Ask HN: Solar inverter vulnerability, no interest from manufacturer, what to do?
I've found a vulnerability in the authentication protocol of a domestic solar inverter. Essentially it allows anyone having access to local network to change any parameters and disrupt the system operation, damage it or, possibly, even cause a fire. Considering that in most cases people use potentially insecure WPA2 networks it may be kind of an issue...
The manufacturer told me that they don't care.
At one hand it may be convenient for end users because the manufacturer refuses to provide them any administrative access to the devices.
At the other hand I kinda feel that it's not a good idea to let these devices to run as they are.
Any advice?
4 comments
[ 2.7 ms ] story [ 15.8 ms ] threadI'm kinda concerned about other people though.
If that doesn't go anywhere then the only thing that comes to mind would be all the youtubers that test/tear-down inverters and solar arrays. They don't typically cover network security of the devices but maybe they should. Some of them have a lot of followers. If you could get one of the more popular youtubers to test that hardware and also mention their security issues that might pressure the vendor into fixing it.
[1] - https://www.consumersafety.org/resources/report-unsafe-produ...
[2] - https://www.osti.gov/
[3] - https://www.ul.com/services/digital-applications/ul-certific...
They could put some more pressure on the manufacturer, or at least responsibly inform the public.