromise private WiFi networks through connected solar panel devices.

On March 1st, Torben Capiau described in a blog post how a DEF CON talk about DNS rebinding in 2019 inspired him to try similar attacks on his home network.

After choosing his Omnik [non-HTTPS link] Capiau, targeting the solar panel inverter’s web interface, found that doing a DNS rebind was all too easy and potentially opened thousands of similar home installations to attack.

What is DNS rebinding?

By rebinding DNS, a browser becomes a channel to attack private networks. For example, after visiting a malicious link or receiving advertisements, attackers could bypass firewalls to compromise a victim’s browser and use it as a proxy to communicate with devices on a private network.

It does this by tricking a victim into visiting an attacker-controlled domain whose IP address was changed after malicious JavaScript was loaded. This results in browsers communicating with the wrong servers and bypassing policies with the same origin.

So what?

Ultimately, this can lead to devices that rely on UPnP (Universal Plug and Play) and pure HTTP communication behind a firewall being compromised remotely.

Researchers expect this form of attack to grow in popularity over time as botnet operators attempt to seize low hanging fruit in the form of IoT devices like thermostats, lights, and appliances.

DNS rebinding made it into PortSwigger Web Security’s top 10 web hacking techniques of 2019, as voted by the Infosec research community.

In Omnik’s case, this technique was possible because standard login information – admin / admin – was available.

To make matters worse, the open WiFi access point used for initial setup was not disabled, leading Capiau to believe that there are likely many installations with the same basic security issue.

Conceptual evidence

To carry out the DNS rebinding attack, Capiau bought a cheap domain and server and changed the DNS records before cloning the Singularity GitHub repo used in the DEF CON demonstration to its server.

After writing and deploying JavaScript exploit code, Capiau tested the attack against its solar inverter.

In tests, it took anywhere from 14 seconds to 1 minute and 20 seconds to get its WiFi SSD and password credentials in clear text. The attack could also be used to tamper with the inverter’s firmware and upload malicious code.

“The exploit can be automated by either guessing a visitor’s local IP range and using JavaScript to find websites in that range, or by using a local IP leaked by WebRTC and scanning the / 24 range of that IP,” noted Capiau.

Fully charged

The Capiau solar inverter used was one of 12,000 solar modules offered as part of a local program in Belgium.

It is not known how many devices are affected internationally in total.

According to Capiau, the DNS rebinding problem is just one of many security problems in the web interface of the Omnik solar panel.

“The open WiFi network for initial configuration was never disabled and the default credentials were never changed,” says Capiau.

“I can drive to any home that I know has one of these inverters, connect to the open network, navigate to the inverter’s website, log in with standard credentials, and view your WiFi credentials.”

At the time of writing, it is not clear whether the security issues have been fixed or not.

In the meantime, it is recommended that Omnik inverter owners change their passwords and disable disabling the initial WiFi network configuration.

The daily sip contacted Omnik with additional questions and will update as soon as we hear something.

CONTINUE READING From DNS hijacking to domain fronting, SANS security professionals offer a look back at the 2019 threat predictions

LEAVE A REPLY

Please enter your comment!
Please enter your name here