Greetings, dear community of brilliant tinkerers.
I have just installed a 4250W solar generator on my home. It's phenomenal. It's wonderful. Every day, my meter shows a few kWh less than the previous day. And the cost to finance was actually $55/mo less than my average monthly electricity bill, so I had immediate savings.
Here's something kinda cool: the system came with an Enphase Envoy monitor, which is a network-connected device which uses the power conditions to listen and judge performance of the inverters and panels. I plugged it in and saw that it records several statistics about the panels, including instantaneous, weekly, and lifetime production (which are the most important stats to me) as well as inverter and panel health.
But because I try to be security-minded, I have set up my firewall to block it from reaching the outside world.
The company who installed my system has called me and asked for the serial number so they could set up my system. I provided it. Then they called me back and asked if I would please plug it into my home router so they could "finish setup." Finish setup? I'm already selling electricity! Anyway, I explained that I would NOT be granting it internet access, but that it was working just fine.
Here's something seriously disturbing, at least to me: this is a full-fledged embedded Linux box. It runs sshd as well as httpd. It attempts to open a VPN tunnel so outsiders can access its services (and, via this entryway, my private network as well).
I'm guessing that PROBABLY, it is defaultishly security-minded at best.
Get this: they have a SUBSCRIPTION service (free for one year), whereupon you plug in your device, and it uploads your solar performance data (and any number of other things I don't want to find out the hard way) so their equipment can prepare cute little graphs and charts (and so they can brag about their equipment and certainly do nefarious things with the data). Seriously, they want me to pay them for my own production data? It seems backwards.
Anyway, it clearly has at least a JTAG port and four-pin serial port on the PCB, which one day I'll try to tap into and see what I can see.
My question: DOES ANYONE ELSE HAVE ONE OF THESE THINGS, AND IF YOU DO, HAVE YOU MANAGED TO GAIN ROOT ACCESS SO YOU CAN SEE WHAT'S GOING ON? HAVE ANY OF YOU CAPTURED ITS ENTIRE INTERNET COMMUNICATION STREAM AND FLIPPED THROUGH IT? Since it's a full-fledged computer I don't control living on my network, it could most certainly enter promiscuous mode and capture initial SSL connections and thereby steal all my passwords and credit card data. Not saying it does that, but that it COULD. And by opening up a tunnel outside, it seems more likely than not that eventually someone will find the security flaw. Plus I bet it has a default root password and root login enabled by default.
What can I do to figure this machine out? I know some Perl scripts exist to poll the data from my Linux computer, which I'm considering doing, even though I don't really care.
I've asked the company to provide source code. They have not. Even though it's clearly a Linux-derived operating system, they are illegally refusing to turn over the source code.
What do I do? Where do I go from here?
Thanks very much.