Tens of thousands of solar panel installations in the Netherlands and a million worldwide were vulnerable to sabotage.A Chinese company that supplies inverter monitoring software left a password for an online control panel lying around the internet.Malicious persons could have disabled the devices or modified the software, creating a fire hazard.The Dutch hacker Jelle Ursem discovered the password in April 2021. At that time, the login details had been publicly available online for more than a year and a half.Anyone who knew where to find them could access the administrator panel of the Chinese brand SolarMAN.Inverters are needed to convert generated electricity into usable electricity.Without these devices, solar panels are useless."A password that was accessible to everyone. We're not that stupid, are we?" says Aiko Pras, professor of internet security at the University of Twente."So it happens anyway. The mistakes are even dumber than you can imagine."Hacker Ursem notified the Chinese company last year, after which the password would be changed quickly.But when the ethical hacker tries to log in again with the old password in February this year, he just comes back in.It is very unprofessional that the Chinese company treats its security in this way, says professor Pras.In the online environment of SolarMAN you can see exactly where the inverters are located.In the Netherlands there are more than 40,000 places.Worldwide, this involves more than a million locations, mainly in China and Australia.It was also possible to download, adjust and upload the technical controls of the devices to the inverters, says Frank Breedijk of the Dutch Institute of Vulnerability Disclosure (DIVD) to RTL Nieuws."If you can adjust the software of the devices, you can do nasty things," says Georgios Smaragdakis, professor of cybersecurity at TU Delft.This way you could turn off the devices remotely.As a result, you can no longer use generated solar energy for your own home or feed it back into the power grid.Expensive solar panels are therefore useless.The Dutch Institute for Vulnerability Disclosure (DIVD) is an organization of hackers and security researchers who want to make the internet safer.They do this by informing companies and organizations about vulnerabilities present.In this case, the DIVD collaborated with the National Cyber ​​Security Center (NCSC) of the Dutch government.He contacted the Chinese authorities in February and April to reach the company behind SolarMAN.On July 2, the password was changed again and the page where it was online was removed.SolarMAN says in a response to RTL Nieuws that it was only aware of the matter at the beginning of July.If a malicious person controls enough inverters, it would also be possible to strain the power grid."With tens of thousands of devices, probably spread all over the Netherlands, it was difficult to really damage the power grid in this case," says Smaragdakis."You'll need hundreds of thousands for that."That does not mean that there was no danger."A hacker can adjust the security settings around the voltage in such a way that the thing catches fire," says Pras of the University of Twente.The Telecom Agency confirms the vulnerabilities mentioned.If devices are not properly secured, people can lose income from solar energy, among other things.The regulator also points out the risk of fire and, in the worst case, blackouts on the power grid."If the inverter is connected to your own WiFi network, a hacker can also shut down your internet," says the internet security professor."If you can completely reprogram an inverter, you can also break it or exclude the supplier," says Breedijk of the DIVD, who presented the case today on a stage at a hackers festival in Zeewolde."Actually, you can make the device dance to your liking."It is not the first time that equipment around solar panels has turned out to be vulnerable.In 2017, hacker Willem Westerhof showed at the same hacker festival that he could hack a German manufacturer of inverters."I then consciously went looking for a company that, in my opinion, would be the best secured," the hacker recalls."I wanted to show that the situation with the rest would probably be much worse."It won't be the last time, experts predict."It's naive to think that this is the only manufacturer that handles security unprofessionally," says Pras."There is a good chance that we will see this more often," says Smaragdakis of TU Delft."Next time it might be a hack of hundreds of thousands of devices."Smaragdakis: "Unfortunately, more and more devices are connected to the internet. That's where the problems start. Anyone from all over the world can connect to it.""That's the problem," says Westerhof."This shows that someone who can do a little Googling can suddenly get into our devices. That could be anyone who wants to cause damage. This is getting more and more dangerous."SolarMAN says in a response that the password only gave access to a test environment.Nevertheless, data from real customers could be seen there, such as the municipality of Vlissingen.He says that he has disconnected the inverters from the internet.The Chinese company confirms that it was indeed possible to upload its own software for inverters on the online platform, but indicates that there were additional safeguards to take control.As a result, it would not be possible to adapt the inverters.As far as is known, the incident did not cause any real damage and the leak has now been closed.SolarMAN indicates that it is working with the DIVD to make their products safe.Always know what's going on?Download the free RTL Nieuws app and stay informed.