US Cyber Security Agency Issues Enphase Warnings
SolarQuotes readers may not be familiar with America’s Cyber and Infrastructure Security Agency (CISA), so let me introduce you: CISA is the operational lead for American cybersecurity, collaborating with other organisations like the National Security Agency, the FBI, and international cyber security agencies.
One of its roles is to publish advisories alerting industry and users to security issues in critical infrastructure systems, and this week, CISA published two warnings relevant to Enphase products: the Envoy communication gateway, and the Installer Tookit Android app.
As Enphase puts it,
“the Enphase Envoy is a communications gateway that collects information about how your system is performing and transmits that information over the Internet to MyEnlighten.”
The problem for customers and the industry is that one version of the Envoy, D7.0.88, has a security bug that could let an attacker take over control of the gateway. As CISA puts it:
“Successful exploitation of this vulnerability could allow an attacker to gain root access to the affected product.”
“Root access” are the key words here: it means someone can, over the Internet, execute Envoy commands as if they had full access to the product.
So far, CISA said, Enphase hasn’t responded to requests that it work with the agency.
Until the company patches the software, CISA recommends systems be blocked from using the Internet – which means it can’t send data to the MyEnlighten system.
Installer Toolkit
The Installer Toolkit is an Android app that gathers site and system data when installers are configuring a new customer. Enphase describes it as a prerequisite for Ensemble installations.
CISA’s advisory said a security researcher identified only by the pseudonym “OBSWCY3F” found that versions prior to 3.27.0 have “hardcoded credentials” – in other words, the app comes with a user account where user name and password are written into the software.
The risk, CISA said, is information disclosure – that information stored in the app could be available to a successful attacker.
As well as not exposing the app to the Internet – which is a tough call! – CISA says users should get in touch with Enphase for support.
Infosec is Important
It’s more than two years since we first remarked that the solar industry needs to take cyber security seriously.
In Australia, security regulation is looming.
To date, laws like the Security of Critical Infrastructure Act haven’t been applied to home solar PV installations, but there is at the very least, the possibility of SoCI regulation in the future.
Meanwhile, the government is consulting about cyber security regulation, a consultation that could bring new commonwealth cyber security legislation.
Which makes this a good time for the industry to work out how to deal with cyber security in products and services.
