Exclusive Student Offer

Prime for Young Adults

Get a 6-month trial with premium college perks & fast delivery.

Start Free Trial
Listen Anywhere

Audible Standard Trial

Get 30 days of audiobooks free. Cancel anytime, keep your books.

Claim Free Books

Security Nightmare: Hoymiles Silencing Neighborhoods

The rise of decentralized energy production has inadvertently exposed significant flaws in the IT security of leading hardware manufacturers. A glaring example is the Chinese company Hoymiles, which claims to hold approximately 20% of the European market for microinverters. These devices are commonly utilized in balcony solar plants and smaller rooftop solar installations. Recently, security researcher Benedikt Heinz, also known as Hunz, in collaboration with the Chaos Computer Club (CCC), has revealed alarming security vulnerabilities in Hoymiles’ products.

Unveiling Vulnerabilities

The issue at hand lies in the unencrypted communication protocols of Hoymiles’ HM, HMS, and HMT series inverters. These devices communicate wirelessly over the 868 MHz and 2.4 GHz frequency bands. Previous assumptions held by hobbyists and open-source projects, such as OpenDTU and AhoyDTU, suggested that attacks would require knowledge of the device’s unique serial number. However, Hunz discovered an undocumented feature in the firmware that allows any nearby Hoymiles inverter to respond to a broadcast request, revealing its serial number in plain text.

Mass Localization and Remote Control

In practical tests, a modified handheld scanner allowed researchers to locate two dozen neighboring inverters and their unique identification numbers within just 20 minutes. Given that the wireless signals can extend several hundred meters, this type of attack hardware can easily be mounted on a drone to systematically scan entire residential areas.

Once an attacker obtains the serial numbers, they gain full remote control over the devices. Data packet integrity is only minimally protected with simple checksums, which can be easily recalculated if modified, meaning there is no legitimate authentication in place. An attacker can turn the inverters on or off at will and manipulate power limits. They can even inject malware through an unprotected wireless firmware update command, as demonstrated by Hunz through an experimental program that switched the inverter’s relays and LEDs continuously.

Ignorance from Authorities and CCC’s Warning

Hoymiles has shown little to no response during the disclosure process and has not provided any patches to mitigate these vulnerabilities. Regulatory authorities have similarly dismissed the situation, suggesting that potential sudden power losses could be managed by network operators. However, the CCC has warned of systemic risks associated with their findings, calling for more stringent measures during the expansion of the Internet of Things (IoT). IT security concerns should not just apply to large power plants, but equally to residential systems.

The hacker community calls for mandatory minimum security standards and a prohibition on feed-in devices in the EU that accept firmware updates via wireless methods without cryptographic authentication. Until effective patches are available, operators are left with provisional measures, including enabling theft protection passwords through the original software, significantly increasing query intervals in open-source tools, or physically disconnecting solar modules from the inverters.

The Broader Implications

As Hoymiles’ vulnerabilities come to light, the implications for energy security grow increasingly significant. Beyond individual device management, these faults expose entire neighborhoods to potential electronic interference or, worse, functional shutdowns of their renewable energy sources. With alternative energy sources becoming a staple in sustainable living, this situation underscores the urgent need for more robust security frameworks to protect both devices and the communities that depend on them.

Ultimately, this alarming security oversight in Hoymiles’ systems serves as a wake-up call for both manufacturers and regulators. Ensuring safety and integrity in the rapidly growing field of decentralized energy generation must become a top priority to prevent silencing entire neighborhoods and compromising energy security on a large scale.

Get Audible 30-Day Free Trial

As an Amazon Associate, we earn from qualifying purchases.