top of page
Writer's pictureKeith Gough

This has always worry me




The state-run Dutch Radiocommunications Agency has launched an investigation into whether PV inverters pose a threat to the cybersecurity of the electricity system in the Netherlands, according to Dutch Minister for Climate and Energy Rob Jetten.

In a document published on the Dutch parliament's website, Jetten said that Internet of Things devices such as PV inverters can pose a risk to the electricity grid.

“To mitigate the risks of these devices, we focus on prevention, awareness, and additional legislation that makes products more resilient to digital attacks,” he said. “The Radiocommunications Agency will enter into discussions with the relevant manufacturers on how to improve cybersecurity.”

A Dutch hacker known as “Jelle Ursem” recently gained access to PV systems operated via a monitoring tool developed by Chinese manufacturer Solarman, according to Tweakers, a Dutch media outlet.


1,259 views13 comments

Recent Posts

See All

13 Comments


Unknown member
Oct 17, 2022

For this very reason, I placed an rs232 logger between the sunsynk inverter and the dongle to see what traffic is being sent to the inverter. My intention is eventually to replace the logger with an Arduino which will reject any request which is not 'normal'. The problem I have is knowing the correct pinout and the voltages that sunsynk is using. Also the modbus registers being used and the pins which provide power to the dongle. Providing this information would allow us to be in control of our own inverters and reduce the risk of remote control. It would also allow the dongle to be kept in place for firmware updates. which would be allowed through if customers…

Like

Moffat
Sep 26, 2022

Location of servers, or experience of who runs it, is immaterial as with time, the younger generation of hackers will undoubtably become more prolific than us turds. So this then comes to my suggestion of having the ability to localise input to the inverter, ie, it’s a closed loop, by default and anyone wish to have remote access can be limited, even by Bluetooth, which in itself is also susceptible but at least this means anyone hacking truly will anyway. So can I just remove all online options & simple have my installer come on site or I put in the connection, only when I desire. This would mean having an onboard data logger which can be accessed physically, but…

Like

gary
Sep 19, 2022

If Gary Mckinnon can hack the CIA with a 56k modem then anything is possible !

Like

Yellow Tapemeasure
Yellow Tapemeasure
Sep 12, 2022

Keith, I am glad that you find it concerning. The paper authored by @SchizoDuckie is here, along with his recommendations, the high -level ones are:


Recommendations for avoiding leaks on GitHub include:
Forcing password changes periodically;
Using 2FA or MFA for email accounts;
Prohibiting the use of public repositories by your developers and requiring the use of private repositories; and
Prohibiting the use of hardcoded login credentials in repositories.

I would like to know:

  • Is GitHub used by Sunsynk developers? If so, is it private of public Github repos?

  • How often are credentials changed?

  • Does Sunsynk prohibit the use of hard-coded login creds embedded in code?


Like

Keith Gough
Keith Gough
Sep 11, 2022

Sunsynk is hosted on a European server

Like
bottom of page