
A Practical Analysis of Cyber-Physical Attacks Against Solar Photovoltaic Generation in Europe




In 2024, the focus was on nuclear energy with "A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors", and this year it is the turn of solar photovoltaic generation, completing the coverage of the carbon-free energy sources I consider crucial for Europe's energy sovereignty. 

I hope it will be useful and interesting, just as the previous one was for some people.

The paper is structured to facilitate a linear reading and understanding by a variety of readers, although a minimal technical background is assumed. 

What will you find in this paper? A mix of theory and practice.

An introduction that describes the technical characteristics, from both the cyber and the physics perspectives, of photovoltaic generation, grid-following inverters, and power grids, as required to understand the subsequent cyber-physical attack scenarios.

“Cyber-physical Attacks on Solar Inverters” characterizes the type of impact a successful exploitation of grid-following inverters can have on the power grid. It also contains a comprehensive analysis of those aspects of the Iberian blackout that could realistically be replicated through cyber means.

“Responsible Disclosure and Vulnerabilities” details real-world vulnerabilities discovered as part of this research in products from some of the largest European inverter manufacturers, such as Siemens, Ingeteam, and Fimer.

The number of impacted inverters is in the tens of thousands, representing tens of GW of generation.

Download PDF


