In June, we wrote about a security vulnerability an anonymous researcher had discovered in Enphase’s solar inverter communications gateway and installer app.
As we said in June, the communications gateway bug was the most serious since it would theoretically let an attacker take control of the gateway:
“Successful exploitation of this vulnerability could allow an attacker to gain root access to the affected product.”
Meanwhile, the Installer Toolkit app – which installers use to register a new build with Enphase – could give an attacker access to the information available in the app.
At the time, no fix was available, meaning the only option to keep the systems safe was disconnecting them from the Internet.
On Friday, some good news arrived for Enphase installers and customers, with the company publishing fixes for the two bugs.
The Enphase advisory for its IQ Gateway 7.0.88 says the system can be patched by installing embedded software version 7.3.130/7.6.175 or newer.
SolarQuotes asked Jake Warner from Penrith Solar Centre (Enphase Installer of the year 2023) what consumers should do to install the update and double-check their firmware version:
“Because Enphase systems are always connected, they are constantly updated. Kind of like when you get in a Tesla, and it’s had a little overnight update.
If an Enphase system owner wants to check, they can do so via their Enphase App:
Menu
-System
–Devices
—Gateway
It will then tell them what version of Firmware they have. The latest update version is 7.6.175.”
Finn’s Enlighten app this morning. If you’re wondering why there is so much overnight consumption – it’s his car charging…
For solar installers, the Installer Toolkit bug was that a developer left behind credentials – their user ID and password – hard-coded in the software. If someone discovered those credentials, they could log into the app.
The Toolkit app has now been upgraded in both the Apple and Google Play stores, from version 3.27.0 to version 3.30.1 or newer, which revokes the hard-coded credentials.
About Richard Chirgwin
RSS - Posts
So why is my firmware so out of date? It’s still showing 5.0.34. Do I need to change a setting or put in a request for the auto updates?
Jump on the Enphase Chat from the App/ web login & ask for an update – they don’t seem to do auto-updates.
Mmm, just checked this today, and still D5.0.55 – will follow up with my installer after a few more days.
Jumped onto Chat with Enphase, and Inverter firmware updated in 5 minutes. nice
Thanks for the info.
BTW my enphase gateway and my father in law’s are connected to enphase but aren’t being automatically updated. The version on my gateway was R5.0.55 and his is D5.0.55. I logged a support case and they upgraded mine to D7.4.28 a week ago.
I wonder how many gateways have never been upgraded and why they aren’t updated automatically.
BTW I noticed that the “Live Status” feature became available in the mobile app and in the new version of the webapp after they upgraded my firmware. Now I can see the real time instantaneous Producing, Consuming and Exporting numbers which is really nice. Using this feature it’s really easy to see how much power an individual appliance uses by checking the consumption value immediately before and after turning the appliance (like a kettle or ac) on.
The shift from 5.x to 7.x firmware will also break any existing home automation integrations for platforms like Home Assistant scraping the solar statistics API locally, this is due to the local authentication model shifting to a token based model which has an expiration period of 6 months for a system-owner account.
“ will also break any existing home automation integrations for platforms like Home Assistant ”
The HA community is working on a fix for that. Sadly it’s beyond my programming skill level.
The temporary fix does work properly for me, but it could be a while before it is officially included…. But so far so good.
The comms from Enphase has been sadly lacking around this. My Envoy went off line while I was looking at it. For a while I thought I had another failure, but after half an hour it was back up and I noticed the new firmware version – and that my HA system was not talking to it.
As other have mentioned – I can at least get the live page in the app, not that I use that much anyway. HA gives me much more relevant info.
My system is still at d5 firmware. Did on line chat yesterday with enphase support. They said they are working through the upgrades.
Had no explanation as to why there had been no upgrades d5 d6 to d7?
Their automatic upgrades apparently do not work.
I remain incredibly concerned that this could happen in the first place. We must consider the cyber security risks of any product, especially ones hooked up to home WIFI
I wrote in the previous Enphase article, the following:
I have now been upgraded by my installer, from d5.0.55 to d7.6.175, which should mean that vulnerability has been dealt with. However, this was not an automatic process – I had to request it.
Something to watch out for – chase Enphase and or your installer. Updates do not work like a computer/phone. Also note that users are not advised of fixes/issues – thankfully Solarquotes was the communication method I found out about this.
After stumbling on this post I was surprised to look at my own Enphase system and see it running the old D5.0.55 build (dated September 2020).
Not the least of which given that not only was my system was installed in late 2022, it was also installed by the very same Penrith Solar Centre claiming these things are ‘constantly updated’…even the 5.0.64 build was over a year old at install time.
Perhaps we have differing opinions of what ‘constant updates’ mean.
Enphase support upgraded me remotely with no hassle, but clearly both the vendors and the installers need to do way better at being proactive.