Solar bots
September 25, 2017 1:42 PM   Subscribe

Yay, we're getting solar! I have a question about the wifi enabled monitoring system.

We're getting solar from SunPower. It will come with a wifi enabled home monitoring system. Link to some info about it here. I keep hearing about weaponized bots using home wifi enabled devices. I am middle aged and my brain turns to mush when technology is explained to me: should I be worried about this home wifi enable device? (For that matter, should I be worried about my Roku or Sonos speaker?)

I know I sound like a dunce but that's cuz I am!
posted by latkes to Technology (8 answers total)
I wouldn't worry too much about this. The installed base of these devices is going to be pretty small, so it's unlikely that it will be a target for attack right now. When you're talking about cheap off-brand wifi security cameras, meant to be sold by the tens of thousands, that's where you need to worry a bit more. Even so, I'd recommend talking to the installer and/or SunPower directly and relaying your concerns.

Hopefully they can tell you a little bit about the security of the system, how their software updates work, and if nothing else, give them a data point that a customer is interested and concerned about security. Every customer asking these questions is good for the industry as a whole--if enough people demand adequate security, the vendors will have to step up their game!
posted by tybstar at 2:09 PM on September 25, 2017

What you linked to wasn't really about the "wifi enabled home monitoring system", rather about getting the solar system monitoring to work through the internet, which according to that sheet is all wired, not wireless. The only mention of wireless in that link is if you happen to be doing the testing steps with a tablet or laptop or something. (They have to cover those bases in their troubleshooting procedure, because 90% of the time, the problem is the customer has a problem with their computer, not the new equipment.)

Do you have information about the "wifi enabled home monitoring system"?

I wouldn't dismiss the security concerns just yet, until we see what it is.

My solar system had a wifi option, and I refused to use it. I ran an Ethernet cable to the box.
posted by intermod at 2:15 PM on September 25, 2017

Response by poster: I know, I can't find a link about their actual device! This was the only thing I could find, but the salesman told me it's wifi enabled. I can't find any specifics about the device online unfortunately. I would be down to run an ethernet cable!
posted by latkes at 2:28 PM on September 25, 2017

For what it's worth, it's not the method of connection to your home network (wired versus wireless) that is the problem--infected/compromised IoT devices will be able make their mischief whether wired or wireless. So I wouldn't consider a hard-wired device any more safer or secure than a wireless device.
posted by tybstar at 2:37 PM on September 25, 2017 [2 favorites]

The systems I am familiar with are for monitoring the performance of the solar system (panels and inverters) not for monitoring the security of the house. Those systems just report, they don't control anything. That would make a big difference in the risk profile.
posted by metahawk at 3:33 PM on September 25, 2017

We have an enphase envoy c. All it does is receive signals from the solar panels to report to a website how much energy its generated, which you can view. Unplugged, the solar panels continue to do their thing, unaffected.
posted by Karaage at 4:46 PM on September 25, 2017

Best answer: I work for a company that supplies the controller boards for many solar distributed fleets. They tend to be Raspberry Pi or ESP8266-based. They almost all to a fault only send production and operational data home, with no remote control possible.
posted by scruss at 6:35 PM on September 25, 2017 [1 favorite]

Best answer: I've monitored our Enphase Envoy and it does appear to only be making outbound connections. The default login credentials do not get me access to the "Administration" page on it's local webserver.

The problem with the home security cameras most often talked about is they'll us upnp to try to setup inbound connections - so you can see your security camera while you're away from the house. If there's a way for you to initiate a connection back into your house, that same port can be used for random scanning software to talk to the security camera. And if the login/password is the default, and there's any security problems which allow additional tools or firmware flashing that's there the problem is.

The only way that the solar reporting systems could be problematic would be if the remote systems that they report to are compromised, and the existing firmware has a way for the (now compromised) reporting system to signal that it should update the firmware with a newly compromised system which could add new functionality. I'm not sure if the second part of that is something that's in the existing code; that might be worth asking your manufacturer (I.E. is there anyway for their servers to trigger/push a firmware update, or if it must be initiated from the local webhost (only reachable within your home network)).

I don't really worry about my solar monitoring box; just shy of 30MWh of production.
posted by nobeagle at 7:10 AM on September 26, 2017 [1 favorite]

« Older How to get started with SBIRs?   |   Coolest building to explore in Chicago? Newer »
This thread is closed to new comments.