512-bit RSA key in home energy system gives control of “virtual power plant”
When Ryan Castellucci recently acquired solar panels and a battery storage system for their home just outside of London, they were drawn to the ability to use an open source dashboard to monitor and control the flow of electricity being generated. Instead, they gained much, much more: some 200 megawatts of programmable capacity to charge or discharge to the grid at will. That's enough energy to power roughly 40,000 homes.
Castellucci, whose pronouns are they/them, acquired this remarkable control after gaining access to the administrative account for GivEnergy, the UK-based energy management provider that supplied the systems. In addition to the control over an estimated 60,000 installed systems, the admin account, which amounts to root control of the company's cloud-connected products, also made it possible for them to enumerate names, email addresses, usernames, phone numbers, and addresses of all other GivEnergy customers (something the researcher didn't actually do).
"My plan is to set up Home Assistant and integrate it with that, but in the meantime, I decided to let it talk to the cloud," Castellucci wrote Thursday, referring to the recently installed gear. "I set up some scheduled charging, then started experimenting with the API. The next evening, I had control over a virtual power plant comprised of tens of thousands of grid connected batteries."