Rogue Communication Devices Found in Chinese Solar Power Inverters (reuters.com) 68
Gilmoure shares a report: U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. Power inverters, which are predominantly produced in China, are used throughout the world to connect solar panels and wind turbines to electricity grids. They are also found in batteries, heat pumps and electric vehicle chargers.
[...] Using the rogue communication devices to skirt firewalls and switch off inverters remotely, or change their settings, could destabilise power grids, damage energy infrastructure, and trigger widespread blackouts, experts said. "That effectively means there is a built-in way to physically destroy the grid," one of the people said, The two people declined to name the Chinese manufacturers of the inverters and batteries with extra communication devices, nor say how many they had found in total.
[...] Using the rogue communication devices to skirt firewalls and switch off inverters remotely, or change their settings, could destabilise power grids, damage energy infrastructure, and trigger widespread blackouts, experts said. "That effectively means there is a built-in way to physically destroy the grid," one of the people said, The two people declined to name the Chinese manufacturers of the inverters and batteries with extra communication devices, nor say how many they had found in total.
Sure, huawei is fine tho (Score:5, Insightful)
I can't wait to see the spin from our faithful CCP bots.
Re: (Score:2)
I can't wait to see the spin from our faithful CCP bots.
Expect a lot of "LIES!" in all caps.
Re:Sure, huawei is fine tho (Score:4, Insightful)
I can't wait to see the spin from our faithful CCP bots.
Dude, please, you need to at least ask questions. Like are these part of some management SoC and not used in some configuration of the hardware. Are the radios powered on, or are they a threat because some firmware update or some other trigger could enable them later. Do they even have antennas?
There's unlimited potential to be a threat, but it's stupid to not ask questions and understand the actual threat if we have something concrete.
Re:Sure, huawei is fine tho (Score:5, Informative)
Sure, industrial infrastructure commonly has remote monitoring and administration capabilities. Grid storage systems for example have to monitor battery and inverter health. EV chargers can often communicate to determine the most economical charge times.
In this case the devices included cellular radios that could bypass site network administrators completely. Again this is not necessarily nefarious, because there are legitimate use cases for this.
But if the capability is there, it should be shipped totally disabled unless the customer requests otherwise. A competent engineer could determine whether that's the case. Even if the cellular modem isn't provisioned with a data carrier, if it is operational an agent with national means could communicate with it stingray style. If it is physically possible for an unauthorized person with knowledge of the system to gain control of this equipment, somebody has some explaining to do.
Re: (Score:2, Troll)
I thought of provisioning as an obstacle, but it's not necessarily a difficult one for an actor with "national means" to overcome. Most likely none of the low-cost service providers who provide service for things like GPS trackers would bat an eye if you had a shell company set up a few hundred or even a thousand devices. Just tell them you're doing vehicle tracking or something like that. China's MSS could even set up a bogus cell tower near their target sites, stringray style. The main target of such
Probably just comms for power monitoring (Score:2)
The decision to label these devices "rogue" communication devices says more about the xenophobic paranoia of the US agency reporting these as such than it does about the Chinese renewable energy industry.
Re: (Score:1)
Yep, looks like this week's yellow bogeyman story. Stories of unnamed devices found in unnamed panels coming from an unnamed source are great for scaremongering, until you realise they're at about the same level as the magic spy capacitors on Supermicro server boards from a few years back.
Quite apart from the overall bogeyman nature of the story, if you're going to put spy devices in something why would you put them in solar panels? What are they going to report back to their evil CCP overlords, "sun is
Re: (Score:1)
Yeah.... not all slaves realized they're enslaved.
Why not state which ones? (Score:4, Informative)
Re:Why not state which ones? (Score:5, Insightful)
I'm of two minds on this. On one hand, if you identify the company, yes, people will know what to look for and can either replace the inverter or get a whole new panel.
On the other hand, by identifying the company, you've tipped them off that you know what they did and the company will try to find a different way to do the same thing.
On the other other hand, by not identifying the company this keeps China in the dark about which ones were found and allows time for companies to look for the same thing in other brands. If it turns out it's only these two brands then you can ban them from use. But if you find this commonality among a range of Chinese brands, you can use that as direct evidence of government involvement.
Re:Why not state which ones? (Score:4, Insightful)
Re: (Score:3)
It could also be that the investigation continues into other brands.
Re: (Score:3)
This assumes only one Chinese firm has been doing this, and said Chinese firm knows they are the only one doing this, then yes, the jig is up.
But if it's multiple firms doing this, and they don't talk to each other about doing this, then there is still a bit of question in the air.
Re: (Score:3)
Yeah...but it also assumes that it actually ever happened. If nobody can check, nobody can validate. That lets them say anything they feel like.
