Ryan Castellucci's Solar Install Gives Rise to a Surprise Project: "Hacking a Virtual Power Plant"

Computer security researcher Ryan Castellucci got a surprise while investigating a newly-installed battery-backed solar energy system — when experiments in automation resulted in "hacking a virtual power plant."

"I recently had solar panels and a battery storage system from GivEnergy installed at my house. A major selling point for me was that they have a local network API [Application Programming Interface] which can be used to monitor and control everything without relying on their cloud services," Castellucci explains. "My plan is to set up Home Assistant and integrate it with that, but in the meantime, I decided to let it talk to the cloud. I set up some scheduled charging, then started experimenting with the API. The next evening, I had control over a virtual power plant comprised of tens of thousands of grid connected batteries."

Most home-scale solar harvesting systems come with support for monitoring and control over the internet, typically relying on connectivity to the vendor's cloud service. Some, though not all of these, also support local control — and a sadly small percentage let you get at the local control, for connection to systems like Home Assistant, without having to heck your way to it. Castellucci's system is one of these, providing an API for local use — which uses generated JSON web tokens (JWTs) for authentication.

"[The key is] signed with an RSA+SHA-256 [algorithm]," Castellucci explains. "In the past, some JWT implementations allowed verification to be bypassed by changing the algorithm to 'none,' so I tried that. It didn’t work, which was a relief. That signature though… 64 bytes? At eight bits per byte that’s 512 bits. But that would mean an easily crackable 512 bit RSA key. I hoped this wasn't as bad as it seemed. Perhaps each account had a different key?"

Sadly, the key proved as crackable as Castellucci feared — with recovery achieved in just a few hours with $70 in cloud compute resources. Keys signed using the recovered key worked fine for Castellucci's own account — and, sadly, for everyone else's account. "The account IDs seemed to be sequential, so I could just change that and access any of them," the researcher explains. "I had another look at the API documentation and saw there were some methods limited to 'engineer+'. Plus? I tried setting the account ID to '1', figuring it’d probably be an admin account. Indeed it was, and seemingly subject to no permissions checks, as I could access data for my own system from it. All your battery are belong to us."

Castellucci reported the flaw, which gave anyone who performed the same steps full admin-level access to every battery system connected to GivEnergy's cloud, to the vendor — which took the issue seriously, fixed the hole, and moved to a more secure 4,096-bit RSA key. "Our agility – with our fully insourced product development – enabled us to investigate, understand, and fix the newly identified security flaw in production within six hours of it being reported," the company boasts. "Not months, not weeks, not days. Hours."

The full write-up is available on Castellucci's blog; GivEnergy's response is on the company website.