46 solar inverter flaws from leading manufacturers could be exploited by hackers

When Linda Thompson installed solar panels on her Toronto home, she was eager to reduce her carbon footprint and lower her electricity bills.

Like many Canadians investing in renewable energy, she believed the benefits far outweighed any potential risks. But a recent discovery of critical flaws in solar inverters has left homeowners like Thompson questioning the security of their energy systems.

Researchers from Forescout Vedere Labs have identified 46 security vulnerabilities in solar power systems manufactured by Sungrow, Growatt, and SMA—three of the world’s top six solar inverter manufacturers. These devices, essential for converting solar energy into electricity, are now under scrutiny for their potential to be hijacked and manipulated remotely.

Flaws Impact on the Grid

The sun sets behind Hydro wires in the Hamilton, Ont., steel mills area in a file photo from Nov. 23, 2018 (JournalPioneer).

The most alarming risk posed by these vulnerabilities is the potential disruption of power grids.

In an interconnected network where stability depends on balancing power generation and demand, a hacker manipulating solar inverters could cause widespread instability. As Daniel dos Santos, Head of Research at Forescout Vedere Labs, explained, controlling a fleet of these devices could reduce power generation during peak production hours, potentially causing power shortages or even blackouts.

“An attacker could control entire fleets of devices, adjusting settings to manipulate how much energy is sent to the grid at critical times,” dos Santos said. “This could lead to cyber-physical ransomware attacks, where attackers hold energy production hostage.”

Vulnerabilities Discovered

The vulnerabilities were discovered as part of ongoing research into the security of operational technology (OT) systems.

The flaws range from insecure cloud communication to poorly protected APIs that allow unauthorized access to critical system settings. Notably, the flaws could allow attackers to remotely take over inverter devices or even control the entire cloud platform that manages them.

One of the most concerning issues involved Growatt inverters, which can be hijacked via their cloud backend, granting attackers access to configuration parameters. In contrast, exploiting Sungrow inverters requires more complex attacks, including the manipulation of communication dongles.

Are Canadian Homes at Risk?

Passive solar design takes advantage of a building’s site, climate, and materials to minimize energy use.

Canada has seen a surge in residential and commercial solar installations, particularly in provinces like Ontario, British Columbia, and Alberta, where government incentives encourage renewable energy adoption. With an increasing number of households like Linda Thompson’s integrating solar technology, the potential for widespread disruption has caught the attention of cybersecurity experts.

However, manufacturers have responded swiftly.

All three companies—Sungrow, Growatt, and SMA—have issued patches to address the vulnerabilities, with SMA confirming that its patch resolved the issue as of December 2024.

What Should Homeowners Do?

Experts advise solar inverter owners to update their systems promptly and consult with their installers to ensure that security patches have been applied. Additionally, homeowners should follow best practices for securing smart devices, including changing default passwords and regularly updating firmware.

As more Canadians transition to renewable energy, the challenge remains balancing innovation with security. For homeowners like Linda Thompson, the benefits of solar energy still outweigh the risks, but awareness and proactive measures are now more important than ever.