Almost everything is being hooked up to the internet currently to provide useful and cool functionality but is that a good idea? Based on how poorly vendors support their Internet of Things things, definitely not. You could be putting yourself at serious risk.
Network engineer and software developer Josh Bailey installed an AlphaESS Storion S5 grid-connected solar power system at his house. The Storion S5 is common in Australia and sold in New Zealand and globally as well.
Long story short, being curious, Bailey checked what the solar power system sends to the AlphaESS cloud and how. To his dismay he found the data was transmitted to the AlphaESS cloud unencrypted via the hostile internet.
The unencrypted data included system passwords (including AlphaESS's own credentials for the cloud service), physical location and telemetry data, and Bailey's phone number.
By connecting the system to the internet Bailey found himself with a solar powered hackable house that's hooked up to the mains grid.
Not securing the data could allow attackers to cause the AlphaESS cloud app to malfunction by feeding it bogus information Bailey says. This could affect many users in other countries as well.
Finding the vulnerability is dead simple and requires no special technical skills. There are websites that let users run internet-wide scans to discover amongst other things solar power systems from many different makers that expose customer data and their control interfaces to every person and their dog.
Bailey did the right thing and contacted the retailer he purchased the system from who were very helpful but couldn't do anything, and AlphaESS which ignored his report and closed the support ticket.
He then discovered that it's possible to remotely run code on the system (a type of flaw that's behind many ransomware and bot attacks). The AlphaESS website appears to be designed with poor security as well, allowing users to see other customers' data stored there.
Juha Saarinen: Don't keep quiet about ransomware attacks
Leaving the vulnerabilities open to exploitation was clearly not a satisfactory state of affairs. How do insurance companies feel about customers connecting vulnerable power systems to their houses for example? What would happen to a literally vulnerable, unwell customer whose power system is hacked and shut down?
There is actually an official channel now to report issues such as these: the government-run Cyber Emergency Response Team. It was set up late in the game in 2017 and is "responding to cyber security threats in New Zealand".
On November 9, Bailey reported the issue to CERT NZ as individuals and businesses are encouraged to do, but did not get a response.
Late January, Bailey contacted me about the vulnerability and provided technical details of it. I asked CERT NZ why they hadn't responded, and what the cyber security agency had done about what appears to be a reasonably serious flaw.
After initially being promised a chat with the operations manager at CERT NZ the door slammed shut.
"CERT NZ does not disclose information about reports made by individuals or organisations to maintain the privacy of those who report, the security of the systems they report about and the integrity of the intent of the service.
We would encourage you to speak to the person or organisation who made the report if you are seeking information about a particular report," CERT NZ's director Rob Pope told me.
After my enquiry, Bailey received an apology from CERT NZ for the lack of response (something to do with email problems at the agency).
CERT NZ had also tried to contact AlphaESS to no avail, and been in touch with its Chinese colleagues which is good, but so far there's been no advisory for New Zealand solar power system customers.
The cyber security agency has a social media stream on Twitter with animated GIFs in almost every tweet. In the tweets, CERT NZ provides the sort of general common sense advice you see everywhere else.
CERT NZ drops very little information on Twitter as to the current threats we should look out for though which seems odd.
Going back to insecure grid-connected solar power systems, even though it can't fix them, CERT NZ could perhaps create some awareness around the issue?
Social media is probably a good place for that and CERT NZ has over 3,500 followers on Twitter which would amplify the message.
Some advice from CERT NZ that local users of solar power systems might find useful would be to only pick vendors that support their products for at least over the next five to ten years or longer.
Taking stock of the situation, and I'm sure CERT NZ has seen plenty of alerts and advice on this from overseas colleagues and security vendors, a general recommendation that solar power customers don't connect systems that they cannot ascertain are secure to the internet might not go amiss.
We can do better here, and not accept an Internet of Horrendously Insecure Things.
Pope said that during the last quarter of 2019, CERT NZ received a total of five vulnerability reports which seems very few. I write about gaping security holes and privacy breaches at least once a week so perhaps people aren't aware that they can report vulnerabilities to CERT NZ?
If more people provide accurate, detailed and replicable security reports, it might encourage CERT NZ to become more active and animated with its mission, which is to prevent the things this column is talking about.
Meanwhile, if you have a solar power system of any brand, check with the vendor and/or distributor about the security of it. If you don't get unequivocal assurance that it is secure and actively updated, disconnect it from the internet.