Advisory ID: SYSS-2024-012
Product: mySolarEdge Android app
Manufacturer: SolarEdge Technologies
Affected Version(s): 2.20.0.2200004, 2.19.1.2190102
Tested Version(s): 2.20.0.2200004, 2.19.1.2190102
Vulnerability Type: Improper Certificate Validation (CWE-295)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2024-03-01
Solution Date: 2024-03-05
Public Disclosure: 2024-03-21
CVE Reference: CVE-2024-28756
Author of Advisory: Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The mySolarEdge Android app is a mobile app to monitor and manage a
photovoltaic system with an inverter from SolarEdge.

The manufacturer describes the product as follows (see [1]):

"Know more and do more with your everyday energy through the mySolarEdge
app for homeowners. Manage and control your solar, battery storage, EV
charging and more, all from the palm of your hand - anytime, from
anywhere."

Due to missing certificate validation, mySolarEdge is vulnerable to
machine-in-the-middle attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Android app uses HTTPS to connect to the cloud endpoints. When
establishing a connection, the presented X.509 server certificate is not
verified. The app also establishes the connection if a self-signed
certificate is presented.

An attacker in a machine-in-the-middle position can therefore read and
alter all data transferred from and to the SolarEdge cloud. This includes
the position of the photovoltaic system and the energy consumption of the
household.
The affected endpoints are the following:

- https://api.solaredge.com
- https://ha.monitoring.solaredge.com
- https://monitoring-mfecdn.solaredge.com
- https://monitoring.solaredge.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Forward all traffic of the Android smartphone with the app installed to
listening port 8082 of a proxy, e.g. use certmitm (see [4]).

$ python3 certmitm.py --listen 8082
CRITICAL - 192.168.104.122: 66.22.36.207:443:monitoring.solaredge.com for test self_signed = data intercepted!
CRITICAL - 192.168.104.122: 66.22.36.212:443:api.solaredge.com for test self_signed = data intercepted!
CRITICAL - 192.168.104.122: 66.22.36.149:443:ha.monitoring.solaredge.com for test self_signed = data intercepted!
CRITICAL - 192.168.104.122: 18.173.205.102:443:monitoring-mfecdn.solaredge.com for test self_signed = data intercepted!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install version 2.20.1.2200102 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-10-20: Vulnerability discovered
2024-03-01: Vulnerability reported to manufacturer
2024-03-05: Patch released by manufacturer
2024-03-21: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for mySolarEdge
    https://www.solaredge.com/us/products/software-tools/mysolaredge
[2] SySS Security Advisory SYSS-2024-012
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-012.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] certmitm
    https://github.com/aapooksman/certmitm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger of SySS GmbH.
E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
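Added example, not part of the SySS advisory or of the certmitm project: a small Python helper that parses certmitm result lines in the format quoted in the PoC section above and compares the intercepted hostnames against the advisory's affected endpoint list, so a re-test of the fixed version can be checked endpoint by endpoint. The sample lines are constructed from the PoC output, and the regular expression assumes the exact line format shown there.

```python
import re
from collections import defaultdict

# Matches the result line format quoted in the PoC; any other certmitm
# output is ignored (assumption: the format is stable across runs).
RESULT_RE = re.compile(
    r"^CRITICAL - (?P<client>\S+): (?P<server_ip>[^:\s]+):(?P<port>\d+):"
    r"(?P<host>\S+) for test (?P<test>\S+) = data intercepted!$"
)

# The endpoints listed as affected in this advisory.
AFFECTED_ENDPOINTS = {
    "api.solaredge.com",
    "ha.monitoring.solaredge.com",
    "monitoring-mfecdn.solaredge.com",
    "monitoring.solaredge.com",
}

def parse_intercepts(output):
    """Return {hostname: {test_name, ...}} for every intercepted connection."""
    intercepted = defaultdict(set)
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            intercepted[m["host"]].add(m["test"])
    return dict(intercepted)

def compare_to_affected(output, expected=AFFECTED_ENDPOINTS):
    """Split the expected endpoints into those still intercepted and those
    that rejected every test; hostnames outside the list are reported too."""
    intercepted = parse_intercepts(output)
    return {
        "still_vulnerable": {h: sorted(t) for h, t in intercepted.items() if h in expected},
        "now_rejecting": sorted(expected - set(intercepted)),
        "unexpected": sorted(set(intercepted) - expected),
    }

# Constructed sample: three of the four PoC lines, i.e. a run in which
# ha.monitoring.solaredge.com no longer accepted the self-signed certificate.
SAMPLE_OUTPUT = """\
CRITICAL - 192.168.104.122: 66.22.36.207:443:monitoring.solaredge.com for test self_signed = data intercepted!
CRITICAL - 192.168.104.122: 66.22.36.212:443:api.solaredge.com for test self_signed = data intercepted!
CRITICAL - 192.168.104.122: 18.173.205.102:443:monitoring-mfecdn.solaredge.com for test self_signed = data intercepted!
"""

if __name__ == "__main__":
    for key, value in compare_to_affected(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

A fixed build should leave "still_vulnerable" empty and list all four endpoints under "now_rejecting".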