The US Department of Homeland Security is warning of critical vulnerabilities in a computerized control system that attackers could exploit to sabotage or steal sensitive data from operators of the solar arrays that generate electricity in homes and businesses.

A slew of vulnerabilities in a variety of products, including the Sinapsi eSolar Light Photovoltaic System Monitor and the Schneider Electric Ezylog Photovoltaic Management Server, allow unauthorized people to remotely log into the systems and execute commands, warned the DHS-affiliated Industrial Control Systems Cyber Emergency Response Team in a recent alert. Other vulnerable devices include the Gavazzi Eos-Box and the Astrid Green Power Guardian. Proof-of-concept code available online makes it easy to exploit some of the bugs.

The advisory is based on a report published last month that disclosed SQL injection vulnerabilities, passwords stored in plain text, hard-coded passwords, and other defects that left the devices open to tampering. According to researchers Roberto Paleari and Ivan Speziale, the vulnerable management server is incorporated into photovoltaic products from several manufacturers. Paleari told Ars the flaws were uncovered after Speziale purchased a Schneider Electric Ezylog device for his home that used firmware version number 2.0.2736_schel_2.2.6b.

"All the firmware versions we analyzed have been found to be affected by these issues," the researchers wrote. "The software running on the affected devices is vulnerable to multiple security issues that allow unauthenticated remote attackers to gain administrative access and execute arbitrary commands."

The researchers said they released the report two weeks after sending at least two e-mails to the manufacturer and receiving no reply. Representatives from the four companies mentioned above didn't respond to e-mails requesting comment for this article.

Among the most serious vulnerabilities are bugs that make possible SQL injection attacks, which allow hackers to pass commands to a MySQL database connected to a Web interface. "Thus, attackers can easily leverage this issue to access the content of the SQL table that contains all valid username/password combinations (passwords are in plain text)," wrote the researchers.

The researchers also uncovered several pre-configured passwords, including the string "36e44c9b64," that are hard-coded into the server's PHP file. Typing one of these strings into the password field of the server's login panel will grant access regardless of the corresponding username that's entered. These passwords can't be changed or removed.

Justin W. Clarke, an expert in the security of industrial control systems, told Ars the vulnerable devices are used to manage small to mid-sized photovoltaic installations used in homes and businesses. In addition to providing monitoring capabilities, the devices can also allow users to control the solar equipment.

"If there's solar on a site that has a large-scale control system this is going to be sitting pretty close," said Clarke, who is a researcher with Cylance, a firm specializing in security of industrial systems. "So if this were at a factory and there were bigger control systems, I would not be surprised to see this in a position where you could exploit this device and then gain access to a protected control network."

Other vulnerabilities include command injection and broken session enforcement. The researchers included the following snippet of code, which they said allows an attacker to list the directory contents of a vulnerable machine:

curl "http:///ping.php?ping=ok" -d "ip_dominio=192.168.1.1 -n 1 %26 dir"

"As the POST parameter is used to build a command-line argument without being sanitized before [submission], attackers can leverage termination characters (e.g., '&') to execute arbitrary commands (e.g., "dir")," the researchers wrote.
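An added example, not from the article or the researchers' report, of the input check a ping handler like the one described should have performed: it is written in Python rather than the device's PHP, accepts the ip_dominio field only as a literal IP address or a hostname, and hands ping an argument list instead of a shell string, so the payload quoted above is rejected before any process runs. The field name comes from the curl line; the two request bodies are constructed here for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed request bodies: the first mirrors the payload in the article
# (%26 decodes to '&'), the second is a legitimate monitoring request.
ATTACK_BODY = "ip_dominio=192.168.1.1 -n 1 %26 dir"
BENIGN_BODY = "ip_dominio=192.168.1.1"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$",
    re.IGNORECASE,
)


def validate_target(value):
    """Return value if it is a literal IP or a well-formed hostname, else None.

    Allowlisting the shape of the value (rather than blocking '&', ';' and
    friends) is what keeps shell metacharacters, spaces and extra flags out.
    """
    try:
        ipaddress.ip_address(value)   # IPv4 or IPv6 literal
        return value
    except ValueError:
        pass
    return value if HOSTNAME_RE.match(value) else None


def build_ping_argv(body):
    """Parse the POST body and return the ping argv list, or None if rejected.

    parse_qs splits on '&' before percent-decoding, so an encoded %26 stays
    inside the ip_dominio value and shows up to the validator as a literal '&'.
    """
    fields = parse_qs(body, keep_blank_values=True)
    target = validate_target(fields.get("ip_dominio", [""])[0])
    if target is None:
        return None
    # Argument list, never a shell string: the target is one argv element and
    # cannot start with '-' after validation, so it cannot become a flag either.
    return ["ping", "-c", "1", target]


if __name__ == "__main__":
    print("attack body ->", build_ping_argv(ATTACK_BODY))   # None
    print("benign body ->", build_ping_argv(BENIGN_BODY))   # ['ping', '-c', '1', '192.168.1.1']
```

Running the returned list through subprocess.run without shell=True is the remaining step; the rejected request should be logged rather than silently dropped, since a '&' in this field is a clear exploitation attempt.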

As Ars has reported previously, the SCADA (supervisory control and data acquisition) systems that manage much of the nation's critical infrastructure are littered with similarly serious security bugs that have come to be called "forever day" vulnerabilities because their manufacturers have no intention of fixing them.

Last week's report came the same week that Defense Secretary Leon Panetta said the US power grid, transportation system, financial networks, and government all faced serious threats from foreign hackers. He identified possible adversaries as China, Russia, Iran, and militant groups.

"An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches," The New York Times quoted Panetta as saying. "They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country."