DIVD responsibly discloses six new zero-day vulnerabilities to vendor

The Hague, Netherlands – Aug 12, 2024 by Serena de Pater and Marieke Smits

About the case

DIVD researchers have discovered and, in collaboration with the vendor, disclosed six new zero-day vulnerabilities in Enphase IQ Gateway devices. This investigation was conducted by Wietse Boonstra and Hidde Smit, both researchers at DIVD, under case DIVD-2024-00011.

Additionally, DIVD has independently assigned CVE IDs (Common Vulnerabilities and Exposures IDs). This highlights DIVD’s role as a CVE Numbering Authority (CNA), which distinguishes it from other similar organisations.

The six vulnerabilities were reported to Enphase by the DIVD team, and Enphase has addressed them in their next release, which they are currently rolling out to their customers. DIVD is working with Enphase to identify vulnerable and exposed Envoy IQ Gateways globally to assist with the patching process. 

Impact 

Combining the first three of the six vulnerabilities enables unauthenticated attackers to take full control of the Enphase IQ Gateway and the connected devices. A device is only vulnerable if it is exposed to an untrusted network, such as the public internet or a home guest network. The manufacturer, Enphase, states that it has about four million systems deployed in more than 150 countries.

The energy sector is crucial to our daily lives, yet we’re seeing a concerning rise in vulnerabilities, especially with the rapid energy transition. As new technologies like smart grids and IoT devices are integrated, the sector’s exposure to risks increases. This surge in vulnerabilities likely stems from the fast-paced innovation that often outstrips security measures. Given the sector’s importance, it’s vital to prioritize cybersecurity to safeguard against these growing threats.

In 2022, DIVD researcher Jelle Ursem found a GitHub repository that contained SolarMan’s Super Admin account login details. These were visible to anyone who visited the page and could have allowed cybercriminals to manage around 1 million solar panel inverters globally, which thankfully did not happen due to responsible disclosure. 

“At DIVD, we sincerely hope that preventive actions are taken to address vulnerabilities and weaknesses before any disaster occurs. We already found multiple vulnerabilities at charge points and their backends, which we reported. And according to research on the impact of a hack on the charging infrastructure by Berenschot, a blackout would cost us at least multiple billions of euros each day in the Netherlands.” - Harm van den Brink (Researcher Energy)

On Monday, August 12, 2024, the Dutch Enterprise Agency (Rijksdienst voor Ondernemend Nederland) published a report about an investigation into vulnerabilities in Dutch Solar Power systems, performed by Secura on behalf of the Netherlands Enterprise Agency, at the request of and in collaboration with the Top Sector Energy.

Lastly, on Wednesday, August 7th, another report was published by Bitdefender listing vulnerabilities in solar farms in the U.S.

“Hypponen’s law also seems to apply to the energy transition: If it is “smart” it is vulnerable. So far, every solar power or charging station system that was investigated by DIVD contains some kind of serious vulnerability. DIVD is actively seeking publicity with these cases because in addition to a technical problem, a public concern is now emerging.” - Frank Breedijk (CSIRT Manager)

If you would like to contribute to DIVD’s mission, your donations are more than welcome. You can also sign up as a volunteer and offer your time and skills here.

Make sure to follow us on LinkedIn and X (formerly known as Twitter) and take notice of every important update.