Protecting EG4 18kPV from Remote Attacks

Equifax was the worst. All data needed to take out a loan was leaked on every American that was old enough to have a credit file.
 
Name me any company that has not leaked data in the past 10 years. T-Mobile and Adobe don't count LOL
Exactly.

If you think there aren't databases out there with your info in them, you're kidding yourself. A lot of companies don't even know they've been breached (or don't disclose it) for months after the event.

Best you can do is mitigate and make the choice of whether or not you want the tradeoff between convenience/features or security/isolation.

Most, if not all cloud providers, operate on the 'shared responsibility model' meaning they take care of security up to a point. After that, your servers/applications/etc. are your responsibility. Cloud is definitely someone else's computer, but security issues rarely arise only because something is running in the cloud.
 
Your point is pointless.
That's your opinion. My point is, if security were that big of a concern EG4 should have mitigated the flaws from the OEM with additional security / encryption. It's my opinion they found it much easier to focus on profit margins.
The simple solution is don't use their web site. Not hard as there are other solutions. No cloud based service is secure.
Agreed 100%, I didn't even order the WiFi dongles with my 2nd set of AIOs. A background in computer networking and forensics really opened my eyes to dangers in the digital world we live in.
 
Well I doubt EG4 even has the source code. Someone recently said to the effect that web page design is from a third party company not even from Lux Power. I don't know if that's actually true though. But it could be. The EG4 website is hosted by AWS so any saleable content is harvested for sale. That alone keeps me from using cloud services.
 
Amazon does not harvest customer data from AWS instances. Unless they want to totally tank AWS sales LOL.
 
Ah ok, you think they’re also skimming from AWS Cloud for Federal and selling the data to Putin via Elon / using it to gain advantage in Blue Origins bids? 😈
 
This is exactly the reason I won't put my Insight Facility on the Internet. Schneider can't be bothered to upgrade the firmware more than every few years... there have to be known vulnerabilities in those libraries.

It's only a matter of time before solar equipment above a certain wattage becomes a regulated market. One forced misconfiguration that causes grid problems or a house fire and the state PUCs (power utility commissions) will force the manufacturers to apply things like ISO27001, NIST-800 and similar. California will probably lead the way. If the PUCs don't do it then the insurance companies and UL-type folks will.

IDK about anyone else, but I'm not installing any equipment in my house if my insurance company would drop me for it.

SCADA networks aren't great as it is and those are public grid. I got BS'd by a Kinder Morgan rep about it at a town meeting one day. The guy hadn't a clue... total talking head.

Cyber-physical effects are the most targeted by professional cyber criminals (nation state or otherwise) b/c they are often the most impactful.

My $0.02 is keep your critical systems far away from the internet (air-gapped).

If you really want to bridge to the internet and can do one-way RS485, don't wire the RX lines. TX out from your solar kit only to the gateway. It's really hard for a remote hacker to control something when there's no physical way for the commands to get back to your device.
 
IDK about anyone else, but I'm not installing any equipment in my house if my insurance company would drop me for it.
I think if we get to this point, the possibility that you COULD install a dongle that provides remote access to some outdated equipment that hasn’t been patched might already cause you to be dropped.

My thinking is that the insurance company has a much easier time being super risk averse, than to figure out a process for auditing the infosec config on individual houses.

For IT audits you have to negotiate and justify such things; it's a lot of process. Fine in an adult B2B or govt setting; residential is inherently lowest bidder / lowest effort amateur hour.
 
Having both an EG4 18k PV and full Victron system I can say Victron makes security one of the features of its ecosystem. It's not something you readily see when comparing systems.
 
My comment comes after my EG4 18k PV somehow had its settings reset a few days ago that turned it into standby mode turning off AC power modifying other settings. It makes me extremely concerned when you hear that Signature Solar/EG4 simply asks for your serial number and can go in and make changes (if you are connected to their system). For Victron you have to create an account for their support on your system, turn on remote access, and provide correct permissions for that user. You can then easily remove that user if you wish or degrade their permission levels.
 
Prescience:
  • Someone pretexts to be from SS / EG4 to get access to a system
  • Disgruntled SS, EG4, or LuxPower employee bricks a couple customer inverters for banter, because no internal controls. Most likely, if said LuxPower disgruntled employee is still half-rational b/c PRC isn't going to extradite someone to the US over that. Someone in Texas is probably going to get turned into an example by the Feds.
  • Serial numbers don't have enough entropy, and well-meaning EG4 support employee accidentally bricks the wrong customer box.
    (I don't know how much entropy they have, it might be fine. I'm meming here)
 
Simpler than that. They skim anything of value and sell to anyone who pays.
Amazon the marketplace, definitely.

But if you think they have access to or sell cloud customer's data, you're wrong. 100%. If it ever came out they were (and it would), it wouldn't matter how many billions they have in the bank, it'd all be gone. Every customer gone as soon as they could move, they'd be sued into the ground. They undergo significant quarterly audits from third parties and make the documents and findings available to every customer.

I've been on support calls with them; there's a line where I as a customer have to give them log data, etc. because they do not have access to it. Everything is encrypted. If something even needs to be rebooted, I the customer need to initiate it. They can't. Each customer has their own encryption keys.

Oh and to @Daddy Tanuki's point - I've worked with NFCU in the past. They are crazy serious about data security, and were a customer of the company I worked for at the time when we moved some stuff to AWS. They were fine with AWS after getting their regular audit reports and disclosures. We, on the other hand, had to answer a *lot* of questions and provide information about our security policies, etc. I'm quite certain if we hadn't, they wouldn't have been a customer anymore.
 
And this problem completely eliminates EG4 and Lux Power from my list of viable options. And I'll be scrutinizing any other brand now too. Good grief. Why do we still have companies dropping the ball this badly with cyber security in 2024?!?

Thank you, OP, for bringing this up. It's a shame that a company would even consider connecting anything to the internet without at least SSL/TLS and a user-changeable admin password. Blatant negligence. SSL certificates can be had FOR FREE these days from the likes of Let's Encrypt. And not only is it free, but it's designed to be set up for automation, making the certificate renewal happen behind the scenes and without any intervention from the user.

This is either blatant incompetence or total disregard for the safety of their customers. I am utterly disgusted by this.
 
it wouldn't matter how many billions they have in the bank, it'd all be gone.
I stopped myself from saying something about how AWS must have the best snipers or counter-bribes to prevent whistleblowers (they would most likely qualify for the federal bounty program) from spilling the beans on this large scale theft of data stored in AWS customer instances and cloud storage

Now, if we were living in a cyberpunk world, then sure one megacorp would be stealing data and Monetizing activity streams all the time from the other megacorps. In our world, only the peons get this treatment, while the megacorps get mutual respect
 

My general approach in areas like this has been to accept risks that I can effectively mitigate. This lets me have the best of both worlds: I get extremely good value for money on equipment with a little extra work to roll my own security.

For example, I run plenty of PoE 5MP ONVIF cameras that were ~$25 new (extremely good value), but of course they're running the sketchiest firmware imaginable. I mitigate this risk by placing them on an isolated VLAN (no Internet access) and use Frigate as an NVR.

Using more expensive equipment isn't a guarantee of any better security.

There's a very famous paper by Ken Thompson (the Father of Unix and C) whose overall conclusion is "The moral is obvious. You can't trust code that you did not totally create yourself."

Extended to this forum, if we didn't solder every single PCB connection--scratch that--if we didn't brew our own capacitor electrolyte from scratch, then can we trust our inverters at all?

We each have to decide where we're willing to live on the spectrum of risk.
 
Google employees have to follow a process for reporting vulnerabilities. Not sure that happened here. Perhaps we don't think it's responsible to report these kinds of things to the company impacted before yelling fire in a theater.
 
As an infosec nerd for a few years, the adage is "All security decisions are business decisions."

Boss- are you sure you don't want to pay for encryption, or pay for reworking your shitty-assed app to make it secure/compliant?
That sounds expensive - just approve it and ship it.

No problem boss, just send me that in an email and cc Legal.
 
If you really want to bridge to the internet and can do one-way RS485, don't wire the RX lines. TX out from your solar kit only to the gateway.
Not aware of any RS485 kit that just broadcasts data continuously. Everything I’ve seen is Modbus, and that’s 2-way, the dongle requests registers and the inverter responds. You need DPI as per the OP to send status without accepting commands.
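To make the "status out, no commands in" point concrete, here is an added example (not from this thread, EG4, or any vendor's code): a small Modbus RTU inspector that checks the frame CRC and passes only read function codes, so a gateway can keep polling status registers while any write request is dropped. The register addresses and the "standby" write are constructed for illustration; the read/write function code split and the CRC are from the Modbus RTU spec.

```python
# Constructed example: a Modbus RTU "read-only" filter, the kind of deep packet
# inspection needed to let a gateway poll inverter status while refusing any
# frame that writes settings. Register addresses below are hypothetical.

READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}          # coil / register reads only
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x17}   # writes and read/write combos


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS (poly 0xA001 reflected, init 0xFFFF), as appended to every RTU frame."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Unit id + function code + payload, then CRC low byte first (RTU wire order)."""
    body = bytes([unit, function]) + payload
    return body + modbus_crc16(body).to_bytes(2, "little")


def inspect_request(frame: bytes) -> str:
    """Return 'allow' for a well-formed read request, otherwise the reason it is dropped."""
    if len(frame) < 4:
        return "drop: short frame"
    body, crc = frame[:-2], int.from_bytes(frame[-2:], "little")
    if modbus_crc16(body) != crc:
        return "drop: bad crc"
    function = body[1]
    if function & 0x80:
        return "drop: exception response on request path"
    if function in READ_FUNCTIONS:
        return "allow"
    if function in WRITE_FUNCTIONS:
        return f"drop: write function 0x{function:02X}"
    return f"drop: unknown function 0x{function:02X}"


# Constructed sample traffic: a status poll (read 16 holding registers from 0),
# a write of value 1 to a hypothetical "standby" register, and a corrupted poll.
poll_status = build_frame(1, 0x03, (0).to_bytes(2, "big") + (16).to_bytes(2, "big"))
set_standby = build_frame(1, 0x06, (0x15).to_bytes(2, "big") + (1).to_bytes(2, "big"))
tampered = poll_status[:-1] + bytes([poll_status[-1] ^ 0xFF])

if __name__ == "__main__":
    for name, f in [("poll", poll_status), ("write", set_standby), ("tampered", tampered)]:
        print(f"{name}: {f.hex()} -> {inspect_request(f)}")
```

On a real link the filter would sit in the gateway between the dongle and the inverter and forward only frames that return "allow"; responses from the inverter flow the other way untouched.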
 
And this problem completely eliminates EG4 and Lux Power from my list of viable options. And I'll be scrutinizing any other brand now too
Even your electrical supply company could leak your data so you're kind of cutting off your nose to spite your face there. Buy your inverters, set them up, grab any firmware updates you need and then remove the dongle, problem solved.
 