SolarQuotes readers may not be familiar with America’s Cybersecurity and Infrastructure Security Agency (CISA), so let me introduce you: CISA is the operational lead for US civilian cybersecurity, and it collaborates with other organisations such as the National Security Agency, the FBI, and overseas cyber security agencies.
One of its roles is to publish advisories alerting industry and users to security issues in critical infrastructure systems, and this week CISA published two warnings relevant to Enphase products: the Envoy communication gateway, and the Installer Toolkit Android app.
As Enphase puts it,
“the Enphase Envoy is a communications gateway that collects information about how your system is performing and transmits that information over the Internet to MyEnlighten.”
The problem for customers and the industry is that one version of the Envoy firmware, D7.0.88, has a security bug that could let an attacker take control of the gateway. As CISA puts it:
“Successful exploitation of this vulnerability could allow an attacker to gain root access to the affected product.”
“Root access” is the key phrase here: it means an attacker can run any command on the Envoy as its most privileged user. That is full control of the device’s software, and, because the Envoy sits on the customer’s home network, a foothold on that network as well.
So far, CISA says, Enphase hasn’t responded to its requests to coordinate on the issue.
Until the company patches the software, CISA recommends that the device be cut off from the Internet – which, for an Envoy, means it can no longer send data to MyEnlighten. In practice, the least disruptive way to follow that advice is to make sure nothing on the Internet can reach the Envoy (no port forwarding or remote-access rules pointing at it on the home router) and to put it on its own network segment, such as a separate Wi-Fi network, away from household PCs and phones.
Installer Toolkit
The Installer Toolkit is an Android app that gathers site and system data when installers are configuring a new customer. Enphase describes it as a prerequisite for Ensemble installations.
CISA’s advisory said a security researcher identified only by the pseudonym “OBSWCY3F” found that versions prior to 3.27.0 contain “hardcoded credentials” – in other words, a user name and password are written into the app’s code, so anyone who pulls the app apart can read them and use them.
The risk, CISA said, is information disclosure: data the app holds or can reach could become available to a successful attacker.
As well as not exposing the app to the Internet – a tough call for a phone app! – CISA says users should get in touch with Enphase for support. Since the advisory names versions prior to 3.27.0 as affected, updating the app to 3.27.0 or later is the obvious first step.
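As an added illustration of what “hardcoded credentials” look like in practice (this is example code written for this article, not Enphase’s code and not anything from the CISA advisory), here is the kind of check a reviewer runs over an unpacked Android app. It assumes the APK has already been unpacked or decompiled into text files with a tool such as apktool or jadx; the small file tree below is constructed for the example, and every path, name, URL and value in it is made up.

```python
"""
Scanner for hard-coded credentials in unpacked Android app sources.

Added example, not Enphase's code and not from the CISA advisory. It assumes
an APK that has already been unpacked/decompiled into a tree of text files;
a constructed tree is embedded inline so the script runs offline.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: key names that usually denote a secret (matched case-insensitively).
SECRET_KEY = r"(?:pass(?:word|wd)?|secret|api[_-]?key|token|private[_-]?key)"

# Each pattern captures the suspect value in group 1. These are heuristics,
# tuned for Java/Kotlin sources, res/values/strings.xml and .properties files.
PATTERNS = [
    # Java/Kotlin: String password = "hunter2";   val apiKey = "abc"
    ("source literal", re.compile(
        rf"\b\w*{SECRET_KEY}\w*\s*[:=]\s*\"([^\"]{{4,}})\"", re.I)),
    # strings.xml: <string name="installer_password">hunter2</string>
    ("resource string", re.compile(
        rf"<string\s+name=\"[^\"]*{SECRET_KEY}[^\"]*\">([^<]{{4,}})</string>", re.I)),
    # .properties / .ini: service_password=hunter2
    ("properties entry", re.compile(
        rf"^\s*\w*{SECRET_KEY}\w*\s*=\s*(\S{{4,}})\s*$", re.I | re.M)),
    # URL with embedded user:pass@host
    ("url credential", re.compile(
        r"https?://([^/\s:@\"']+:[^/\s@\"']+)@[^\s\"']+", re.I)),
    # Literal HTTP Basic token; decoded below so the report shows user:pass
    ("basic auth header", re.compile(r"Basic\s+([A-Za-z0-9+/]{8,}={0,2})")),
]

# Values that mean "filled in at build/run time" rather than a baked-in secret.
PLACEHOLDER = re.compile(
    r"^(?:\$\{.*\}|%s|<[^>]+>|TODO|CHANGE_?ME|REPLACE_?ME|x+|\*+)$", re.I)


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str


def _decode_basic(token: str) -> str:
    """Return user:pass for a Basic token if it decodes cleanly, else the token."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return token
    return raw if ":" in raw else token


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-looking literal in one file, in line order."""
    findings = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            value = m.group(1)
            if PLACEHOLDER.match(value):
                continue  # build-time placeholder, not a real secret
            if kind == "basic auth header":
                value = _decode_basic(value)
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, line, kind, value))
    findings.sort(key=lambda f: f.line)
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of relative path -> file contents (paths sorted)."""
    out: List[Finding] = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


# Constructed sample tree standing in for an unpacked APK. All values are fake;
# the Basic token is base64("installer:hunter2").
SAMPLE_TREE = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        '    <string name="app_name">Installer Toolkit Demo</string>\n'
        '    <string name="support_password">Tr0ub4dor&amp;3</string>\n'
        "</resources>\n"
    ),
    "sources/com/example/net/ApiClient.java": (
        "package com.example.net;\n"
        "public class ApiClient {\n"
        '    static final String BASE = "https://svc:s3cret@api.example.invalid/v1";\n'
        '    static final String API_KEY = "AKIAEXAMPLE1234567890";\n'
        '    static final String PLACEHOLDER_TOKEN = "${TOKEN}";\n'
        '    static final String AUTH = "Basic aW5zdGFsbGVyOmh1bnRlcjI=";\n'
        "}\n"
    ),
    "assets/config.properties": (
        "endpoint=https://api.example.invalid\n"
        "service_password=hunter2\n"
        "debug_token=CHANGEME\n"
    ),
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.line}: {f.kind}: {f.value}")
```

Run against the sample tree it reports five findings (a properties entry, a resource string, a URL with embedded credentials, a string literal assigned to a key-like name, and a decoded Basic token) and skips the two placeholder values. On a real unpacked app the same scan is a starting point, not a verdict: anything it flags still needs to be tried against the service it belongs to before it counts as a working credential.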
Infosec is Important
It’s more than two years since we first remarked that the solar industry needs to take cyber security seriously.
In Australia, security regulation is looming.
To date, laws like the Security of Critical Infrastructure Act haven’t been applied to home solar PV installations, but there is, at the very least, the possibility of SoCI regulation in the future.
Meanwhile, the government is consulting on cyber security regulation, a consultation that could bring new Commonwealth cyber security legislation.
Which makes this a good time for the industry to work out how to deal with cyber security in products and services.
This is sadly not a surprise to me (25 years in software development). When I got my Enphase installed, I was really, really disappointed with the way they have structured their software stack. If I want to change my wifi password, I am supposed to hand over my password to my installer?! When an installer has an issue on site, they can call Enphase and someone can remotely connect to my Envoy to diagnose the problem. This is what’s called a reverse tunnel and it gives them unfettered access to my home network unless I go out of my way to put the Envoy on its own wifi network. It is actually a HUGE legal liability for them, in my opinion. If they get hacked, a significant chunk of the power grid of many countries becomes accessible to hackers, as does the home wifi of the Enphase Envoy owners.
On the flip side, (unfortunately?) the hardware is still pretty great! Only the software is sadly something that would not pass a security audit at any self-respecting IT firm. The code to log into the Envoy is based on its serial number and an android app exists to work this out. The “encryption” looks hand-written, which is something professional software engineers are taught never to do because it’s easy to screw it up — as they did here.
Then we get to the local API, or should I say lack thereof. There are a bunch of http endpoints you can query to get bits of data from the Envoy and micros (homeassistant uses these, iiuc) but Enphase have, as far as I can tell, never really wanted people to use them. They seem stuck in an outdated modality where they control and keep access to everything.
Knowing what I know now, I would not have bought into this system if I had my time again.
Is this a fault for Apple or Android or both?
My Envoy version is possibly exposed and Enphase says that if I am “worried”, I should get my installer to upgrade my version to one that is not vulnerable. That told me that upgrades do not work like phones, and upgrades might occur when you ask – not ideal. In this day and age, cyber security should be a concern for all of us. To learn about this vulnerability via Solarquotes (thank you) and not Enphase or my installer is a concern.
I have now been upgraded by my installer, from d5.0.55 to d7.6.175, which should mean that vulnerability has been dealt with.
However, this was not an automatic process – I had to request it. Something to watch out for.