Hoymiles has now reacted and closed the gaps.
Serious security gaps in the cloud service of the Chinese photovoltaic manufacturer Hoymiles threaten several hundred thousand microinverters. The service, called “S-Miles Cloud”, offers the manufacturer’s customers yield monitoring and shows what their small photovoltaic systems are doing. This requires either a “Data Transfer Unit” (DTU for short), a radio bridge that is connected to the Internet, or a newer Hoymiles inverter with integrated WLAN.
An anonymous whistleblower who claims to be a security researcher contacted c’t via the investigative mailbox on Sunday last week and uploaded a 25-page document with detailed descriptions of the gaps. We were able to verify the information through tests on our own hardware.
The attack apparently unlocks access to all DTUs and inverters registered in the S-Miles cloud. This cannot be verified, but since Hoymiles provides the same two apps for all devices, it is likely that only one service is used. A query also showed that around 230,000 systems, each with at least one inverter, are currently connected to the service.
Users who do not read out their inverter at all, or who use alternative bridges such as Ahoy and OpenDTU, are not affected.
Much of c’t’s investigative research is only possible thanks to anonymous information from whistleblowers.
If you are aware of an issue that the public should know about, you can provide us with information and material. Please use our anonymous and secure mailbox.
Danger of short circuit
In the course of his analysis of the cloud, the security researcher discovered several loopholes through which he could manipulate inverters in such a way that infrastructure is damaged and the inverter is destroyed. In the worst case, there is a risk to life and limb.
Among other things, it would be possible to deactivate NA protection and island protection. NA protection ensures that the grid and inverter are disconnected if voltage or frequency rise above or fall below their limit values. Island protection switches off the inverter if the grid connection is interrupted. This also prevents systems connected via a protective contact plug (Schuko) from posing a safety risk when unplugged; if the function is deactivated, the exposed contacts pose a risk to life.
Used in a suitable combination, the gaps even make it possible to manipulate the alternating voltage generation of the devices. It is also possible to switch on all transistors permanently. If this happens in mains operation, the resulting short circuit on the AC voltage side will destroy at least the inverter’s fuse, if not its transistors as well. The whistleblower verified at a low voltage that this actually works.
Manufacturer has so far remained silent
In an email sent on Tuesday, we asked the Chinese manufacturer for comment. Although we contacted several company departments and wrote directly to a company technician and the Senior Sales Manager for Europe, we received neither an acknowledgment of receipt nor any other response. c’t has had difficulty establishing contact with Hoymiles in the past, and communication has not been smooth so far.
Users of Hoymiles DTUs should now disconnect the devices from the Internet as quickly as possible so that no more commands can reach the inverters via the cloud service. If you don’t want to miss out on yield monitoring, you should take a look at the alternatives Ahoy and OpenDTU. Ready-made devices can be purchased online. Since these are cloudless and manufacturer-independent firmwares, they are not affected by the vulnerability.