The Hoymiles security flaw that the Chaos Computer Club and researcher Benedikt „Hunz" Heinz just disclosed is a genuine nightmare: HM, HMS and HMT inverters talk unencrypted over 868 MHz and 2.4 GHz, the serial number is the only „password", and every device happily shouts that serial in plaintext in response to an undocumented broadcast. That is enough to switch off, tamper with or permanently brick a neighbour's balcony solar system while driving past, and there is still no patch.
What's the deal? 🧐
The Chaos Computer Club, together with security researcher Benedikt Heinz (better known in the scene as „Hunz"), documented severe wireless flaws in Hoymiles inverters. And this is not a niche: Hoymiles serves roughly 20 percent of Europe's microinverter market, those little boxes that push solar power into the grid in balcony power plants and on countless rooftops. When something is fundamentally broken there, it affects hundreds of thousands of installations.
I first read about it on heise, and honestly my jaw dropped as I kept reading. This is not a „theoretically someone might", this is „with electronic junk from your parts bin, while driving past".
What makes the Hoymiles security flaw so nasty 🔓
The affected Wi-Fi-less devices talk to their control unit over Hoymiles' own „DTU protocol". DTU stands for Data Transfer Unit, the radio gateway that links the inverters to the cloud. Sounds harmless, but it is the heart of the problem: the radio traffic runs completely unencrypted over 868 MHz and 2.4 GHz, and instead of real cryptography only simple checksums protect the packets. Checksums that are trivial to recompute.
The real kicker is an undocumented broadcast command Hunz found in the firmware, internally called „Gongfa". Send that broadcast out and every reachable inverter dutifully answers with its serial number, in plaintext. And that serial number is at the same time the installation's only „password". Whoever has it can remote-control the inverter. It is roughly like a door lock that reads its own key aloud whenever you ask.
From a drive-by to a blackout: the attacks 🚗
With an off-the-shelf 2.4 GHz module and just 100 milliwatts of transmit power, Hunz still picked up the responses from around 350 metres away. During experimental „war-walking" through neighbourhoods, a modified scanner located two dozen foreign installations in about 20 minutes. From a car or a drone, that scales accordingly.
And then? Quite a lot is possible. With the serial number as the key, inverters can be switched on and off, feed-in and grid frequency can be altered, power limits manipulated and, this is the truly ugly part, complete firmware updates pushed. Twist the grid parameters in the „Grid Profile", or simply wipe the bootloader or entire flash sectors, and you can render devices permanently useless. The CCC explicitly warns of fires, electrical accidents and destruction of the hardware.
Scale that up mentally to whole streets and a single-device problem becomes a grid-stability problem: if many installations can be switched off or reconfigured all at once, that is not something a power grid enjoys.
The technical reports to dig into 📄
If you want the full detail: Hunz published two thorough technical reports, one on the wireless interfaces and the DTU communication, one on the critical over-the-air flaws around Grid Profile and firmware. Both are available as a direct PDF download from the CCC.
The disclosure itself followed responsible-disclosure rules cleanly: the flaws were formally reported on 12 March 2026 to Hoymiles, Germany's CERT-Bund and the Bundesnetzagentur. Only after that did it go public in July.
And Hoymiles? Irritated at best 😤
Now the part that annoys me most. According to the CCC, Hoymiles reacted to the reports „with irritation or not at all", and there is still no patch. At least the vendor has now announced it will ship a new inverter firmware with encryption in the autumn (September or October were mentioned). Whether and when that actually reaches the devices already installed is a different question entirely.
That is why the CCC demands binding minimum standards and a ban on feed-in devices in the EU that accept firmware updates over radio without cryptographic authentication. And honestly, that is the absolute minimum.
A small side effect of the announced encryption: community tools like OpenDTU, which many tinkerers use to read out their Hoymiles inverters independently of the cloud, will most likely be locked out too. Security, yes, but please not at the cost of openness.
What you can do right now 🛡️
The reality, briefly: there is no real fix right now, only damage control. Still, it is worth a look:
- Affected? Mostly HM, HMS and HMT devices without Wi-Fi. Note: the same technology sits inside identical devices sold under the brands E-Star, Solenso and TSUN.
- Set a theft-protection password. Hoymiles offers a password function in the app and DTU that at least makes open access harder.
- Increase the query interval. The less the system transmits, the smaller its attack surface.
- Physically disconnect if in doubt. If you want to be safe, take the modules off the grid briefly, especially when concrete attacks are being reported publicly.
None of this is a proper patch, but it lowers the odds that your installation becomes the next victim of a bored war-walker.
Why this bugs me 🤔
We are not talking about a forgotten debug flag in some niche hardware. We are talking about devices that hang directly on the power grid, are sold by the million and are remote-controllable by design, just without any serious protection. And the vendor reacts „with irritation". That reminds me a lot of another story I have written up here: that vendor security promises tend to break exactly when you rely on them.
The difference: with solar hardware it is not only about data privacy, it is about physical safety and grid stability. And there, „we might ship something in the autumn" is simply not enough.
Verdict 🚀
The Hoymiles security flaw is a textbook example of how not to do embedded security: unencrypted radio, the serial number as the password, an undocumented broadcast that reveals exactly that serial, and a firmware-update mechanism without signature checks. Together, that is enough to switch off or destroy a neighbour's balcony solar system while driving past.
Until there is a clean patch, the drill is: set a theft-protection password, raise the query intervals, keep an eye on the affected models and follow Hoymiles' announcements critically. And for the industry as a whole: on grid-coupled hardware, crypto is not a nice-to-have. Thanks to Hunz and the CCC for laying this out so mercilessly.