The expansion of decentralized energy generation repeatedly reveals deficiencies in the IT security of market-leading hardware. The focus is again on the Chinese company Hoymiles, which, according to its own statements, serves around 20 percent of the European market for microinverters. These are installed in balcony power plants and smaller roof solar systems. Security researcher Benedikt Heinz, also known as Hunz, together with the Chaos Computer Club (CCC), has uncovered far-reaching security vulnerabilities: With simple means from the electronic junk box and little know-how, it is reportedly possible to manipulate, switch off, or permanently disable solar systems in the neighborhood while driving by.

  • jafffacakelemmy@mander.xyz
    link
    fedilink
    English
    arrow-up
    11
    ·
    16 hours ago

    My installers connected the solar inverter to the home WiFi. I soon fixed that by changing the WiFi password, but I also discovered that inside the inverter is a stange-looking metal sim card, very small, but thankfully removable. I removed it. No-one is mucking about with my setup! (Except me 😀)

  • grue@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    edit-2
    17 hours ago

    Why the Hell does a solar inverter have a wireless data connection at all to begin with? Insanity.

    If you’re installing solar anyway, you’re definitely running wires. So if equipment is “smart,” at least fucking hardwire the networking, damn it!


    Also what the fuck was that spammy website? It wanted to run shit on my computer to let me read the article. I thought Europe was supposed to prohibit that abuse!

    • Ghoelian@piefed.social
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 hours ago

      One use-case is people with dynamic energy contracts. You don’t want your solar panels to return power to the grid if the energy price is negative, because you’d pay for every watt returned. This way the energy provider can remotely stop the inverters if prices are negative.

      Though afaik the on-board connectivity is usually exclusively for the API the manufacturer’s app uses. There’s some energy providers in the Netherlands that use this API as well, but this is slow and sometimes unreliable. My employer also installs these panels+inverters, but we control them using modbus via a device we manufacture that you plug in to the modbus/control port. It connects to us via mobile 4g, because we don’t want to rely on the customer’s network (even when wired).

    • MaggiWuerze@feddit.org
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      16 hours ago

      Heise is we’ll known for their shitty consent or pay barrier, but they don’t want to “run shit on your computer”, they just want to track you and sell you to the highest bidder, or just anyone who throws a couple euros in their direction

      • grue@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        6 hours ago

        Ah, I only skimmed their bullshit popup warning, saw a bunch of mentions of “processing,” and assumed they wanted to mine crypto or something.

  • HaraldvonBlauzahn@feddit.orgOP
    link
    fedilink
    English
    arrow-up
    31
    ·
    20 hours ago

    This isn’t an argument against solar technology - just an unacceptable level of IT security in safety-relevant technology and critical energy infrastructure.

    It’s already wrong that much of this stuff does not operate without cloud.

    • trampel@feddit.org
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      19 hours ago

      Well you kind of need the cloud in energy production tech if you want to keep the energy network stable. Otherwise the network operators can’t regulate the energy production during peak hours.

      But it’s crazy to me that stuff like inverters does not get penetration tested before being sold on the European market…

      • HaraldvonBlauzahn@feddit.orgOP
        link
        fedilink
        English
        arrow-up
        20
        ·
        19 hours ago

        Well you kind of need the cloud in energy production tech if you want to keep the energy network stable.

        Wrong for distributed local smaller generators. You can regulate them via AC frequency.

        It is also a bad idea because of a circular dependency: The Internet depends on a working electricity grid. The cloud needs the Internet to work. It is insane to make the electrical grid dependent from the cloud.

      • Waterpumpee@lemmus.org
        link
        fedilink
        English
        arrow-up
        4
        ·
        19 hours ago

        I dont think much is tested at all b4 selling it in EU. Slap CE on it, has no meaning anyway. If your product causes harm, you have a small cash limited company as strawman.