Scott Leggett Cracks a GoodWe Solar Inverter, Smart Meter for Local Prometheus Monitoring

Security engineer Scott Leggett has recently had rooftop solar installed, and wanted to get metrics out of the supplied inverter — setting off a months-long investigation that "reinforced [his] prejudice that IoT [Internet of Things] devices are horribly insecure," though at least delivered on the monitoring front.

"I got a solar PV system installed in my house in mid 2023. I did the bare minimum of research beforehand — just talked to a couple of different installers about pricing, sizing, and the economics of a battery," Leggett writes in a post on the subject, brought to our attention by Adafruit. "One thing I certainly did not do is any research into brands and their relative hackability or security merits. I just specified that I wanted to monitor the devices and see some metrics."

The installed delivered a GoodWe DNS G3 Inverter and matching HomeKit 1000 Smart Meter, which Legget describes as slick-looking but that proved somewhat troublesome on the monitoring front. First, no metrics were immediately readable: instead, you have to connect the devices to your home network, then to GoodWe's cloud, then sign up for an account on same, and then tell your installer your account email address — so they can email GoodWe and have it linked to the devices, a process that Leggett found took "a day or so."

After this, data from both the solar inverter and smart meter were available on the GoodWe cloud — but Leggett was hoping for something running locally that triggered a hunt into how the hardware, not supported by any currently-released libraries and tools, could be convinced to give up its secrets.

Some initial experimentation with network mapping tool nmap revealed an open Telnet port, which responded to the username admin with a matching password — though a second scan in a more aggressive mode proved enough to crash the smart meter and reset it to factory defaults, which isn't exactly ideal. Sadly, the Telnet interface wouldn't provide metrics — but network packet capture could, if the packets weren't encrypted.

After dumping and decoding the firmware, Leggett stumbled upon a presentation from a member of the Melbourne Linux User's Group that detailed an exploitable glitch: if the network connection goes down, the hardware will buffer messages and transmit them when the connection comes back — with duplicated cipher text, which suggested AES-CBC encryption. Some more experimentation found exactly what the key was: nothing but 0xff, repeated for 16 bytes. "Of course," Leggett writes. "The key was just all bits set. Why not!?"

With the encryption key in hand, Leggett was able to decode the captured packets — using the cloud portal as an "oracle" to figure out where in the packets each metric was stored. These data could then be extracted for local use with a man-in-the-middle Prometheus exporter, without having to query the remote portal. "The nice thing about this design is that you still get metrics in SEMS Portal," he explains. "These metrics are visible to your installer, so if you have problems it is easy for them to troubleshoot.

"This exercise has reinforced my prejudice that IoT devices are horribly insecure. In the case of GoodWe, where they even have authentication, they use fixed default passwords such as admin, and leave Telnet debug interfaces listening on their production devices," Leggett concludes. "Although the metrics protocol and encryption scheme are insecure, I didn’t find anything that could really be described as a security vulnerability as opposed to a design decision."

The full write-up is available on Leggett's website, while the exporter has been published to GitHub under the permissive Apache 2.0 license.