Security Vulnerability: Unauthorized Bluetooth Access to FoxESS H3-15.0-Smart Inverter
Posted: Wed Apr 01, 2026 5:00 am
It has been observed that the FoxESS H3-15.0-Smart inverter allows unauthorized access via Bluetooth. Any nearby individual with the mobile app can connect to the inverter without proper authentication and modify critical settings such as network configuration. This presents a serious security risk, as malicious users could disrupt system operation.
Affected Device:
Model: H3-15.0-Smart
Firmware Version: master V1.39, Slave V1.00, ARM V1.24, data logger V2.09
Description:
Two separate installations of the same inverter model were tested (mine and my neighbor’s). From my mobile device, I was able to:
- Discover the neighbor’s inverter via Bluetooth
- Connect to the inverter without any authentication prompt
- Access configuration settings
- Change network (WiFi) settings
This indicates that Bluetooth access is either:
- Not secured by default, or
- Uses a shared/default credential that is not enforced or visible to users
Security Impact:
This vulnerability allows any person within Bluetooth range to:
- Modify inverter configuration
- Disconnect the inverter from its intended network
- Redirect the inverter to a different network (as demonstrated)
- Potentially disrupt power generation or monitoring
- Cause denial of service by misconfiguring settings
Steps to Reproduce:
- Install the FoxESS mobile application
- Enable Bluetooth on the mobile device
- Open the app near a target inverter
- Scan for nearby devices
- Select a discovered inverter (not owned by the user)
- Observe that the connection is established without authentication
- Attempt to modify settings such as WiFi configuration
Expected Behavior:
- Bluetooth connections should require authentication (PIN/password)
- Each inverter should have a unique credential (not shared/default)
- Ownership verification should be required before allowing network changes
- Unauthorized users should not be able to access or modify settings
Actual Behavior:
- No authentication required for Bluetooth connection
- Full access to configuration settings is granted upon connection
- Network configuration can be changed without ownership verification
Suggested Fixes / Recommendations:
- Enforce mandatory authentication for Bluetooth access (PIN or password)
- Assign unique credentials per device (printed on unit or provided at setup)
- Require ownership verification before allowing critical changes (e.g., WiFi setup)
- Allow users to disable Bluetooth after initial configuration
- Implement access control levels (read-only vs admin)
- Add logging/alerts for unauthorized access attempts
- Provide firmware update to address this vulnerability
This issue affects multiple units and is not isolated to a single installation, indicating a systemic design or firmware flaw. Given the potential impact on power systems, this should be treated as a high-priority security issue.
Conclusion:
Immediate action is recommended to secure Bluetooth access on FoxESS inverters. Without proper safeguards, this vulnerability exposes users to unauthorized control of critical infrastructure.
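
The recommendations in the post above (mandatory authentication, per-device credentials, read-only vs admin levels, logging of failed attempts) can be modelled as a device-side authorization gate. This is an added example, not FoxESS firmware or code from the original post; the class name, the setting key, the PINs and the lockout threshold are assumptions, and Bluetooth pairing and transport are not modelled.

```python
import hashlib
import hmac
import secrets

# Assumed lockout threshold, not a FoxESS value; clearing it would need an
# out-of-band reset, which is not modelled here.
MAX_FAILURES = 5


class BleConfigGate:
    """Hypothetical device-side gate for configuration requests over Bluetooth."""

    def __init__(self, viewer_pin, admin_pin):
        # Per-device credentials (e.g. printed on the unit), kept only as salted hashes.
        self._salt = secrets.token_bytes(16)
        self._hashes = {"admin": self._derive(admin_pin), "viewer": self._derive(viewer_pin)}
        self._roles = {}   # connection id -> role granted after authentication
        self.failures = 0
        self.audit = []    # (connection id, event) records for logging/alerts
        self.settings = {"wifi_ssid": "home-net"}  # constructed sample setting

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def authenticate(self, conn, pin):
        if self.failures >= MAX_FAILURES:
            self.audit.append((conn, "locked_out"))
            return None
        candidate = self._derive(pin)
        for role, stored in self._hashes.items():
            if hmac.compare_digest(candidate, stored):  # constant-time comparison
                self.failures = 0
                self._roles[conn] = role
                self.audit.append((conn, "auth_ok:" + role))
                return role
        self.failures += 1
        self.audit.append((conn, "auth_failed"))
        return None

    def handle(self, conn, op, key, value=None):
        role = self._roles.get(conn)  # None for a connection that never authenticated
        if op == "read" and role in ("viewer", "admin"):
            return "ok", self.settings.get(key)
        if op == "write" and role == "admin":
            self.settings[key] = value
            self.audit.append((conn, "write:" + key))
            return "ok", value
        self.audit.append((conn, "denied:" + op + ":" + key))
        return "denied", None
```
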