# Securing Goodwe inverter

Last year we got 15 of PV’s/solar-panels installed, accompanied with a Goodwe inverter. The inverter has a USB-Wifi stick to get a connection to Goodwe and upload data so I can monitor the amount of power we produce with an app. 
>     No need for scanning vulnerabilities and no brute-forcing.
    Just log on and you’re home network is exposed!

Besides my data being uploaded to some Chinese server, which I really don’t like, I also noticed the default WIFI-settings are very weak and can be guessed without any need for password-lists. 

By default the inverter stays in AP mode visible as “Solar-Wifi”, even when connected to your home network, with password “12345678”. 

<iframe src="https://giphy.com/embed/l0HlJdvh9AEfwDAiI" width="480" height="270" frameBorder="0" class="giphy-embed" allowFullScreen></iframe><p><a href="https://giphy.com/gifs/southparkgifs-l0HlJdvh9AEfwDAiI">via GIPHY</a></p>

After getting the connection all you need to do is find out which gateway you get assigned from DHCP, browse to that address (probably http://10.10.100.253 ), enter “admin/admin” as username & password and you’re in.

<iframe src="https://giphy.com/embed/YQitE4YNQNahy" width="480" height="270" frameBorder="0" class="giphy-embed" allowFullScreen></iframe><p><a href="https://giphy.com/gifs/YQitE4YNQNahy">via GIPHY</a></p>

Shockingly the interface shows the password of the home network in clear text, so connecting and penetrating the connected network is very very easy.


![Untitled-2-1024x860.jpg](https://cdn.hashnode.com/res/hashnode/image/upload/v1652978358848/mtmTd94Tr.jpg align="left")

Yes, my home network Wifi AP is called “*homeland-security*” :p

Several of our neighbors have the same inverter, all of them have their wifi exposed and none of them have taken action to secure the inverter (up until now ;-)

Unfortunately you can’t disable the wifi-AP on the inverter itself, and you can’t change the admin-password to access the web-interface. You can however change the default wifi-password of the inverter which I strongly recommend.

Sidenote; the inverter software seems to think it’s not connected to a wifi-AP and reports having no connection, while it is connected and can be reached from the home network. This is probably a bug and might be responsible for keeping it’s own AP active and visible.

I’ve “reverse engineered” the latest Goodwe-API to allow syncing of power-data from Goodwe to pvoutput.org. It’s still “beta” but you can download and install the script from [Github](https://github.com/buttonfreak/goodwe-api). Fortunately Goodwe dropped the old API which had no authentication at all and was easy to query for other users’ power-data (and location).

For my my next Goodwe-project I’ll be working on getting rid of the Goodwe-backends. I’ve already seen the values posted by the inverter by using an ARP-spoof, the data is transmitted unencrypted and with a simple HTTP-post, so creating a simple service in Node should not be very complex.