The recent incident involving the energy management system from Givenergy has highlighted the risks of relying on outdated cryptographic methods in today’s infrastructure. Researcher Ryan Castelcucci, who was installing solar panels and an energy storage system at his home, unexpectedly gained control of about 200 megawatts of power, equivalent to the energy supply for 40,000 households.
According to reports, after the equipment was installed, Castelcucci decided to test the Givenergy API in order to integrate the system with his home assistant. The experiment yielded surprising results: by gaining access to the Givenergy administrative account, the researcher was able to manipulate tens of thousands of batteries connected to the network, effectively creating a virtual power station.
Access to the administrative account not only enabled Castelcucci to control the system, but also potentially granted him access to personal data of Givenergy customers, including names, email addresses, and phone numbers. With access to approximately 60,000 installed systems, the researcher had root access over the company’s cloud-connected products, but he asserts that he did not exploit this data during his experiments.
Initially intending to configure a Smart Home system and integrate it with a cloud service, Castelcucci was surprised to find himself in control of a large number of networked batteries while experimenting with the software interface.
The security flaw was attributed to the use of an outdated 512-bit RSA key to secure the software interface. This key essentially serves as a master key for the system, and it proved vulnerable to factoring. Castelcucci successfully factored the key, recovering the private key used across the entire API, for just $70 in cloud computing costs and in less than a day.
It is worth noting that 512-bit RSA keys have been considered insecure for over two decades. The first reported factorization of such a key dates back to 1999, when an international team of researchers required seven months with a supercomputer and hundreds of ordinary computers. Since then, advancements in technology have significantly reduced the resources and time needed for such an operation.
Castelcucci emphasized that the root of the issue goes beyond Givenergy developers and lies with the creators of cryptographic libraries used by programmers.