Is your rooftop solar spying on you? Technically, yes, but will it be for good or evil? There is growing evidence that cheap Chinese systems may include undocumented devices that could do much harm.
No, this is not a ‘sky-is-falling’ (perceived danger is exaggerated) opinion piece. On 16 May 2025, the Daily Telegraph and its Australia-wide cohorts relayed a report from global news agency Reuters that US energy officials had discovered undocumented communication devices in Chinese batteries and inverters. These devices could be used to switch off inverters and destabilise the power grid, causing widespread blackouts.
Fact
- Reuters is not prone to sky-is-falling stories.
- Almost all solar inverters and batteries are Chinese-made.
- The CCP (Chinese Communist Party) can direct any Chinese company to comply with its requests – there are no options.
- Inverters require the capability to connect to home Wi-Fi and the internet. Some have cellular and Bluetooth options as well.
- That capability includes remote management and diagnostics (backdoors).
- Household solar or battery storage systems fall below thresholds where security requirements typically kick in, despite now contributing a significant share of power on many Western grids.
Unknown
- Are there any safeguards against nefarious use, e.g., manipulation by the CCP?
At present, about 4 million homes have rooftop solar and renewable energy. Minister Bowen expects that 22,000 solar panels daily (1000 homes) will be needed to reach renewable energy targets by 2030.
The Telegraph reported that a leading Australian renewable energy supplier stated, “I am telling you, this is a trainwreck.”
Likelihood
This is pure speculation based on the premise that if you throw enough mud, some sticks. We don’t want to add to the mass hype it creates, just present the facts.
March 27, 2025: Researchers from Forescout Vedere Labs have identified 46 security vulnerabilities called SUN:DOWN in inverters by Sungrow, Growatt, and SMA—three of the world’s top six solar inverter manufacturers. These included unauthorised access to resources in cloud platforms, remote code execution (RCE), device takeover, information disclosure, physical damage, and denial of service.
Update May 15: In total, 93 known vulnerabilities were identified, with 80% classified as high or critical severity, scoring between 9.8 and 10 on the CVSS scale. These vulnerabilities pose significant risks, allowing for potential attacks on power grids and smart-home devices.
“Taking control of Growatt inverters is easier via the cloud backend… a threat actor has access to the inverter’s configuration parameters and can modify them”.
Apart from disrupting a power grid, the vulnerabilities can compromise user privacy, allow the hijacking of smart devices in the house that may be controlled through the vendor’s cloud platform, or even enable ransomware attacks that hold the devices hostage until a ransom is paid.
The companies concerned have allegedly patched the vulnerabilities in the hardware, clouds, and apps. The question is whether those patches reach the majority of the massive installed base.
How do you know if a brand is safe?
Mike Rogers, a former director of the U.S. National Security Agency, said:
“We know that China believes there is value in placing at least some elements of our core infrastructure at risk of destruction or disruption. I think that the Chinese are, in part, hoping that the widespread use of inverters limits the options that the West has to deal with the security issue.”
There are hundreds (if not thousands) of Chinese inverter and battery manufacturers that use cookie-cutter Linux (or worse still, Huawei Harmony OS) control systems and apps that will never patch their devices. Most use Chinese clouds that the CCP has command over.
It is the same issue with Chinese-made security cameras, routers and IoT. Sell and forget.
Our call is that larger global companies like Enphase (US-owned) will ensure that any of their products assembled in China are secure because they would have too much to lose. Enphase’s app is wholly developed in-house. It uses the independent UpGuard to monitor its security and has a good cybersecurity policy.
Will it ever be safe?
In November, solar power inverters in the U.S. and elsewhere were disabled remotely from China. The incident highlights the risk of foreign influence over local electricity supplies and has caused concern in government. Reuters was unable to determine how many inverters were switched off or the extent of disruption to grids. The DOE declined to comment on the incident.
The incident led to a commercial dispute between inverter suppliers Sol-Ark and Deye.
U.S. Representative August Pfluger, a Republican member of the Committee on Homeland Security, said:
“The threat we face from the Chinese Communist Party (CCP) is real and growing. Whether it’s telecom hacks or remotely accessing solar and battery inverters, the CCP stops at nothing to target our sensitive infrastructure and components.”
1Komma5 Chief Executive Philipp Schroeder said:
“China’s dominance is becoming a bigger issue because of the growing renewables capacity on Western grids and the increased likelihood of a prolonged and serious confrontation between China and the West. If you remotely control a large enough number of home solar inverters and do something nefarious at once, that could have catastrophic implications for the grid for a prolonged period.”
Legislation is starting to happen
The new US Decoupling from Foreign Adversarial Battery Dependence Act bans purchasing batteries/inverters from some Chinese entities, due to national security concerns. It will start in October 2027, as it will take time to implement and identify suspect Chinese manufacturers. The following companies are already on the list.
Batteries
- Contemporary Amperex Technology
- BYD
- Envision Energy
- EVE Energy
- Hithium Energy Storage
- Gotion High-tech
Inverters
It is likely to include inverters from Huawei, Sungrow and Ginlong Solis and their hundreds of white-labelled brands.
The U.S. Department of Energy (DOE) has begun work on Software Bills of Materials (SBOMs), or inventories of all the components that make up a software application, and other contractual requirements to try and restore ‘trust in the grid’. Regrettably, legislation may specify that batteries and inverters cannot be hacked, but the reality is that laws mean little to overseas interests or cybercriminals!
Other countries are acting quickly.
The Australian Government has been aware of this issue since early 2023. It has said and done nothing.

Lithuania and Estonia acknowledge the threats to energy security. In November 2024, the Lithuanian government passed a law blocking remote Chinese access to solar, wind and battery installations…by default restricting the use of Chinese inverters.
Estonia’s Director General of the Foreign Intelligence Service, Kaupo Rosin, said China could blackmail the country if it did not ban Chinese technology in crucial parts of the economy, such as solar inverters and batteries.
In Britain, the government’s review of Chinese renewable energy technology in the energy system includes inverters and batteries. Results soon!
NATO, the 32-country Western security alliance, said China’s efforts to control member states’ critical infrastructure, including inverters, were intensifying. “We must identify strategic dependencies and take steps to reduce them,” said a NATO official.
CyberShack’s view: Rooftop Solar spying on you – absolutely no question
Every rooftop battery and inverter has some form of communication and can call home. All have remote management capabilities. There is no question that a cyberattack could disable the rooftop system and, on a larger scale, bring down the energy grid.
Will it happen? My dad once said you can tell how honest a person is by what they will do if they know they can’t be caught (or don’t care).
We are likely safe in the short term. Still, if global tensions escalate, particularly between the West and China (and they could quickly over Taiwan), cyber warfare is inevitable.
But it won’t just be batteries and inverters. It will be every Chinese-made EV, mobility device, security camera, router, IoT, smartphone, and more.
We will read that a country has bloodlessly conquered another via an announcement in the daily newspaper.
Until then, resist the temptation to go cheap and look closely at the pedigree of the battery and inverter supplier, and get proof that the app cloud is not in China. Try to be the one house in the street that is safe!
CyberShack rooftop solar series – a must-read for anyone contemplating rooftop solar.
1 comment
Alex
THANK YOU