If the government were more honest and trustworthy I might cut them some slack. As it is...my default assumption is that it's a lie.
Re: (Score:1)
Re: Why not state which ones? (Score:2)
Mine can't because i removed the radio board onstar uses (not just the antennas). No ota updates...no remote access to anything. My phone via android auto handles infotainment. As god intended (since there is no aftermarket for such 'head units' anymore).
Re: (Score:2)
On the other hand, by identifying the company, you've tipped them off that you know what they did and the company will try to find a different way to do the same thing.
Wouldnt the companies already know that their devices have been found just by the announcement that they had been found? Why would they need their brand name announced to figure that out?
If they're aware these devices were on their product then they're aware that theyve been caught in the act now.
Re: (Score:1)
Do you think China is going to send out ninjas to disappear offending products from other brands? Or is NOT going to send out ninjas just because ANONYMOUS_TIPSTER failed to name specific names?
The only reasons for witholding details are a) you don't want to get sued and b) the details aren't nearly as interesting as the vag
Re: (Score:2)
Re: (Score:2)
It's not a certain answer.
Re: (Score:3)
Yea, this. Plus they need to spell out what we're looking at, mostly everything nowadays wants some wifi connection and an app, and will most likely leak at a minimum everything you are doing with the device, plus what it can see around, your wifi password and so on. Also it'll have autoupdate ota capabilities enabled by default, so it can literally do anything they might want it to do at some point including to attack other machine, bound only by its hardware capabilities.
Re: (Score:2)
Re: (Score:3, Insightful)
Evidence is needed, period. We did this not too long ago: big headlines about mystery chips from China in server hardware, subsequently debonked as fake news.
Independent, third party corroborated analysis, with names of people that matter attached, saying stuff in a full throated manner. If these leaks get us there then that's great, but until SECDEF or POTUS is standing in front of a camera with a device in hand, flanked by NSACIAFBI people, I'm not paying attention.
Re: (Score:3)
We did this not too long ago: big headlines about mystery chips from China in server hardware, subsequently debonked as fake news.
And if you don't believe that can happen, I have a GREAT deal on pagers and walkie talkies for you! (For references, call Hezbollah.)
Re: (Score:2)
I believe it has happened. Given all the countless gear that has been manufactured under the thumb of the CCP/PLA, I'm absolutely certain there are real backdoors in Chinese made equipment and that has already been installed in Western infrastructure. The US did exactly this to Russia on more than one occasion. It would be almost irresponsible for China not to do exactly the same thing; they're practically obligated to do it, and not doing it would be weird.
All that being said, until you can rub my nos
Re: (Score:2)
Yes, it *can* happen, but as far as anyone can possibly tell, it didn't happen in the SuperMicro case. And the way the article described it was actually utterly impossible (they claimed a surface mount capacitor about the size of a pencil led was a spy chip, but that just can't work even in theory).
In this scenario, I wouldn't be surprised if a chip included otherwise happened to have WIFI capability, because it's easy to get an SoC with that integrated, even if the product goal is to not bother. Especially
Re: (Score:3)
If you're expecting real journalism in the US these days, I have some very bad news for you. Or maybe a bridge to sell you, depending on my personal ethics.
Re: (Score:2)
As far as I know, the followup was the industry at large finding nothing to back up their story, a lot of head scratching what the story could be, and one of their sources coming forward and basically explaining how the article writers had no idea what they were doing and completely misunderstood their conversations with him.
No one ever came forth with the explanation of the specific allegation about supermicro, but they botched their general research so bad it's hard to imagine they somehow managed to stum
Re: (Score:2)
Yeah, every intelligence agency, investigation, every company and organization supposedly victimized, research sources... All came forward saying it's completely bogus.
The lack of retraction and in fact publishing a second article doubling down and the complete lack of accountability for it is a good example of how screwed up the "security research" ecosystem is. Bloomberg completely boffed it in every possible way, never retracted, and Supermicro wouldn't dare risk the negative press of legal action to ge
Re: (Score:3)
It sounds like a planted psyop story by the MIC, pissed that they can't bomb Iran. Reuters is a tell as well as the lack of detail.
If there really are cellular modems in them, did they have SIM cards or eSIM's?
If so did they run the ICCID through the carriers and see who was paying to have them active?
Then follow the money. Any natsec investigator would have done these very basic steps.
Those would be in a real article.
If all of those lead to a PLA front group then we can call in to Houston with a problem. B
Re: (Score:2)
All industrial equipment over a certain dollar value now comes with some type of remote access equipment, often with the option of specifying different variants. It costs almost nothing for the equipment. It costs something like $3,000 dollars to send someone to a random destination and fix something. If the person needs to go to site, determine the cause of the problem, return home, and then fly back with the spare part, it costs $6,000.
