An issue was discovered in SMA Solar Technology products. All inverters have a very weak password policy for the user and installer passwords. No complexity requirements or length requirements are set. Also, strong passwords are impossible due to a maximum of 12 characters and a limited set of characters. NOTE: the vendor reports that the 12-character limit provides a very high security standard. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected.
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Sunny_boy_3600_firmware | Sma | - (including) | - (including) |
A product’s design should require adherence to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended that the policy contain the following attributes:
Depending on the threat model, the password policy may include several additional attributes.
See NIST 800-63B [REF-1053] for further information on password requirements.
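
The following added example (not code from the advisory, the vendor, or NIST) contrasts a model of the policy described above with one following NIST SP 800-63B's memorized-secret guidance. The `WEAK` alphabet, the one-character minimum, the 64-character cap and the blocklist entries are assumptions made for illustration.

```python
import string
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Constructed sample blocklist; a real deployment loads a large list of
# commonly used and previously breached passwords.
BLOCKLIST = frozenset({"password", "12345678", "qwertyuiop", "installer"})

@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    allowed: Optional[frozenset]  # None means any printable character
    use_blocklist: bool

# Assumed model of the reported policy: no meaningful minimum, 12-character
# cap, restricted alphabet (the exact character set here is hypothetical).
WEAK = Policy(1, 12, frozenset(string.ascii_letters + string.digits + "-_?!"), False)

# NIST SP 800-63B: at least 8 characters, permit at least 64 (64 is the cap
# chosen here), accept printable characters including space, no composition
# rules, and reject values found on a blocklist.
NIST = Policy(8, 64, None, True)

def check(password: str, policy: Policy) -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    pw = unicodedata.normalize("NFKC", password)  # normalize before comparing
    problems = []
    if len(pw) < policy.min_len:
        problems.append("too short")
    if len(pw) > policy.max_len:
        problems.append("too long")
    if policy.allowed is not None:
        if any(c not in policy.allowed for c in pw):
            problems.append("character not allowed")
    elif any(not c.isprintable() for c in pw):
        problems.append("non-printable character")
    if policy.use_blocklist and pw.casefold() in BLOCKLIST:
        problems.append("commonly used password")
    return problems

if __name__ == "__main__":
    for candidate in ("a", "Password", "correct horse battery staple"):
        print(repr(candidate), "weak:", check(candidate, WEAK),
              "nist:", check(candidate, NIST))
```

The weak model accepts a one-character password and rejects a long passphrase, while the 800-63B-style policy does the opposite.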