Solar Power Firm Patches Meters Vulnerable to Command Injection Attacks

Locus Energy has patched 100,000 of its residential and commercial power meters that were vulnerable to command injection attacks and code execution.

Solar software and analytics firm Locus Energy has pushed out a patch to its residential and commercial power meters to address a vulnerability that could allow hackers to access equipment and remotely execute code.

According to independent security researcher Daniel Reich, who privately disclosed the flaw to Locus Energy in January, the bug is a command injection vulnerability that allows hackers to hijack vulnerable solar meters.

Locus Energy told Threatpost all known vulnerable LGate series meters have been sent a patch.  It said meters are only vulnerable to attack if they have been placed on a public IP address, such as directly connected to a cable/DSL modem.

“(Meters) are not vulnerable if they have been placed behind a router, unless the attacker has direct access to the LGate or the local network. Additionally, the vulnerability does not allow any compromise of Locus Energy’s servers or platform. Only the specific LGate in question is affected,” wrote Locus Energy in a statement.

On Wednesday, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory regarding the vulnerability. According to CERT, Locus Energy meters use a PHP script to manage the energy meter parameters for voltage monitoring and network configuration. “The PHP code does not properly validate information that is sent in the POST request,” CERT writes.

The affected LGate meters include those built prior to the release of firmware version 1.05H. Impacted are LGate models 50, 100,  101, 120 and 320.

Reich said the vulnerability could have allowed a hacker to easily manipulate metering data to boost solar credits earned. Or, he said, an attacker could hack multiple systems to spoof power levels of solar arrays reporting back to a power grid. Lastly, hackers could enlist hijacked meters into DDoS botnets, he added. He estimated 100,000 Locus Energy meters will need to be patched.

“It is our highest priority to continue to deploy the firmware update to all units with their Ethernet port in use,” Locus Energy said.

Reich said that the vulnerability is tied to hardcoded default passwords used on LGate meters. “Anyone who knows the port number and has watched the Locus Energy tutorial on YouTube on how to use them – which discloses the default password – could have accessed any one of these meters,” he said.

Mitigation by Locus Energy includes only activating external communications when an LGate meter “phones home” to report energy data, according to Reich. Locus Energy is instructing customers to power cycle their LGate meters, wait five minutes and verify the meter firmware has been updated to version 1.05H_EM3 or above.

Suggested articles