Sunny WebBox Default Password and Denial of Service

Sunny WebBox (Shodan search) is an ICS device for data logging. According to the vendor page:

The Sunny WebBox is the ideal monitoring solution for medium-sized PV plants. It receives and stores current measured values and transmits data via RS485. This means you can stay updated on the status of your plant around the clock. In the event of a problem, you can react quickly and secure your yields. Parameters can be changed and a variety of measured values can be depicted, analyzed and downloaded via a web browser. All data from the connected devices is stored and automatically transmitted to Sunny Portal, if desired. The Sunny WebBox allows central access to your plant data on the Internet via Sunny Portal.

The user manual shows that it has a default password and a denial of service condition:

Logging in to the Sunny WebBox
Log in as “Installer”. The default password for the installer is: “sma”.

Many deployed devices just require a password not a username.

6.5 Logging in to the Sunny WebBox for the First Time
The Sunny WebBox distinguishes between 2 user groups: user and installer.
The two user groups are distinguished by two different passwords. If the password is the same for both user groups, you will be logged in as the installer.
In order to prevent two users making changes at the same time, only one user can ever be logged on to the Sunny WebBox at a time.

For a device deployed with Internet access this means that you can authenticate to the system and just keep your session active. That will keep any other user from logging on to use the device.

Tags: Defaults, Denial of Service, ICS