
diy solar


DEMAND SECURITY from equipment manufacturers!

Koyaanisqatsi

Electron addict
Joined
Sep 7, 2024
Messages
524
Location
San Luis Obispo county, CA
I'm calling out any manufacturer that does the following well-known, dangerous and irresponsible things with their products.

As the users who will ultimately pay the price of BAD SECURITY, we must DEMAND that manufacturers take responsible actions to PROTECT THEIR CUSTOMERS from security breaches, as it relates to the hardware and software provided by the manufacturer/vendor.

I encourage readers to tag forum users who work for manufacturers and vendors of equipment and software, so they are aware of this egregious problem.
  1. Failure to ship products with all remote access features disabled at the factory.
  2. Failure to allow the user to enable/disable remote access when needed.
  3. Failure to force the user to change the admin and/or remote access password, and require a strong password, during first-time setup.
  4. Failure to use strong encryption that has no known backdoor for all data in transit, and in remote storage.
  5. Failure to use industry accepted secure connections between any two points, especially to the cloud. I.e.: HTTPS with TLS1.3 or better.
  6. Failure to require strong passwords and offer MFA to access cloud services.
  7. Failure to allow changing the access key that enables cloud communication from the device.
  8. Failure to provide a factory reset button, so that the hardware can still be used if the admin password is forgotten/lost. But all data, passwords and access keys are wiped from the device.
These are FAILURES of the manufacturer. If you FAIL TO PROVIDE RESPONSIBLE SECURITY FEATURES, you are FAILING YOUR CUSTOMERS.

There is NOTHING that justifies any of these failures. Any manufacturer who does not meet these requirements is being negligent, malicious, irresponsible, and many other words that describe an entity that is not doing their job and it's dangerous to the customers. And they should be held accountable for their incompetence.

"Any sufficiently advanced negligence is indiscernible from malice."
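The controls in the list above, worked through as a small device-setup model in Python. This is an added illustration, not code from the original post or from any inverter vendor: the `Device` class, its constructed factory password, the 12-character strength rule and the PBKDF2 parameters are assumptions chosen for the example, while the TLS floor uses the standard library's `ssl` module as-is.

```python
import hashlib
import hmac
import os
import secrets
import ssl

# Hypothetical device model constructed for this example (not any vendor's firmware).
MIN_PASSWORD_LEN = 12   # assumed policy
PBKDF2_ROUNDS = 200_000  # assumed work factor


def password_is_strong(pw: str) -> bool:
    """Item 3: minimum length plus at least three character classes."""
    if len(pw) < MIN_PASSWORD_LEN:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def make_tls_context() -> ssl.SSLContext:
    """Item 5: a client context that refuses anything below TLS 1.3 and
    keeps the default certificate verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


class Device:
    FACTORY_PASSWORD = "admin"  # constructed default, only valid until first login

    def __init__(self):
        self.factory_reset()

    def factory_reset(self):
        """Item 8: wipe every secret; item 1: remote access starts disabled."""
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(self.FACTORY_PASSWORD)
        self.must_change_password = True
        self.remote_access_enabled = False
        self.cloud_access_key = None

    def _hash(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, PBKDF2_ROUNDS)

    def login(self, pw: str) -> bool:
        # Constant-time comparison so a wrong guess leaks no timing signal.
        return hmac.compare_digest(self._hash(pw), self._pw_hash)

    def set_password(self, old: str, new: str) -> bool:
        """Item 3: the factory password can only be replaced by a strong one."""
        if not self.login(old):
            return False
        if new == self.FACTORY_PASSWORD or not password_is_strong(new):
            return False
        self._salt = os.urandom(16)          # fresh salt with every change
        self._pw_hash = self._hash(new)
        self.must_change_password = False
        return True

    def set_remote_access(self, enabled: bool) -> bool:
        """Item 2, gated by item 3: remote access stays off while the
        factory password is still in place."""
        if self.must_change_password:
            return False
        self.remote_access_enabled = enabled
        return True

    def rotate_cloud_key(self) -> str:
        """Item 7: user-initiated rotation; the previous key stops being valid."""
        if self.must_change_password:
            raise PermissionError("change the admin password first")
        self.cloud_access_key = secrets.token_urlsafe(32)
        return self.cloud_access_key
```

The order of checks is the point: nothing that reaches outside the device (remote access, cloud key) is obtainable until the factory credential is gone, and a factory reset returns the unit to that same locked-down state rather than to a pre-provisioned cloud identity.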
 
While I agree with what you've said from a security perspective, how do you respond to the random masses who want simple or automatic or can't figure out how to remember their email password, let alone change an admin password?

How many times do you hear praises for, "it just works out of the box, no settings to mess with!"

I'm with you, but many consumers are lazy and can't be bothered to figure out how to do anything or why things work the way they do.

Edit: I reread your post, I guess only 1 and 3 would offend my theoretical lazy consumers.

"Any sufficiently advanced negligence is indiscernible from malice."
I like this quote, I'm stealing it.
 
While I agree with what you've said from a security perspective, how do you respond to the random masses who want simple or automatic or can't figure out how to remember their email password, let alone change an admin password?

How many times do you hear praises for, "it just works out of the box, no settings to mess with!"

I'm with you, but many consumers are lazy and can't be bothered to figure out how to do anything or why things work the way they do.

Edit: I reread your post, I guess only 1 and 3 would offend my theoretical lazy consumers.


I like this quote, I'm stealing it.
Nice twist, Also Thanks to Arthur C. for the original and all the great books he wrote.
 
All these companies want everything to be connected to the grid where they are in the path. Keep your information, can upload firmware when they want to, and when hacked and your info goes out on the web.. Oh well.

Your home is open to foreign governments... 1984 Scary
 
All these companies want everything to be connected to the grid where they are in the path. Keep your information, can upload firmware when they want to, and when hacked and your info goes out on the web.. Oh well.

Your home is open to foreign governments... 1984 Scary
Knowledge is power. If any AI provider wanted a treasure trove of natural language about solar and battery "everything", they would only need to scan this whole forum. Companies though want to know when you're running/consuming something so they can better optimize their content and when to shove it in your face with a notification or be able to charge you more for it during the time you've always done it.

As for security, while my home does have "smarts" that are usable through an internet connection, those smarts will keep working if the internet is not available. If I had any concerns I could disconnect it all from the internet.
 
While I agree with what you've said from a security perspective, how do you respond to the random masses who want simple or automatic or can't figure out how to remember their email password, let alone change an admin password?

How many times do you hear praises for, "it just works out of the box, no settings to mess with!"

I'm with you, but many consumers are lazy and can't be bothered to figure out how to do anything or why things work the way they do.

We can't allow security to become lax just for people who aren't good enough with the subject matter to use a device. They should be working with a professional if that is the case. Everything about solar is dangerous. But in reality, it's almost always a decision being made by an executive to shave costs. Doing real security in software takes effort and brains, both of which are more expensive than not doing it. And they incur no liability behaving that way. I'm trying to make it their liability, instead of letting their customers burn.

I like this quote, I'm stealing it.
I got that from a coworker several years ago.
 
1. I agree on vendors needing to do MUCH better
2. but, Customers have to demand it, and they won't. Too many users go for cheap, and quality software design, testing, and on-going updates is expensive.
The old Project Mgmt adage .. of the qualities Good, Fast, & Cheap - pick 2... typical consumers go for convenient and cheap... then whine when quality is bad... dealing with such folks is where id10t, pebkac, etc came from

For example,
- Or people complaining about security & privacy, but posting vacation plans on Facebook
- how long has TP-Link been known to do the bare minimum on network product firmware, using outdated, known vulnerable open-source s/w, then when an exploit gets around, claims the device is out of warranty and won't be updated.... What 15+ years.... and still they sell a lot. stupid users. I won't be surprised if similar open-source library vulnerability issues exist in networked smart home energy systems

At this point, look at the struggles a company like EG4 has, selling a LUX power unit, with their own slightly tweaked firmware, but which EG4 doesn't appear to be subject matter experts in. Folks clamor for functionality, and limited use-case support, not security, and really, EG4 struggling to get a handle on functional bugs (an order of magnitude higher priority for its users and therefore the company, vs security issues. They are just trying to get stuff to work) ... So, until users are willing to pay for quality architecture and design, I don't see it happening. And I'm not picking on EG4 as others are in the same situation ... nature of the industry/business. And I love the price and features of certain EG4 products, that force other companies to compete and offer better value.
But, look at all the people buying products that depend on cloud for basic functionality... with products that would diminish in functionality (if not outright stop working) if/when company goes out of business. And we have decades of experience with such companies going out of business... but still users persist

So, a small portion of us know better. I see this issue as one more of user education. I recall a thread this year from a overseas Deye user complaining about missing functionality the product never advertised... real issue - user didn't do their homework before purchase. Call me jaded, but I've reached the point of being low sympathy for stupid user tricks. In my mind, the phrase 'Caveat Emptor' rings as true now as ever. To me, how the collective 'we' can help is documenting and publishing various criteria (function, security, etc) for consumers to consider before purchase, to enable informed decisions.
 
These aren't TVs or Instant Pots. We're dealing with dangerous power electronics that can - and will - literally kill you (and it will hurt the whole time you are dying). If something like managing a password is difficult for you, you have no business trying to configure an inverter. And again, manufacturers are being both dangerous and irresponsible, trying to make such a dangerous device usable for someone who really shouldn't be working with them. Electrical is not for the masses to touch. It's for those who know or are professionals in the field.

The struggles of a company are their problem to work out. And if/when they do, it should never be at the expense of their customers. That's just bad leadership. It's bad people running the company.
 
Just buy equipment that doesn't need an internet connection? Victron is a good example. Sure, you can connect it, but you don't have to. Usually the supplier will be able to configure it exactly per your needs and it will never need to connect to the internet. There is plenty of equipment out there that doesn't need it. I run a Chinese inverter and charge controllers and they don't even have the option to connect to the internet, but you can monitor them locally and expose a Grafana dashboard or something if you want to - it's just up to you to build it.
 
Just buy equipment that doesn't need an internet connection? Victron is a good example.
Plus Victron probably has the most extensive/thorough security of any of the systems even if you do connect it to the internet. It's probably easier to simply recommend which companies are producing products that ARE taking security seriously since there are far fewer of those.
 
One example is there any other company that supports 2FA (two factor authentication) for your online account besides Victron? Seriously would like to know.
 
I can't even get EG4 to respond to my demands to let me add additional users to MY inverter. "It's reserved for factory support and installers" is a BS response.
Agreed! Either make it so that there is a credential for low-level access and one for high-level access. Or implement at least a simple user management system. And this should always be owned by the user, not the manufacturer!

Just buy equipment that doesn't need an internet connection? Victron is a good example. Sure, you can connect it, but you don't have to. Usually the supplier will be able to configure it exactly per your needs and it will never need to connect to the internet. There is plenty of equipment out there that doesn't need it. I run a Chinese inverter and charge controllers and they don't even have the option to connect to the internet, but you can monitor them locally and expose a Grafana dashboard or something if you want to - it's just up to you to build it.
Also agree! I'm most likely going with Victron myself. But I did also seriously consider Midnight Solar, Sol-Ark and Schneider, because of their lack of Internet requirements, and good security in the parts they do allow/provide in the cloud.
 
there is the old adage... 'don't ascribe to malice that which is more easily explained by stupidity'. And if you think companies should provide certain features regardless of cost impact and customer stated desires... then we are in profound disagreement about healthy societal design, and aren't likely to agree on much of anything significant.

Now if you are arguing that much of the DIY market on these boards is filled with people not qualified to working on this type of equipment...
Are you arguing that most of these DIY friendly inverter products discussed on these boards either shouldn't exist, or end-users should be blocked from self-installing?

I agree with post title of end users demanding these features. I agree customers should demand much of what you mention, and more .. and not purchase until they've done their research and purchase only from companies that have a history of providing what features desired and doing the right thing. easy peasy .. problems solved REAL quickly. very little, to no, drama involved.
*IF* ALL/most end-users stopped buying products that lack (some of) the features you mention, the issues would be addressed VERY quickly.
The struggles of a company are their problem to work out.
They have, you (and I) don't like the answer... but their 'answer' IS a reasonable response to customer requests
there are companies that have done the work, and their products are significantly more expensive. If someone wants security, then buy it. it really is that simple...
And if/when they do, it should never be at the expense of their customers.
Oh hell no, it will ALWAYS be at the expense of the customer ... there is no free lunch / something for nothing [progressive pipe dream].. someone will have to pay for what you want, even though perfectly reasonable, it isn't cheap to maintain and support...
I don't like it. but most customers don't care about security until it is too late... and that thought /decision/purchase process is the customer's fault, no one else's
That's just bad leadership. It's bad people running the company.
Agree that it's a failure to show leadership, no doubt. but 'bad people ' .. nah ... that has all the appearance of an emotional over-reaction and misplacement of blame. And I agree the system security design issue is a problem... but I strongly disagree with simplistic thinking and scapegoating (I have no patience for echoes of long disproven Marxist theories and blaming of the bourgeoisie)
Capitalism in general works by providing customers what they want (and companies will try to help customers to want their products... I know) but more often it is 'bad' customers demanding companies to offer low-cost, feature rich half-baked solutions, 'right now' while being indifferent to security/quality, etc. Such customers are getting exactly what they are asking for .. with a rare few customers whining when they can't get cheap toys with expensive features like security and/or long lifecycle design.

I want quality, security, ethernet only, no WiFi (for obvious reasons) and product inter-operability... but we are early in the home smart energy product lifecycle, so to get what I want will mean I have to either wait or compromise, and accept the consequences of my choices. I certainly won't be buying from a non-accountable overseas company lacking a history of providing the quality and features desired (or local re-branding of same).
part of what you ask for would demand more sophisticated, system educated self-sufficient customers, or really expensive customer support infrastructure and staff (at significant expense). Think of all the users who have no idea what is on their local LAN, how electricity works, etc. Dealing with such means compromises are made to get past initial install hurdles... simple common sense, even if I don't like it. As for Disable remote access before shipment. sure, again easy, and no customer calls for install help... right?

I actually respect Enphase's approach of requiring end-users to achieve a certain level of education before being supported for self-install.
 