Mitsubishi Electric EcoGuideTAB Photovoltaic System Monitor Weak Password Vulnerability
Vulnerability
A vulnerability allowing password derivation from the SSID has been identified in the Mitsubishi Electric EcoGuideTAB photovoltaic system monitor, specifically in the models PV-DR004J and PV-DR004JA, all versions. The vulnerability arises from weak password requirements: an attacker within range of the Wi-Fi link between the measurement unit and the display unit (approximately 10 meters) can extract the password. The issue does not arise once the display unit's LCD has been off for more than five minutes, because the product then enters power-saving mode. The affected products were discontinued in 2015, with support ending in 2020.
Impact
Exploitation of this vulnerability could lead to unauthorized access to information stored in the product, such as generated power and electricity sold back to the grid. It could also allow tampering with or destruction of stored or configured information, or cause a denial-of-service condition on the product.
Remediation
Mitsubishi Electric has ceased support for the affected products. Users are advised to discontinue use or implement measures to minimize the risk of exploitation, such as preventing unauthorized access to the product's Wi-Fi communication range and turning off the display unit when not in use.