A cell modem remote communication device pays for itself on the fi
Re: (Score:2)
Re: (Score:1)
Stoppit stoppit! My tankman is about to spew!
put up or fuck off (Score:1)
They won't name them? Lying fucks begging for attention.
is it really a bad thing? (Score:2)
Re: (Score:2)
To be fair, if they're being that honest, it could be both. Many things don't just have a single effect. And what the purpose is then depends on what the purpose of the user is.
OTOH, I expect it will turn out to be mainly a lie. The current administration is so known for its honesty.
Ubquitous (Score:2)
I don't know how malicious this is, or if China can exploit it, or even any hackers in general. The thing is, in this day and age many microcontrollers contain "communication devices" built in, whether they are needed or used. Like ESP32 microcontroller modules, that only cost a couple bucks each, have WiFi and Bluetooth built in.
There's strong incentive to use cheap generic microcontrollers for most anything like this now, and it's usually cheaper to use some generic mass-produced thing with extra capabili
Re: (Score:2)
Re: (Score:2)
Or it's a feature of a more expensive model and it's on the board but not used in the cheaper one.
Re: (Score:2)
I've designed many devices that are like this. Bluetooth especially is quite cheap now and it often comes with hardware chosen for other reasons. It wouldn't save any money to remove it. And if there's no money to be saved, there's no option to do it.
I'm at a trade show right now where we've built a device, functioning prototypes at this point, with an unused BT interface. It's got a cell modem, which was intentional and is used. And there's wifi, which isn't really an intended user facing product feat
Orly? (Score:1)
Okay, well fuck you then. Are they trying to cover for them? BURY THEM.
Re: (Score:2)
Okay, well fuck you then. Are they trying to cover for them? BURY THEM.
Or they are trying to cover their own asses. This could be the classic "unnamed sources" leak. They might not have authorization to speak publicly.
Or they are busy unloading their shares in the companies.
So what? (Score:2)
If the hardware has comms devices in it - even ones deliberately implemented in the hardware at the direction of the MSS - that's kind of just a waste of China's effort if the hardware isn't plugged in to a communications network.
But if your stuff DOES plug into a communications network, then presumably you're connecting a data cable or giving it a WiFi password. And you want it to connect.
So either it's nothing, or it's something you want - but probably somebody should be looking at which servers it calls
Re: (Score:2)
A cellular radio is useless without the ability to connect to a network. If there's a cellular network around that is accepting traffic from unregistered Chinese spy devices and routing it to China... you have a MUCH bigger issue than the device in the battery, you have compromised telecommunications infrastructure.
Re: (Score:2)
To be fair, the US does have a compromised telecommunications infrastructure.
Re: (Score:2)
I am skeptical of this story because it's usually bad journalism making something of nothing, but for this sort of equipment just kind of hanging out in otherwise open fields, one could easily imagine the ability to make long range wireless connections in a clandestine way. We have LEO satellites connecting to cell phones now.
Destabilise power grids (Score:3)
How can we differentiate between a Chinese attack and our local utilities normal operations?
Re: (Score:1)
One is planned spying & control, the other is just stupidity.
Undocumented != Nefarious (Score:2)
I can't help but note that no where in TFA does it mentioned that the researchers determined these devices were active or in any way connecting to something, just that they exist. They even note their own fearmongering saying the only issue here is one of documentation and nothing else.
I will bet a Marsbar this is nothing more than providing a standard product for economy of scale. Likely the same board is used by another manufacturer who does offer it with cellular otherwise remote access as a listed featu
Where have I seen this before? Hmmmm? (Score:2)
All your power are belong to us!
Not worried (Score:2)
Rogue Communication Devices Found in Chinese Solar Power Inverters
It's the ones from Hack [wikipedia.org] that'll really get you, not Rogue [wikipedia.org]. :-)
you have a feeling of loss ... (Score:3)
everything looks SO boring now!
Two people? (Score:2)
The only source cited for this story is "two people who declined to be named." No mention of what kind of agency or authority they came from. This is either crappy journalism, a plant, or AI. Maybe all three.
Re: (Score:2)
Welcome to the norm of security reporting. Very engaging to cry wolf and there are never any bad consequences for crying wolf.
There's a chance they did find something, and if there were more actionable detail provided I'd be interested in followups. However this has played out so many times and 95% of the time it's a bogus security story, so I am now inclined to disbelieve these stories by default.
All of the above and... (Score:1)
why did these "U.S. Energy officials" decided to take the story over to some Reuter journalist in London and there's no firsthand coverage in any US news outlet?