Omnik solar inverters contain severe security holes, leaving them susceptible to DNS rebinding attacks
A security researcher has demonstrated how DNS rebinding attacks can be used to compromise private WiFi networks through connected solar panel equipment.
On March 1, Torben Capiau described in a blog post how a 2019 DEF CON talk on DNS rebinding provided the inspiration for him to try out similar attacks on his home network.
After selecting his Omnik solar panel inverter’s web interface as a target, Capiau found that performing DNS rebinding was all too easy, opening up potentially thousands of similar home installations to attack.
What is DNS rebinding?
DNS rebinding turns a browser into a conduit to attack private networks. After visiting a malicious link or being served malvertising, for example, attackers can bypass firewalls to compromise a victim’s browser and use it as a proxy to communicate with devices on a private network.
This is achieved by luring a victim to visit an attacker-controlled domain whose DNS record is switched to a private IP address after the malicious JavaScript has loaded, tricking the browser into sending requests to a device on the local network while the same-origin policy still treats them as coming from the attacker’s origin.
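The two standard defences against the mechanism just described are (a) a resolver that refuses public-name answers pointing into private address space, which is what dnsmasq’s stop-dns-rebind option does, and (b) a device web server that rejects requests whose Host header does not name the device itself, since a rebound request still carries the attacker’s domain in Host. The following Python is an added example written for this article, not code from Capiau’s post or from Omnik; the address ranges, hostnames and sample DNS answers are constructed for illustration.

```python
"""Two DNS-rebinding mitigations as plain functions (added example).

Assumed deployment points (hypothetical, not from the article):
  - filter_dns_answers() sits in a local resolver hook that sees
    A/AAAA answers before they reach the client.
  - host_header_allowed() sits in an embedded device's HTTP handler.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Address space a public DNS name should never resolve to. A rebinding
# attack works precisely by making the attacker's name land in here.
_NON_PUBLIC_NETS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

# Suffixes that legitimately resolve to private addresses on a home LAN.
_LOCAL_SUFFIXES: Tuple[str, ...] = (".lan", ".local", ".home.arpa")


def _parse_ip(text: str):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(text.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_non_public_address(addr: str) -> bool:
    """True if addr is private, loopback, link-local or unspecified."""
    ip = _parse_ip(addr)
    return any(ip in net for net in _NON_PUBLIC_NETS)


def filter_dns_answers(qname: str, answers: Iterable[str]) -> List[str]:
    """Resolver-side mitigation: drop answers for non-local names that
    point into non-public space. Local-suffix names are passed through
    so the LAN's own devices keep resolving."""
    name = qname.rstrip(".").lower()
    if name.endswith(_LOCAL_SUFFIXES):
        return list(answers)
    return [a for a in answers if not is_non_public_address(a)]


def _host_without_port(host_header: str) -> str:
    """Strip an optional :port, handling bracketed IPv6 literals."""
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end != -1 else ""
    # Exactly one colon means host:port; more means a bare IPv6 literal.
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_header_allowed(host_header: str,
                        device_addresses: Iterable[str],
                        device_names: Iterable[str] = ()) -> bool:
    """Server-side mitigation: only answer requests whose Host header
    names this device. A rebound browser request still says
    Host: attacker.example, so it is rejected (HTTP 421 or 400)."""
    name = _host_without_port(host_header)
    if not name:
        return False
    try:
        # Normalise IP literals so fe80::1 and FE80:0:0::1 compare equal.
        return str(_parse_ip(name)) in {str(_parse_ip(a)) for a in device_addresses}
    except ValueError:
        return name in {n.lower().rstrip(".") for n in device_names}


if __name__ == "__main__":
    # Constructed sample: a second-round answer for the attacker's name
    # that suddenly points at the inverter's LAN address.
    print(filter_dns_answers("attacker.example", ["203.0.113.10", "192.168.1.20"]))
    print(host_header_allowed("attacker.example", ["192.168.1.20"]))
    print(host_header_allowed("192.168.1.20:80", ["192.168.1.20"]))
```

Either check alone would have stopped the attack described here: the resolver filter removes the private address from the rebound answer, and the Host check makes the device ignore the request even if the answer gets through. Devices that must also be reachable by a friendly name should list it in `device_names`.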
So what?
Ultimately, this can lead to devices that rely on Universal Plug and Play (UPnP) and HTTP-only communication behind a firewall becoming remotely compromised.
Researchers expect this form of attack to become more popular over time, as botnet operators attempt to seize low-hanging fruit in the form of IoT devices, such as thermostats, lighting, and appliances.
DNS rebinding has made it into PortSwigger Web Security’s Top 10 Web Hacking Techniques of 2019, as voted for by the infosec research community.
In Omnik’s case, the attack was possible because the default credentials – admin/admin – were still in place.
To make matters worse, the open WiFi access point used for the initial setup was not disabled, leading Capiau to assume that there are likely to be many installations out there with the same basic security problem.
Proof of concept
In order to perform the DNS rebinding attack, Capiau purchased a cheap domain and server, changing the DNS records before cloning the Singularity GitHub repo that was used in the DEF CON demonstration to his server.
After writing and deploying JavaScript exploit code, Capiau tested the attack against his solar inverter.
In tests, it took between 14 seconds and 1 minute 20 seconds to fetch his WiFi SSID and password in plaintext. It was also possible for the attack to be used to tamper with the inverter’s firmware and upload malicious code.
“The exploit can be automated by either guessing the local IP range of a visitor and scanning for running websites in that range using JavaScript or by using a local IP leaked by WebRTC and scanning the /24 range of that IP,” Capiau noted.
Fully charged
The solar inverter Capiau used was one of 12,000 solar panel setups offered through a local scheme in Belgium.
It is not known how many devices in total are impacted internationally.
Capiau says that the DNS rebinding issue is just one of a “ton of security issues” in the Omnik solar panel web interface.
“The open WiFi network for initial configuration was never disabled and default credentials were never changed,” Capiau says.
“I can drive up to anyone’s house who I know has one of these inverters, connect to the open network, navigate to the inverter's webpage, sign in with default credentials and view your WiFi credentials.”
It is not clear at the time of writing whether or not the security issues have been resolved.
In the meantime, it is recommended that owners of Omnik inverters change their passwords and ensure that the open WiFi network used for initial configuration is disabled.
The Daily Swig has reached out to Omnik with additional queries and will update when we hear back.