Chinese solar inverters can be remotely hacked to shut down rooftop panels, research suggests
The attacker requires a secret key.

Employees work on the production line of solar panels. Xu Changliang/VCG via Getty Images.
- Hackers can remotely control Hoymiles solar inverters by intercepting unencrypted serial numbers, allowing them to shut down or install malware on devices.
- Mass attacks could disable hundreds of thousands of rooftop solar systems, threatening electrical grid stability across entire regions.
- Hoymiles ignored security warnings from researchers, forcing the Chaos Computer Club to publicly disclose the vulnerabilities to protect consumers.
- The case highlights risks of poorly secured smart devices in critical infrastructure, prompting calls for EU bans on unauthenticated firmware updates.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The Chaos Computer Club (CCC) and a security researcher have found “devastating security vulnerabilities” in inverters for balcony and roof solar systems from the Chinese company Hoymiles.
According to the researchers, attackers could remotely take control of affected inverters by exploiting weaknesses in the devices’ communication and security mechanisms.
The inverter features a cloud function that communicates via proprietary but unsecured protocols when activated, enabling attackers to remotely control the inverter. This way, a threat actor can switch solar panels on or off, reconfigure them, delete the firmware, or install malware.
To gain remote access to the inverter, the attacker requires a secret key: the device's factory-assigned serial number. Every inverter transmits the serial number unencrypted, allowing anyone in the vicinity to intercept it. That way, it’s possible to operate targeted inverters remotely.
If carried out on a large scale, hundreds of thousands of rooftop solar power plants could be shut down, affecting the stability of the electrical grid in an area, the CCC warns.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
“Stop the Wild West in the IoT. This case is a practical lesson in why critical infrastructure doesn’t just start at large power plants, but already in the front garden. If thousands of systems can be shut down by public address, that poses a systemic risk.” Dirk Engling, spokesperson for the CCC, says in a statement.
Before disclosing their findings publicly, the researchers presented their conclusions to Hoymiles. However, the manufacturer did little to nothing with these reports, leaving their solar panels vulnerable to this day. That’s why the CCC felt forced to make the vulnerabilities public.
The researchers say that their findings demonstrate the growing need for better cybersecurity measures for internet-connected devices. The CCC recommends that the EU ban devices that allow firmware updates to be installed without adequate authentication.
“Security is not a feature that can be added optionally, but it is the basis for trust in a stable and modern energy infrastructure,” the CCC concludes.