- Researchers find unauthenticated wireless access to widely used Hoymiles microinverters.
- Attackers can switch systems off, change output, and potentially disable units.
- Low cost hardware enables access from hundreds of metres away.
A newly published security study titled ‘Wireless Interface Vulnerabilities of Hoymiles Microinverters,’ by the Chaos Computer Club, has identified critical vulnerabilities in Hoymiles microinverters, widely deployed in small scale rooftop and balcony solar systems, raising concerns about device integrity and potential grid impacts.
The research shows that several Hoymiles inverter models communicate over proprietary wireless interfaces without encryption, authentication, or integrity protection. This allows attackers within radio range to intercept and send control commands using inexpensive and widely available hardware.
At the centre of the issue is the DTU communication protocol, which enables monitoring and control of inverter performance. While access is nominally restricted using the last eight digits of a device serial number, the study demonstrates that these identifiers can be retrieved over the air using a broadcast request. Tests confirmed this method works at distances of at least 350 m.
Once a serial number is obtained, an attacker can issue commands to switch inverters on or off, or adjust their power output. The study also suggests that attackers may be able to set anti-theft passwords, potentially locking out legitimate owners, and possibly upload malicious firmware, although this has not yet been fully verified.
The vulnerabilities affect a wide range of Hoymiles HM, HMS, and HMT series devices operating on both 2.4 GHz and 868 MHz bands. These products are widely used in Europe, particularly in Germany, where nearly 500000 new balcony solar systems were installed in 2025 alone.
To demonstrate real world exposure, the researcher built a handheld scanning device and identified 24 accessible inverters during a 20 minute walk through a residential area. This highlights the scale of potential exposure as adoption of distributed solar continues to grow.
Beyond individual systems, the findings raise broader concerns for grid stability. The report notes that coordinated attacks could attempt to disrupt electricity supply by simultaneously switching large numbers of inverters on or off during peak generation periods. However, the study stops short of quantifying the likelihood or scale of such an event.
Mitigation options remain limited in the absence of a vendor fix. Disconnecting solar panels from affected inverters is currently the only fully effective measure. Adjusting system settings, such as reducing communication frequency, may lower exposure but does not eliminate the risk.
The study calls for urgent action from the manufacturer, including removal of the vulnerable discovery function and implementation of proper authentication mechanisms. It also recommends a broader security audit and the introduction of modern cryptographic protections across the product range.
The researcher further suggests collaboration with open source communities to accelerate deployment of firmware updates, particularly for systems not connected to vendor cloud platforms.
The findings add to growing scrutiny of cybersecurity in distributed energy systems, as increasing digitisation and connectivity expose new attack surfaces across the power sector.
Author: Bryan Groenendaal












