
Protecting EG4 18kPV from Remote Attacks

jsharkey (New Member; joined Oct 29, 2024; 8 messages; Colorado, USA)
After a recent EG4 18kPV installation I was curious about how its cloud monitoring system was designed. To my surprise, there is no encryption whatsoever, and raw RS485 MODBUS commands are being sent directly across the public internet. 😲

This means a MITM attacker has trivial control over sensitive inverter parameters, such as battery thresholds and grid-interactive features. As just one example, the parameters used for IEEE 1547 interaction could be misconfigured as part of a larger effort to destabilize the grid. Finally, the entire inverter firmware appears to be updatable via this route, possibly opening up an even wider attack surface area beyond just the documented MODBUS parameters. 😲

There were recent rumors of solar inverters being attacked remotely (also discussed on this forum), but they appear to have been dispelled after investigators followed up:
Regardless, it remains prudent to reduce the external attack surface of these devices, as they are often connected to potent energy storage systems. One way to mitigate this would be to completely disconnect the inverter from the Internet, but that would mean having to roll our own local monitoring.

Instead, I used the raw plaintext protocol to my advantage and wrote some lightweight router firewall rules that allow a handful of vetted innocent requests through, while blocking all other mutation requests or otherwise undocumented features. This lets us leverage the existing EG4 cloud monitoring and inverter as-is with no extra hardware requirements, while also protecting our equipment. Here are the firewall rules, instructions, and background:
When attempting to modify inverter settings in the cloud or app I now get "Timeout" or "Unknown error" messages, and then it takes a few minutes for the RS485 tunnel to be reestablished and automatic statistics to begin flowing again. There's also a narrow allowance that allows remotely modifying the date/time to adjust for clock drift and applying DST changes.

Hopefully others find this useful as they consider how to best protect their equipment.
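The post above describes the filtering decision (let read requests through, drop every write except a narrow date/time window, drop anything undocumented) but the rules themselves are linked rather than shown. The following is an added example, not the OP's router rules and not EG4 code: it models that decision as the logic a small filtering proxy between the dongle and the cloud would apply to each client-to-inverter request. It assumes plain Modbus RTU framing (unit id, function code, data, CRC-16 low byte first); any extra TCP encapsulation the EG4 dongle uses is not modelled, and `CLOCK_REGISTERS` is a hypothetical stand-in for the inverter's date/time registers, not the real 18kPV register map. The sample frames are constructed, not captured traffic.

```python
"""Modbus request allowlist: the decision logic behind "let reads through, drop
writes except a clock window". Added example; not the OP's router rules.

Assumptions (not from the page):
  * standard Modbus RTU framing: unit id, function code, data, CRC-16 low byte
    first; the EG4 dongle's TCP encapsulation, if any, is not modelled here
  * CLOCK_REGISTERS is a stand-in for the inverter's date/time registers; the
    real 18kPV register map is not reproduced
"""
import struct

FC_READ_HOLDING = 0x03
FC_READ_INPUT = 0x04
FC_WRITE_SINGLE = 0x06
FC_WRITE_MULTIPLE = 0x10

CLOCK_REGISTERS = range(12, 15)  # hypothetical: registers 12..14 hold date/time


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, fc: int, payload: bytes) -> bytes:
    """Assemble an RTU request; used only to construct sample traffic below."""
    body = bytes([unit, fc]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


def classify(frame: bytes) -> str:
    """Verdict for one client-to-inverter request: 'allow' or 'drop-<reason>'.

    Default deny. Reads pass; writes pass only if every register they touch is
    inside CLOCK_REGISTERS; anything else (including vendor-specific function
    codes, which is where a firmware-update channel would live) is dropped.
    """
    if len(frame) < 4:
        return "drop-short"
    body, wire_crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != wire_crc:
        return "drop-crc"
    fc, data = body[1], body[2:]

    if fc in (FC_READ_HOLDING, FC_READ_INPUT):
        return "allow" if len(data) == 4 else "drop-malformed"

    if fc == FC_WRITE_SINGLE:
        if len(data) != 4:
            return "drop-malformed"
        addr = struct.unpack(">H", data[:2])[0]
        return "allow" if addr in CLOCK_REGISTERS else "drop-write"

    if fc == FC_WRITE_MULTIPLE:
        if len(data) < 5:
            return "drop-malformed"
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        # spec bounds: 1..123 registers and byte count = 2 * quantity; a
        # zero-length write would otherwise pass the all() check vacuously
        if not 1 <= qty <= 123 or nbytes != 2 * qty or len(data) != 5 + nbytes:
            return "drop-malformed"
        touched = range(addr, addr + qty)
        return "allow" if all(r in CLOCK_REGISTERS for r in touched) else "drop-write"

    return "drop-unknown"


def demo() -> dict:
    """Classify constructed sample frames (not captured traffic); returns verdicts."""
    samples = {
        "read_10_holding": build_frame(1, FC_READ_HOLDING, b"\x00\x00\x00\x0a"),
        "write_setpoint_reg16": build_frame(1, FC_WRITE_SINGLE, b"\x00\x10\x00\x01"),
        "write_clock_reg12": build_frame(1, FC_WRITE_SINGLE, b"\x00\x0c\x07\xe8"),
        "write_clock_block": build_frame(1, FC_WRITE_MULTIPLE, b"\x00\x0c\x00\x03\x06" + bytes(6)),
        "write_past_clock": build_frame(1, FC_WRITE_MULTIPLE, b"\x00\x0c\x00\x04\x08" + bytes(8)),
        "write_zero_regs": build_frame(1, FC_WRITE_MULTIPLE, b"\x00\x0c\x00\x00\x00"),
        "vendor_fc_0x41": build_frame(1, 0x41, b"\x00\x01"),
    }
    corrupt = bytearray(samples["read_10_holding"])
    corrupt[-1] ^= 0xFF  # flip a CRC byte
    samples["corrupt_crc"] = bytes(corrupt)
    return {name: classify(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Only the client-to-inverter direction is judged; responses flow back unchanged. Note that a write covering registers 12 through 15 is dropped even though three of the four registers are allowed, which is the conservative choice when the allowlist is narrow. A dropped write never reaches the inverter, so the cloud side sees exactly the "Timeout" behaviour the post describes.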
 
I wish I understood 1/2 of what you are saying. Is there a way to protect the inverters without knowing how to write code? I am not familiar with writing code but would like to be able to protect my investment if possible.
 
There's an option to go into the micro interface to encrypt. Use the inverter's IP address in a browser to access it.
 
Good post. I've had the same concerns and even posted about it, but didn't garner a lot of interest. You may want to also set outbound rules. If the firmware is already compromised it can establish an outbound connection.

A diagram would help as it's not clear how you connect the router to the wireless dongle.

I've considered bridging a connection across NICs on my Windows box and using the built-in firewall. I live in Linux, but Windows might be easier for most people.
 
Good recommendation. However, most users wouldn't know how to set rules.
I run https://opnsense.org/ (OPNS) on a converted Dell Precision in conjunction with TP-Link Omada APs (EAP670).

I'd easily recommend Omadas for anyone as they're easy to set up. Omada APs offer multiple SSIDs, and then you set rules in OPNS.

Example: Security cams, inverter, guests etc lowest level 1 that doesn't have access to higher levels, Kids and Wife L2, admin user L3 etc.

Seems like that should be on by default.
Agree, but it's WIDE open by default.
 
Are any of you smart folks willing to write a detailed step-by-step instruction manual? I have a Protectli Vault that the internet recommended to install OPNsense on for a firewall. I was going to follow the YouTube video on setting it up but never thought of how to incorporate the inverters.
 
One way to mitigate this would be to completely disconnect the inverter from the Internet, but that would mean having to roll our own local monitoring.
Solar Assistant makes this trivial, though I’ve got my own (Python) monitoring using Modbus to the Meter485 ports.

Still, very impressive, if I knew what I was doing I could probably transmogrify your instructions for my FireWalla box. 🤷‍♂️
 
If the stupid ethernet dongle wasn't $400 I'd have one of those. $400 for an ethernet card is obtuse, should be $50ish, you can buy a gigabit pci card for $20.

Trying to do packet filtering is going to get arcane rather quickly. Even with a cheapo Netgear/Linksys you should be able to assign an IP address for the dongle(s), then log in via web, turn off the AP function, and put a simple rule on your router to block traffic to the internet from that IP. I'd start there; you can forget packet filtering/mangling if you can't get that done.

Or just unplug the dongle and program it from the display, or just plug the dongle in when you want to make changes. I put dedicated leases (DHCP) in my Fortigate for the devices. I have a firewall rule that disables access outside my network, though I could isolate it on its own ESSID. I logged into the web interface for the dongles and turned off the AP function to prevent direct access from the Wi-Fi.
 
After a recent EG4 18kPV installation I was curious about how its cloud monitoring system was designed. To my surprise, there is no encryption whatsoever, and raw RS485 MODBUS commands are being sent directly across the public internet.
LOL, this isn’t a troll/didn’t take meds today? I guess you posted the receipts on GitHub.

I am also kind of shocked that 1741SB/1547 certification doesn’t include some basic security audit.

Wow.

@EG4TechSolutionsTeam why was this security design deemed acceptable?
 
One way to mitigate this would be to completely disconnect the inverter from the Internet, but that would mean having to roll our own local monitoring.

You can connect locally to the wifi with the app. You can configure a password for the local AP on the dongle.

 
Good post. I've had the same concerns and even posted about it, but didn't garner a lot of interest.
You didn’t make enough prepper red meat noise about EMP protection.

Because as we all know, that SHTF is much more likely than getting pwned by clear text control protocol going over the internet.
 
A very good reason and need for requiring something like UL 2900-2-3 for any electrical system components that connect to the public Internet. It is a question of when, not if, the millions of internet connected inverters and batteries are the next target; much like other IoT, but with the increased risk of interfering with power and not just spying on your cameras.
 
And now you know why all military contracts now make you sign a disclaimer that you are not using any (ANY) Chinese-made equipment that records, communicates, or plugs into the internet in any fashion. Just watched a command's CO and XO get fired for this here in Japan...
 
I like the idea of the ESPHome gateway. Makes it easy to use Home Assistant as the network gateway device, which is much simpler to secure than every "smart home" end device.
 
Could someone upload a faulty firmware that could cause the inverter to destroy itself? Changing the switching behavior to overheat and fry the fets?
I would imagine that you can program it to be 180º out of phase from the source, which will destroy it quite quickly; it is unlikely they have hardware protection devices to prevent this.
 
I would imagine that you can program it to be 180º out of phase from the source, which will destroy it quite quickly; it is unlikely they have hardware protection devices to prevent this.
Pretty sure they do not. I got two Magnums out of sync with each other when paralleling them. Fortunately the Magnum(s) were flashing a warning light, and as the transformers and MOSFETs started to heat up I was able to open the breakers and prevent any damage. This whole scenario from start to finish was about 15 seconds from flipping them on to seeing the warning and opening the breakers.

That was a simple error in the config settings. I would bet that the AIOs are the same in that regard, so simply purposely slipping the frequency without allowing the unit to shut down would do it.
 
I'm planning to pull my Wi-Fi dongles from all my units when the time comes.

Could someone upload a faulty firmware that could cause the inverter to destroy itself? Changing the switching behavior to overheat and fry the fets?
There’s a tradeoff here between functionality (remote access, EG4/SS tech support, remote firmware upgrades, data logging) and the danger of someone mucking about with your system, or worst case everyone’s system.

One potential mitigating factor is that EG4 has AWS servers in the US so it’s possible SS is firewalled from any Chinese govt malfeasance.

Note that it’s possible for firmware to start acting wonky (that’s a technical term) after a certain amount of time which will cause you to reconnect to the servers for tech support and firmware updates, which essentially breaches your firewall. Not saying they are doing this, just that they could, and some of the worst malware is from nation-state actors. All kinds of stuff is possible, including using this foothold in your network to poke around and infect other computers on your LAN.

On the other tentacle, the keys to your castle are your inverter serial number, with that anyone can do anything. I had an SS tech poking at my system, making changes, doing stuff, and my inverter wasn’t doing what he expected. Then he read back the wrong serial number and we both realized he was poking at someone else’s inverter!

Personally I’m going to trust EG4/SS for now, but block Internet access once I get everything stable. Then I can use Solar Assistant (note: same problems as above) in local mode and my own monitoring code (completely different problems 🤪).

Who to trust? No-one knows.
 