The expansion of decentralized energy generation repeatedly reveals deficiencies in the IT security of market-leading hardware. The focus is again on the Chinese company Hoymiles, which, according to its own statements, serves around 20 percent of the European market for microinverters. These are installed in balcony power plants and smaller roof solar systems. Security researcher Benedikt Heinz, also known as Hunz, together with the Chaos Computer Club (CCC), has uncovered far-reaching security vulnerabilities: With simple means from the electronic junk box and little know-how, it is reportedly possible to manipulate, switch off, or permanently disable solar systems in the neighborhood while driving by.
My installers connected the solar inverter to the home WiFi. I soon fixed that by changing the WiFi password, but I also discovered that inside the inverter is a stange-looking metal sim card, very small, but thankfully removable. I removed it. No-one is mucking about with my setup! (Except me 😀)
Why the Hell does a solar inverter have a wireless data connection at all to begin with? Insanity.
If you’re installing solar anyway, you’re definitely running wires. So if equipment is “smart,” at least fucking hardwire the networking, damn it!
Also what the fuck was that spammy website? It wanted to run shit on my computer to let me read the article. I thought Europe was supposed to prohibit that abuse!
One use-case is people with dynamic energy contracts. You don’t want your solar panels to return power to the grid if the energy price is negative, because you’d pay for every watt returned. This way the energy provider can remotely stop the inverters if prices are negative.
Though afaik the on-board connectivity is usually exclusively for the API the manufacturer’s app uses. There’s some energy providers in the Netherlands that use this API as well, but this is slow and sometimes unreliable. My employer also installs these panels+inverters, but we control them using modbus via a device we manufacture that you plug in to the modbus/control port. It connects to us via mobile 4g, because we don’t want to rely on the customer’s network (even when wired).
Heise is we’ll known for their shitty consent or pay barrier, but they don’t want to “run shit on your computer”, they just want to track you and sell you to the highest bidder, or just anyone who throws a couple euros in their direction
Ah, I only skimmed their bullshit popup warning, saw a bunch of mentions of “processing,” and assumed they wanted to mine crypto or something.
This isn’t an argument against solar technology - just an unacceptable level of IT security in safety-relevant technology and critical energy infrastructure.
It’s already wrong that much of this stuff does not operate without cloud.
Well you kind of need the cloud in energy production tech if you want to keep the energy network stable. Otherwise the network operators can’t regulate the energy production during peak hours.
But it’s crazy to me that stuff like inverters does not get penetration tested before being sold on the European market…
Well you kind of need the cloud in energy production tech if you want to keep the energy network stable.
Wrong for distributed local smaller generators. You can regulate them via AC frequency.
It is also a bad idea because of a circular dependency: The Internet depends on a working electricity grid. The cloud needs the Internet to work. It is insane to make the electrical grid dependent from the cloud.
I dont think much is tested at all b4 selling it in EU. Slap CE on it, has no meaning anyway. If your product causes harm, you have a small cash limited company as strawman.
This is well known in the US and have been found in much larger inverters.



