
Enphase Patches Solar System Vulnerabilities: Update Guide


In June, we wrote about a security vulnerability an anonymous researcher had discovered in Enphase’s solar inverter communications gateway and installer app.

As we said in June, the communications gateway bug was the most serious since it would theoretically let an attacker take control of the gateway:

“Successful exploitation of this vulnerability could allow an attacker to gain root access to the affected product.”

Meanwhile, the Installer Toolkit app – which installers use to register a new build with Enphase – could give an attacker access to the information available in the app.

At the time, no fix was available, meaning the only option to keep the systems safe was disconnecting them from the Internet.

On Friday, some good news arrived for Enphase installers and customers, with the company publishing fixes for the two bugs.

The Enphase advisory for its IQ Gateway 7.0.88 says the system can be patched by installing embedded software version 7.3.130/7.6.175 or newer.

SolarQuotes asked Jake Warner from Penrith Solar Centre (Enphase Installer of the year 2023) what consumers should do to install the update and double-check their firmware version:

“Because Enphase systems are always connected, they are constantly updated. Kind of like when you get in a Tesla, and it’s had a little overnight update.

If an Enphase system owner wants to check, they can do so via their Enphase App:

Menu > System > Devices > Gateway

It will then tell them what version of Firmware they have. The latest update version is 7.6.175.”

[Screenshot: Enphase app walkthrough to check the firmware version. Caption: Finn’s Enlighten app this morning. If you’re wondering why there is so much overnight consumption – it’s his car charging…]

For solar installers, the Installer Toolkit bug was that a developer left behind credentials – their user ID and password – hard-coded in the software. If someone discovered those credentials, they could log into the app.

The Toolkit app has now been upgraded in both the Apple and Google Play stores, from version 3.27.0 to version 3.30.1 or newer, which revokes the hard-coded credentials.

Original Source: https://www.solarquotes.com.au/blog/enphase-patches-its-security-bugs/