Ask HN: Solar inverter vulnerability, no interest from manufacturer, what to do?

3 points by pshirshov ↗ HN
I've found a vulnerability in the authentication protocol of a domestic solar inverter. Essentially it allows anyone having access to local network to change any parameters and disrupt the system operation, damage it or, possibly, even cause a fire. Considering that in most cases people use potentially insecure WPA2 networks it may be kind of an issue...

The manufacturer told me that they don't care.

At one hand it may be convenient for end users because the manufacturer refuses to provide them any administrative access to the devices.

At the other hand I kinda feel that it's not a good idea to let these devices to run as they are.

Any advice?

4 comments

[ 2.7 ms ] story [ 15.8 ms ] thread
If you can isolate it on its own private network, then put a proxy that enables authentication in front of it. That is unless this is one of the devices that talks to the cloud and you are controlling it from the cloud.
Well, I don't have issues with isolating it in my own network. A separate vlan plus some firewall rules seem to be a good mitigation.

I'm kinda concerned about other people though.

If the vulnerability is a safety issue, then you could report the issue to various organizations [1] or ask the folks at OSTI what labs would be concerned [2] or ask the UL lab [3] if that device is truly certified given the fire risk you mention. Those routes are likely very slow and would require a lot of patience and tolerance of bureaucracy and double-speak. The words "fire hazard" should get them to look into it.

If that doesn't go anywhere then the only thing that comes to mind would be all the youtubers that test/tear-down inverters and solar arrays. They don't typically cover network security of the devices but maybe they should. Some of them have a lot of followers. If you could get one of the more popular youtubers to test that hardware and also mention their security issues that might pressure the vendor into fixing it.

[1] - https://www.consumersafety.org/resources/report-unsafe-produ...

[2] - https://www.osti.gov/

[3] - https://www.ul.com/services/digital-applications/ul-certific...

Is there any national or regional cibersecurity-related institution you can share your findings with?

They could put some more pressure on the manufacturer, or at least responsibly inform the public.