Securing Goodwe inverter

Securing Goodwe inverter

If you don't you'll get unwanted guests on your Wifi

·

2 min read

Last year we got 15 of PV’s/solar-panels installed, accompanied with a Goodwe inverter. The inverter has a USB-Wifi stick to get a connection to Goodwe and upload data so I can monitor the amount of power we produce with an app.

No need for scanning vulnerabilities and no brute-forcing.
Just log on and you’re home network is exposed!

Besides my data being uploaded to some Chinese server, which I really don’t like, I also noticed the default WIFI-settings are very weak and can be guessed without any need for password-lists.

By default the inverter stays in AP mode visible as “Solar-Wifi”, even when connected to your home network, with password “12345678”.

via GIPHY

After getting the connection all you need to do is find out which gateway you get assigned from DHCP, browse to that address (probably http://10.10.100.253 ), enter “admin/admin” as username & password and you’re in.

via GIPHY

Shockingly the interface shows the password of the home network in clear text, so connecting and penetrating the connected network is very very easy.

Untitled-2-1024x860.jpg

Yes, my home network Wifi AP is called “homeland-security” :p

Several of our neighbors have the same inverter, all of them have their wifi exposed and none of them have taken action to secure the inverter (up until now ;-)

Unfortunately you can’t disable the wifi-AP on the inverter itself, and you can’t change the admin-password to access the web-interface. You can however change the default wifi-password of the inverter which I strongly recommend.

Sidenote; the inverter software seems to think it’s not connected to a wifi-AP and reports having no connection, while it is connected and can be reached from the home network. This is probably a bug and might be responsible for keeping it’s own AP active and visible.

I’ve “reverse engineered” the latest Goodwe-API to allow syncing of power-data from Goodwe to pvoutput.org. It’s still “beta” but you can download and install the script from Github. Fortunately Goodwe dropped the old API which had no authentication at all and was easy to query for other users’ power-data (and location).

For my my next Goodwe-project I’ll be working on getting rid of the Goodwe-backends. I’ve already seen the values posted by the inverter by using an ARP-spoof, the data is transmitted unencrypted and with a simple HTTP-post, so creating a simple service in Node should not be very complex.