Affected Device:
Model: H3-15.0-Smart
Firmware Version: Master V1.39, Slave V1.00, ARM V1.24, data logger V2.09
Description:
Two separate installations of the same inverter model were tested (mine and my neighbor’s). From my mobile device, I was able to:
- Discover the neighbor’s inverter via Bluetooth
- Connect to the inverter without any authentication prompt
- Access configuration settings
- Change network (WiFi) settings
This indicates that Bluetooth access is either:
- Not secured by default, or
- Uses a shared/default credential that is not enforced or visible to users
Security Impact:
This vulnerability allows any person within Bluetooth range to:
- Modify inverter configuration
- Disconnect the inverter from its intended network
- Redirect the inverter to a different network (as demonstrated)
- Potentially disrupt power generation or monitoring
- Cause denial of service by misconfiguring settings
Steps to Reproduce:
- Install the FoxESS mobile application
- Enable Bluetooth on the mobile device
- Open the app near a target inverter
- Scan for nearby devices
- Select a discovered inverter (not owned by the user)
- Observe that the connection is established without authentication
- Attempt to modify settings such as WiFi configuration
Expected Behavior:
- Bluetooth connections should require authentication (PIN/password)
- Each inverter should have a unique credential (not shared/default)
- Ownership verification should be required before allowing network changes
- Unauthorized users should not be able to access or modify settings
Actual Behavior:
- No authentication required for Bluetooth connection
- Full access to configuration settings is granted upon connection
- Network configuration can be changed without ownership verification
Suggested Fixes / Recommendations:
- Enforce mandatory authentication for Bluetooth access (PIN or password)
- Assign unique credentials per device (printed on unit or provided at setup)
- Require ownership verification before allowing critical changes (e.g., WiFi setup)
- Allow users to disable Bluetooth after initial configuration
- Implement access control levels (read-only vs admin)
- Add logging/alerts for unauthorized access attempts
- Provide firmware update to address this vulnerability
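The following is an added illustration of the access-control policy these recommendations describe, written for this report and not code from FoxESS or from the inverter firmware. It models the Bluetooth configuration interface at the application layer: a per-unit credential (never sent in the clear; the client proves knowledge of the PIN with a challenge-response), read-only versus admin roles, a fresh admin authentication required before critical changes such as WiFi setup, a lockout after repeated failures, an audit log of denied attempts, and an owner-controlled switch to disable the interface after setup. All names, PIN values and peer addresses are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import IntEnum


class Role(IntEnum):
    NONE = 0        # connected, not yet authenticated
    READ_ONLY = 1   # may read non-sensitive settings
    ADMIN = 2       # may change settings, including network configuration


class AccessDenied(Exception):
    pass


SENSITIVE = {"wifi_psk"}   # never readable over the interface, even by admin


def _derive(pin: str, salt: bytes) -> bytes:
    # Per-unit verifier derived from the PIN; the raw PIN is never stored.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def denied(fn, *args) -> bool:
    """True if the call is refused by policy (helper for checks and tests)."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


@dataclass
class Session:
    peer: str                       # hypothetical BLE peer address
    nonce: bytes                    # fresh challenge for the next proof
    role: Role = Role.NONE
    authenticated_at: float = 0.0


@dataclass
class InverterBleService:
    """Hypothetical model of a hardened inverter BLE configuration service."""
    serial: str
    admin_salt: bytes
    admin_verifier: bytes
    readonly_salt: bytes
    readonly_verifier: bytes
    bluetooth_enabled: bool = True
    max_failures: int = 5
    lockout_seconds: float = 300.0
    critical_max_age: float = 120.0              # re-auth window for critical changes
    failures: dict = field(default_factory=dict)  # peer -> (count, last failure time)
    audit_log: list = field(default_factory=list)
    settings: dict = field(default_factory=lambda: {"wifi_ssid": "HomeNet", "wifi_psk": "s3cret"})

    @classmethod
    def provision(cls, serial: str, admin_pin: str, readonly_pin: str):
        # Unique credentials per unit, set at manufacture or first setup.
        a_salt, r_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        return cls(serial, a_salt, _derive(admin_pin, a_salt), r_salt, _derive(readonly_pin, r_salt))

    def _log(self, event: str, peer: str, **details) -> None:
        self.audit_log.append({"t": time.time(), "event": event, "peer": peer, **details})

    def connect(self, peer: str) -> Session:
        if not self.bluetooth_enabled:
            self._log("connect_refused_bt_disabled", peer)
            raise AccessDenied("Bluetooth configuration interface is disabled")
        count, last = self.failures.get(peer, (0, 0.0))
        if count >= self.max_failures and time.time() - last < self.lockout_seconds:
            self._log("connect_refused_lockout", peer)
            raise AccessDenied("peer is locked out")
        self._log("connect", peer)
        return Session(peer=peer, nonce=secrets.token_bytes(16))   # role stays NONE

    def challenge(self, session: Session) -> dict:
        # Salts are public; the secret is the PIN each verifier was derived from.
        return {"nonce": session.nonce, "admin_salt": self.admin_salt, "readonly_salt": self.readonly_salt}

    @staticmethod
    def prove(pin: str, salt: bytes, nonce: bytes) -> bytes:
        """Client side: proof of PIN knowledge without transmitting the PIN."""
        return hmac.new(_derive(pin, salt), nonce, hashlib.sha256).digest()

    def authenticate(self, session: Session, proof: bytes) -> Role:
        nonce, session.nonce = session.nonce, secrets.token_bytes(16)   # one proof per nonce
        for role, verifier in ((Role.ADMIN, self.admin_verifier), (Role.READ_ONLY, self.readonly_verifier)):
            expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, proof):
                session.role, session.authenticated_at = role, time.time()
                self.failures.pop(session.peer, None)
                self._log("auth_ok", session.peer, role=role.name)
                return role
        count, _ = self.failures.get(session.peer, (0, 0.0))
        self.failures[session.peer] = (count + 1, time.time())
        self._log("auth_failed", session.peer, attempts=count + 1)
        raise AccessDenied("invalid credential")

    def _require(self, session: Session, role: Role, fresh: bool = False) -> None:
        if session.role < role:
            self._log("denied", session.peer, needed=role.name, had=session.role.name)
            raise AccessDenied(f"{role.name} role required")
        if fresh and time.time() - session.authenticated_at > self.critical_max_age:
            self._log("denied_stale_auth", session.peer)
            raise AccessDenied("re-authenticate before critical changes")

    def read_setting(self, session: Session, key: str):
        self._require(session, Role.READ_ONLY)
        if key in SENSITIVE:
            self._log("denied_sensitive_read", session.peer, key=key)
            raise AccessDenied("setting is not readable")
        return self.settings[key]

    def set_wifi(self, session: Session, ssid: str, psk: str) -> None:
        # Critical change: admin role proven with the unit's own PIN, recently.
        self._require(session, Role.ADMIN, fresh=True)
        self.settings["wifi_ssid"], self.settings["wifi_psk"] = ssid, psk
        self._log("wifi_changed", session.peer, ssid=ssid)

    def disable_bluetooth(self, session: Session) -> None:
        self._require(session, Role.ADMIN)
        self.bluetooth_enabled = False
        self._log("bluetooth_disabled", session.peer)
```

In this model a connection alone grants nothing: every read needs a successful challenge-response, every write needs the admin PIN unique to that unit, and repeated wrong proofs lock the peer out and leave an audit trail the owner can be alerted on. Once setup is done the owner can switch the interface off entirely, which closes the exposure described in this report for units that no longer need Bluetooth.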
This issue affects multiple units and is not isolated to a single installation, indicating a systemic design or firmware flaw. Given the potential impact on power systems, this should be treated as a high-priority security issue.
Conclusion:
Immediate action is recommended to secure Bluetooth access on FoxESS inverters. Without proper safeguards, this vulnerability exposes users to unauthorized control of critical infrastructure.