512-bit RSA key in home energy system gives control of "virtual power plant"
Ryan Castellucci discovered a vulnerability in GivEnergy's system, allowing access to a 200 MW virtual power plant. GivEnergy fixed the issue within 24 hours, highlighting risks of outdated cryptographic standards.
Ryan Castellucci recently discovered a significant security vulnerability in GivEnergy's home energy management system, which allowed them to gain unauthorized access to a virtual power plant with 200 megawatts of capacity, enough to power approximately 40,000 homes. This access was achieved through a 512-bit RSA key used for authentication, which Castellucci was able to factor for just $70 in cloud computing costs within 24 hours. The vulnerability stemmed from the use of an outdated cryptographic key size, which is considered insecure. GivEnergy quickly addressed the issue after Castellucci disclosed it. The incident highlights the risks associated with relying on third-party code libraries that may include insecure cryptographic options. GivEnergy acknowledged that the problematic encryption method was inherited from a third-party library used during their early development stages when the company had limited resources and expertise. The situation underscores the importance of regular security reviews and updates in software development.
- Ryan Castellucci exploited a 512-bit RSA key vulnerability in GivEnergy's system.
- The breach allowed control over 200 MW of energy capacity, equivalent to powering 40,000 homes.
- GivEnergy fixed the vulnerability within 24 hours of disclosure.
- The incident emphasizes the risks of using outdated cryptographic standards.
- GivEnergy's response highlights the need for ongoing security assessments in software development.
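A defender-side check for the weakness summarized above, as an added example (not code from GivEnergy or the original article): it reads an RSA public key in DER form and reports whether its modulus meets a minimum size. The 2048-bit floor, the function names and the sample keys are assumptions; the sample keys are constructed with a made-up modulus and are not real keys.

```python
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption object identifier
MIN_RSA_BITS = 2048  # assumed policy floor for this example; 512 bits is far below it

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Modulus bit length of a PKCS#1 RSAPublicKey or X.509 SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, value, nxt = _read_tlv(body, 0)
    if tag == 0x30:  # SPKI: AlgorithmIdentifier first, key inside a BIT STRING
        if not value.startswith(RSA_OID):
            raise ValueError("not an RSA key")
        tag, bits, _ = _read_tlv(body, nxt)
        if tag != 0x03 or bits[:1] != b"\x00":
            raise ValueError("expected BIT STRING with no unused bits")
        return rsa_modulus_bits(bits[1:])
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(value, "big").bit_length()

def audit(der):
    """Return (modulus_bits, acceptable) measured against MIN_RSA_BITS."""
    bits = rsa_modulus_bits(der)
    return bits, bits >= MIN_RSA_BITS

def _tlv(tag, value):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def constructed_key(bits, spki=False):
    """Structurally valid public key with a made-up modulus (constructed sample)."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps it positive
    key = _tlv(0x30, _tlv(0x02, n) + _tlv(0x02, b"\x01\x00\x01"))
    if spki:
        key = _tlv(0x30, _tlv(0x30, RSA_OID + b"\x05\x00") + _tlv(0x03, b"\x00" + key))
    return key
```

Calling `audit(constructed_key(512))` flags the key size at the centre of this incident, while a 4096-bit key, the size GivEnergy moved to, passes.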
Related
R1 jailbreakers find security flaw in Rabbit's code
A group of R1 jailbreakers discovered a security flaw in Rabbit's code, exposing hardcoded API keys. Rabbit took action after a month, revoking most compromised keys. The breach complicates Rabbit's recovery from R1 AI gadget issues.
3M iOS and macOS apps were exposed to potent supply-chain attacks
Vulnerabilities in CocoaPods server exposed 3 million apps to supply-chain attacks for a decade. Flaws allowed hackers to inject malicious code, compromising sensitive user data. Developers urged to prioritize security measures.
How to pwn a billion dollar VC firm using inspect element
A security researcher found sensitive data from VC firm a16z exposed on their website. Despite the potential risks, a16z didn't offer a bug bounty. The incident stresses the need for responsible disclosure and robust security practices.
The Wild West of Proof of Concept Exploit Code (PoC)
CVE-2024-6387 is a serious unauthenticated remote code execution vulnerability in OpenSSH, with complex exploitation requiring knowledge of system architecture. The exploit code contains malicious elements, emphasizing risks of untrusted code.
Hacking a Virtual Power Plant
Ryan Castellucci identified vulnerabilities in GivEnergy's API related to a 512-bit RSA key, allowing unauthorized access. GivEnergy promptly upgraded to a 4096-bit key, emphasizing the need for secure cryptographic practices.