Snooping where the sun doesn’t shine

I recently purchased a SolarEdge inverter for home use. The advantage of this type of inverter is that it can be upgraded to work with a Tesla PowerWall:

If you’re not familiar with SolarEdge they are one of, if not the, biggest solar inverter manufacturers in the world, with a revenue of $325M in 2015.They have sold around 400,000 inverter units, and have around 20,000 users registered on their portal.

The portal

The inverter unit has a corresponding on-line monitoring platform which I’ve found really useful. It shows you things like energy generated and revenue estimates:

The problem

Obviously because I’m a security researcher I dived in to looking at how this web app was built. It turns out the site ID (fid) was passed as a URL parameter when requesting a CSV file. So, with permission from another user, it was trivial to access their data.

With a change to the site ID, it was possible to download their current and historic power output along with temperature and humidity information.

I imagine it would be possible to brute-force the site ID to download the data for all users registered on the monitoring portal, although I didn’t go that far.

For reference here’s that URL parameter outlined in red:

This is what could be modified to that of another user so that their data that is returned in the response.

The outcome

I brought these issues to the attention of SolarEdge on 24 March 2016, and by 14 April 2016 they had fixed it.

Compared with so many other IoT device manufacturers this is an impressive turnaround time. They clearly take the security of customer information seriously, and it was a pleasure to help them.

…they also sent me some goodies as a Thank You!

Finally, I want to thank Peter Randall of solarkingdom.co.uk for his assistance.