Enphase Envoy PV Monitoring Device - I Distrust it


Post by fruzzetti » March 17th, 2014, 9:37 am

Greetings, dear community of brilliant tinkerers.

I have just installed a 4250W solar generator on my home. It's phenomenal. It's wonderful. Every day, my meter shows a few kWh less than the previous day. And the cost to finance was actually $55/mo less than my average monthly electricity bill, so I had immediate savings.

Here's something kinda cool: the system came with an Enphase Envoy monitor, which is a network-connected device which uses the power conditions to listen and judge performance of the inverters and panels. I plugged it in and saw that it records several statistics about the panels, including instantaneous, weekly, and lifetime production (which are the most important stats to me) as well as inverter and panel health.

But because I try to be security-minded, I have set up my firewall to block it from reaching the outside world.

The company who installed my system has called me and asked for the serial number so they could set up my system. I provided it. Then they called me back and asked if I would please plug it into my home router so they could "finish setup." Finish setup? I'm already selling electricity! Anyway, I explained that I would NOT be granting it internet access, but that it was working just fine.

Here's something seriously disturbing, at least to me: this is a full-fledged embedded Linux box. It runs sshd as well as httpd. It attempts to open a VPN tunnel so outsiders can access its services (and, via this entryway, my private network as well).

[Image: envoy circuit board obverse]


I'm guessing that PROBABLY, it is defaultishly security-minded at best.

[Image: envoy circuit board reverse]


Get this: they have a SUBSCRIPTION service (free for one year), whereupon you plug in your device, and it uploads your solar performance data (and any number of other things I don't want to find out the hard way) so their equipment can prepare cute little graphs and charts (and so they can brag about their equipment and certainly to do nefarious things with the data). Seriously, they want me to pay them for my own production data? It seems backwards.

Anyway, it clearly has at least a JTAG port and four-pin serial port on the PCB, which one day I'll try to tap into and see what I can see.

My question: DOES ANYONE ELSE HAVE ONE OF THESE THINGS, AND IF YOU DO, HAVE YOU MANAGED TO GAIN ROOT ACCESS SO YOU CAN SEE WHAT'S GOING ON? HAVE ANY OF YOU CAPTURED ITS ENTIRE INTERNET COMMUNICATION STREAM AND FLIPPED THROUGH IT? Since it's a full-fledged computer I don't control living on my network, it could most certainly enter promiscuous mode and capture initial SSL connections and thereby steal all my passwords and credit card data. Not saying it does that, but that it COULD. And by opening up a tunnel outside, it seems more likely than not that eventually someone will find the security flaw. Plus I bet it has a default root password and root login enabled by default.

What can I do to figure this machine out? I know some Perl scripts exist to poll the data from my Linux computer, which I'm considering doing, even though I don't really care.

I've asked the company to provide source code. They have not. Even though it's clearly a Linux-derived operating system, they are illegally refusing to turn over the source code.

What do I do? Where do I go from here?

Thanks very much.
fruzzetti
 
Posts: 100
Joined: March 26th, 2011, 8:50 pm
Location: California, US

Re: Enphase Envoy PV Monitoring Device - I Distrust it

Post by asheets » March 18th, 2014, 12:28 pm

I wouldn't trust it either. Any particular reason why it needs to be plugged into the network at all?
asheets
 
Posts: 298
Joined: February 17th, 2011, 4:30 pm

Re: Enphase Envoy PV Monitoring Device - I Distrust it

Post by Dans34 » March 19th, 2014, 5:53 am

Could you use something like Wireshark to listen in to the packets it's sending?
Dans34
 
Posts: 40
Joined: June 15th, 2011, 8:09 am

Re: Enphase Envoy PV Monitoring Device - I Distrust it

Post by fruzzetti » October 3rd, 2014, 12:01 pm

Yes, actually I have sniffed all packets and performed port scans.

Here's what I found out:

It wants to dig a VPN tunnel to XXX.XXX.XXX.XXX and open sshd to listen for inbound connections. It also sends some weird UDP packets. I can't say for sure it isn't trying to log passwords and that, but I don't think it is intentionally malicious.

It seems more like the company just didn't understand the inherent security risks in designing their device to open a hole in users' firewalls.

But how could you not have a competent technical advisor when you're already designing what seems to be a pretty customized embedded solution? I just can't wrap my brain around that one.
fruzzetti
 
Posts: 100
Joined: March 26th, 2011, 8:50 pm
Location: California, US
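
One way to audit what a firewalled device like this keeps attempting, as an added example that is not part of the original posts: it tallies the device's blocked packets from netfilter LOG lines and separates internet-bound from LAN-bound attempts. The device address, LAN subnet, log prefix and every log line are constructed for illustration and do not describe actual Envoy traffic.

```python
import ipaddress
import re
from collections import Counter

DEVICE_IP = "192.168.1.50"                    # assumed address of the monitor
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

# Constructed sample (trimmed netfilter LOG lines); "ENVOY-DROP" is an assumed log prefix.
SAMPLE_LOG = """\
Oct  3 11:58:01 gw kernel: ENVOY-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40112 DPT=443 SYN
Oct  3 11:58:04 gw kernel: ENVOY-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40112 DPT=443 SYN
Oct  3 11:58:09 gw kernel: ENVOY-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=76 PROTO=UDP SPT=123 DPT=123
Oct  3 11:58:10 gw kernel: ENVOY-DROP IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=62 PROTO=UDP SPT=51514 DPT=53
Oct  3 11:58:12 gw kernel: OTHER-DROP IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; the value may be empty (OUT=)


def parse_line(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    return dict(FIELD.findall(line))


def summarize(log_text, device_ip=DEVICE_IP, lan=LAN):
    """Count the device's blocked attempts per (scope, proto, dst, dport)."""
    attempts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("SRC") != device_ip or "DST" not in f:
            continue  # another host's traffic, or not a packet log line
        dst = ipaddress.ip_address(f["DST"])
        scope = "lan" if dst in lan else "internet"
        dport = int(f["DPT"]) if "DPT" in f else None  # ICMP has no port
        attempts[(scope, f.get("PROTO", "?"), str(dst), dport)] += 1
    return attempts


def internet_destinations(attempts):
    """Distinct (proto, dst, dport) endpoints the device tried to reach off-LAN."""
    return sorted({k[1:] for k in attempts if k[0] == "internet"})


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(count, *key)
```
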

Re: Enphase Envoy PV Monitoring Device - I Distrust it

Post by le_bresilien » November 4th, 2015, 10:45 am

fruzzetti wrote: Yes actually I have sniffed all packets and performed port scans.

Here's what I found out:

It wants to dig a VPN tunnel to XXX.XXX.XXX.XXX and open sshd to listen for inbound connections. It also sends some weird UDP packets. I can't say for sure it isn't trying to log passwords and that, but I don't think it is intentionally malicious.

It seems more like the company just didn't understand the inherent security risks in designing their device to open a hole in users' firewalls.

But how could you not have a competent technical advisor when you're already designing what seems to be a pretty customized embedded solution? I just can't wrap my brain around that one.


Hi,

I also own an Enphase system (M215 micro inverters & Envoy Energy Management Unit (EMU)).
I have found this material to go further on this topic:
http://blog.oddbit.com/2012/02/13/enpha ... ta-format/
http://blog.oddbit.com/2012/02/22/capturing-envoy-data/
http://forum.solar-electric.com/discuss ... ata-access

Hereafter, information from the Enphase documentation:
[Image: screenshot.77.png]

For the last screenshot, read UDP on the last line (not FTP), as NTP is relayed over UDP, not over TCP.

Please let me know if you progress on this topic

Best regards
le_bresilien
 
Posts: 1
Joined: November 4th, 2015, 8:10 am

Re: Enphase Envoy PV Monitoring Device - I Distrust it

Post by Mars » March 16th, 2016, 3:36 pm

I have an Enphase system that was installed on my house in 2010. The Envoy has never been connected to the internet and failed after a few years. Now I have found several of the inverters have failed and it seems I have no way to troubleshoot it. Time for some hacking!

Has anyone tried hacking the power line communications (PLC) data between the inverters and Envoy? I know Enphase was using Ariane Controls PLM-1 for PLC. It would be interesting to put a power line modem on the lines and see what the data looks like. It would be even more interesting to build my own Envoy replacement.

Mars
Mars
 
Posts: 1
Joined: March 16th, 2016, 1:02 pm
