Electryone: In the land with no sun
02-11, 11:15–12:00 (UTC), Track 1- Dragon Suite

During this talk, we will see that many photovoltaic (PV) inverters suffer from typical "rush to market" problems that can introduce weaknesses and potentially allow a remote attacker to fully control or brick them.

Targeting an installer cloud means that a successful attack would give elevated access to the inverters , including functions not accessible to PV’s owners.

In this talk we are going to review how attacking a PV installer cloud could lead to taking hundreds of thousands of inverters offline and introduce instability into countries’ power grids.

All attacks are remotely exploitable and a result of logic flaws introduced by the web portals’ developers. Those logic flaws vary from simple Insecure Direct Object References (IDORs) to self-promoting your user to platform admin.

Vangelis is a developer as well as Senior Penetration Tester. His research is mainly in API and web application security.

His academic research is focused on machine learning and the development of proactive web application security.

During his free time Vangelis helps start-ups secure themselves on the internet and get a leg-up on security.

During the past years he has published research regarding API control functions for ships, smart locks, IP cameras, EV chargers and many other IoT devices.