APsystems: Cloud vulnerability allowed firmware exchange
APsystems inverters communicate with the manufacturer's cloud systems. A vulnerability allowed firmware smuggling.
(Image: APsystems / heise medien)
IT researchers took a closer look at a microinverter from APsystems, model EZ1-M. They discovered vulnerabilities that allow attackers to inject arbitrarily manipulated firmware.
Vulnerabilities in the cloud systems of inverter manufacturers are nothing new; all major and minor providers struggle with them. For example, Hoymiles had to fix security vulnerabilities in its cloud services in 2023 that could be used to destroy inverters. At the beginning of last year, IT researchers from Forescout took a closer look at photovoltaic systems and discovered 46 new vulnerabilities after initially collecting nearly 100 older known security flaws -- the majority of which affected solar monitoring systems and the cloud backends behind them. The current investigation, however, uncovered some peculiarities and used interesting methods to do so.
Analysis using artificial intelligence
The employees of the small IT security firm Jakkaru from Kassel, North Hesse, have published their approach and a more detailed analysis. They examined the firmware of the ESP32-C2-based photovoltaic microinverter APsystems EZ1-M and found the address of the manufacturer's MQTT broker along with two random-looking strings next to it. Since reverse engineering the firmware was challenging, the IT researchers fed disassembled C code to the Gemini Pro AI model for interpretation. This worked surprisingly well and made the connection process easy to understand. It turned out that the device serial number -- a sequential and therefore predictable number -- is AES-encrypted with apparently static keys; the Base64-encoded results serve as the username and password for the MQTT broker, respectively.
During further analysis, they discovered the MQTT topics used for over-the-air (OTA) firmware updates. Subscribing to those topics directly with the generated credentials was not possible. MQTT, however, supports retained messages: the broker stores the last retained message on a topic and delivers it immediately to any client that subscribes to that topic afterwards. This made the following attack possible: a malicious actor connects to the MQTT broker with the derived credentials, which interrupts the connection of the genuine microinverter, and then publishes an OTA update message with the retained flag set, containing their own serial number. OTA update messages also contain a URL parameter pointing to the firmware download, which the attacker can set arbitrarily. Once its connection has been cut, the inverter reconnects, receives the retained message, and starts the OTA update.
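The two weaknesses described above combine: because the credentials can be derived from a predictable serial number, authentication alone cannot be the security boundary, so the broker needs per-client authorization on publish (not only on subscribe), and the device needs to validate an OTA message before it downloads anything. The following Python model of those two checks is an added example written for this article, not code from the researchers, APsystems or any MQTT broker. The topic layout (`devices/<serial>/status|cmd|ota`), the `backend` role and the firmware host allowlist are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumed topic layout (not from the article): one status, command and OTA
# topic per device, keyed by the device serial number.
DEVICE_TOPIC = re.compile(r"^devices/(?P<serial>\d+)/(?P<kind>status|cmd|ota)$")

# Assumed: the only host devices may fetch firmware images from.
ALLOWED_FIRMWARE_HOSTS = {"fw.example.invalid"}


@dataclass(frozen=True)
class Principal:
    """Identity the broker established for a client at CONNECT time."""
    role: str                 # "device" or "backend"
    serial: Optional[str]     # device serial; None for the backend


def authorize_publish(who: Principal, topic: str, retain: bool) -> Tuple[bool, str]:
    """Broker-side ACL: may this client publish (possibly retained) to topic?"""
    m = DEVICE_TOPIC.match(topic)
    if not m:
        return False, "unknown topic"
    serial, kind = m.group("serial"), m.group("kind")
    if who.role == "backend":
        # Only the backend issues commands and OTA updates. OTA messages are
        # never stored as retained messages, so a device that reconnects
        # cannot pick up an update left behind on the broker.
        if kind == "ota" and retain:
            return False, "OTA messages must not be retained"
        return True, "ok"
    # A device may only report its own status; it never publishes commands
    # or OTA messages, and never into another device's topics.
    if kind in ("cmd", "ota"):
        return False, "devices may not publish commands or OTA messages"
    if serial != who.serial:
        return False, "cross-device publish"
    return True, "ok"


def authorize_subscribe(who: Principal, topic: str) -> bool:
    """Broker-side ACL: a device may only subscribe to its own topics."""
    m = DEVICE_TOPIC.match(topic)
    if not m:
        return False
    if who.role == "backend":
        return True
    return m.group("serial") == who.serial


def accept_ota_message(device_serial: str, msg: dict) -> Tuple[bool, str]:
    """Device-side check run before any firmware download starts."""
    if msg.get("serial") != device_serial:
        return False, "serial mismatch"
    url = urlparse(msg.get("url", ""))
    if url.scheme != "https" or url.hostname not in ALLOWED_FIRMWARE_HOSTS:
        return False, "firmware URL not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a client authenticated as serial 1001 tries to
    # plant a retained OTA message for serial 1002, as in the article.
    rogue = Principal("device", "1001")
    print(authorize_publish(rogue, "devices/1002/ota", retain=True))
    # The device itself also refuses an update that names a foreign host.
    print(accept_ota_message("1002", {"serial": "1002",
                                      "url": "http://evil.example.invalid/fw.bin"}))
```

The broker-side rules stop the attack at the publish step; the device-side check is the fallback for the case where the broker policy is wrong. Neither replaces signed firmware images verified on the device before flashing, which is the control that makes an arbitrary download URL harmless.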
Based on their scans, the IT researchers estimate that around 100,000 EZ1-M inverters are reachable. Other devices that use the same MQTT brokers could also be vulnerable. Attackers could use manipulated firmware to infiltrate networks, launch DDoS attacks, destroy devices, or destabilize power grids through mass device shutdowns, the researchers further explain. APsystems was contacted in mid-November of the previous year and needed until the end of February 2026 to close the security vulnerabilities and conduct tests. These vulnerabilities have now been closed.
(dmk)