Nov 6, 2025
The increasing adoption of balcony solar power systems represents a positive step towards decentralized, renewable energy. However, as these systems become more integrated into our homes and the national power grid, cybersecurity becomes more important than ever. As part of our cybersecurity mission at Jakkaru, we investigated the security of these systems and discovered significant vulnerabilities affecting major resellers and prominent inverter manufacturers.
The Growing Risk of Connected Energy Devices
Balcony power systems are appealing devices for consumers, but from a cybersecurity standpoint, they introduce new risks. To provide modern features like performance monitoring and remote control via smartphone apps, these inverters are connected to the internet. While convenient, this connectivity exposes them to potential attacks. A widespread, coordinated shutdown of these devices could have a destabilizing effect on the power grid, making their security a matter of public interest.
Many consumers purchase their solar setups as complete kits from resellers. These companies often provide a branded mobile app for managing the system, which means they store sensitive data about their customers and their devices.
Our investigation of one such company quickly revealed critical flaws. Within two hours, we identified a vulnerability in their platform that allowed us to elevate a standard user account to full administrative privileges. This gave us access to the company's entire administrative dashboard.
This allowed us to view and download the data of all registered users, approximately 84,000 in total. The exposed information was highly sensitive:
For roughly 41,000 users, the database contained their home Wi-Fi network name and password in plain text.
For approximately 23,000 users, the precise GPS coordinates of the inverter were also stored.
The combination of a user's home location with their Wi-Fi credentials presents an extreme security risk. It provides a direct path for an attacker to access the private home networks of tens of thousands of individuals and businesses. This raises serious questions about the necessity and security of storing such sensitive information.
Flaws in Manufacturer Platforms
APsystems is a well-known manufacturer of microinverters, including their popular EZ1-M series. We analyzed the mobile app they provide for managing these devices, "AP EasyPower", and discovered a fundamental security oversight. Some inverters had an attribute set that made them accessible to all user accounts, including demo accounts. The system's backend did not verify whether a user was actually authorized to control the inverter they were sending commands to. This meant that anyone who knew a device's unique ID could control it.
While this would be a minor issue if the IDs were random and difficult to guess, they were not. The inverter IDs followed a small number of predictable patterns. By systematically testing these patterns, we could identify active devices. Our scan, which took roughly 24 hours, confirmed the existence of approximately 100,000 vulnerable inverters from this series alone. For each of these devices, it was possible to retrieve owner information and, most critically, remotely shut down or restart the inverter.
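The scan described above leaves a distinctive trace in API logs: one account touching far more distinct device IDs than any owner has, with a noticeable share of "not found" responses. The following detection logic is an added example written for this post, not code from APsystems or the authors; the log line format, the field names and the sample lines are constructed, and the thresholds are assumptions to tune per platform.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API log lines (not real data); the line format is assumed.
SAMPLE_LOG = """\
2025-07-10T09:00:01Z account=demo device=7000001234 action=status status=200
2025-07-10T09:00:02Z account=demo device=7000001235 action=status status=404
2025-07-10T09:00:03Z account=demo device=7000001236 action=status status=200
2025-07-10T09:00:04Z account=demo device=7000001237 action=status status=404
2025-07-10T09:00:05Z account=demo device=7000001238 action=status status=200
2025-07-10T09:00:06Z account=demo device=7000001239 action=status status=200
2025-07-10T09:00:07Z account=u1023 device=7000009876 action=status status=200
2025-07-10T09:05:00Z account=u1023 device=7000009876 action=stop status=200
"""
LINE_RE = re.compile(r"^(\S+) account=(\S+) device=(\S+) action=(\S+) status=(\d+)$")

def parse_log(text):
    # One dict per well-formed line; malformed lines are skipped, not guessed.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, account, device, action, status = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "account": account, "device": device,
                           "action": action, "status": int(status)})
    return events

def detect_enumeration(events, window=timedelta(minutes=5), max_distinct=5):
    # Sliding window per account: flag when one account touches more distinct
    # device IDs than a legitimate owner plausibly has. Returns
    # {account: (peak distinct IDs in a window, share of 404 responses)}.
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for i, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:
                start += 1
            peak = max(peak, len({x["device"] for x in evs[start:i + 1]}))
        if peak > max_distinct:
            not_found = sum(1 for x in evs if x["status"] == 404) / len(evs)
            flagged[account] = (peak, round(not_found, 2))
    return flagged
```

A demo or shared account appearing in the flagged set is a particularly strong signal, since such accounts should never need to address devices by ID at all.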
Sunways
A similar investigation into the manufacturer Sunways yielded equally concerning results. Sunways provides a web portal for customers and resellers to monitor their solar installations. To allow potential customers to explore the platform, they offer a public demo account.
We found that this demo account had been misconfigured and possessed full administrator rights over the entire platform. This level of access allowed us to view and control every solar installation managed through their system. We identified approximately 44,000 affected solar installations, all of which could be remotely switched on or off through this single, unsecured demo account.
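Both manufacturer findings come down to the same missing control: the backend never asked whether this account may act on this device, and a demo account was treated like any other (APsystems) or like an administrator (Sunways). The following is an added example written for this post, not code from either vendor or from the authors; the roles, the demo_visible flag, the device registry and the IDs are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "owner", "demo" or "admin"; a demo account must never carry "admin"

@dataclass
class Inverter:
    device_id: str
    owner_id: str
    demo_visible: bool = False  # hypothetical flag: may appear in demo views (read only)
    running: bool = True

class AuthorizationError(Exception):
    pass

def make_registry():
    # Constructed sample devices; the IDs are placeholders, not real serials.
    return {"INV-0001": Inverter("INV-0001", owner_id="alice"),
            "INV-0002": Inverter("INV-0002", owner_id="bob", demo_visible=True)}

def control_vulnerable(user, device_id, action, devices):
    # Vulnerable pattern described in the post: knowing the ID is the only
    # "check", so any authenticated account, demo included, switches any device.
    dev = devices[device_id]
    dev.running = action == "start"
    return dev.running

def authorize(user, dev, action):
    # Central policy, evaluated per object and per action. Returns False for a
    # missing device too, so a caller cannot tell "absent" from "not yours".
    if dev is None:
        return False
    if user.role == "admin":
        return True
    if action == "read":
        return dev.owner_id == user.user_id or (user.role == "demo" and dev.demo_visible)
    # start/stop: demo accounts never, otherwise only the device's owner
    return user.role != "demo" and dev.owner_id == user.user_id

def control(user, device_id, action, devices):
    # Hardened handler: look the device up, ask the policy, then act.
    if action not in ("read", "start", "stop"):
        raise ValueError("unknown action")
    dev = devices.get(device_id)
    if not authorize(user, dev, action):
        raise AuthorizationError("not found or not permitted")
    if action != "read":
        dev.running = action == "start"
    return dev.running
```

The policy lives in one function so that every endpoint (status, start, stop, owner details) goes through the same object-level and role check rather than each handler re-deciding on its own.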
Data Visualization
What follows are visualizations of all inverters in Europe and the Philippines. Please note that not all inverters are shown, since some are missing GPS data.


Implications
The findings from this and other investigations highlight a troubling lack of basic security measures across the consumer solar industry. Flaws such as missing authorization checks, insecure data storage practices, and overly permissive account configurations put consumers and critical infrastructure at significant risk. Manufacturers and resellers must prioritize the security of their products to ensure the safe and reliable growth of decentralized energy production.
Responsible Disclosure
As a cybersecurity company, responsible disclosure is of the utmost importance to us. Unfortunately, to date APsystems has not replied to our emails. We notified the German BSI-CERT about our findings. They acknowledged the misconfigurations at APsystems and Sunways but did not initiate a responsible disclosure procedure. The reseller quickly fixed the vulnerabilities after our report.
10.07.2025: Vulnerability report sent to Sunways and APsystems
11.07.2025: Notifying BSI-CERT about our findings
14.07.2025: Asking for update from Sunways
22.07.2025: Contacting BSI-CERT again after no response from APsystems and Sunways
28.07.2025: Contacting Sunways and APsystems employees on LinkedIn
31.07.2025: BSI-CERT asking for proof-of-concept script
19.08.2025: BSI-CERT responding, saying the findings do not qualify for a CVD
19.08.2025: Notifying BSI-CERT about the disclosure date
17.10.2025: Notifying Sunways and APsystems about the disclosure date, offering more time if needed
27.10.2025: Notifying Sunways once again through different mail addresses found via the user API
28.10.2025: Final report sent to Sunways
29.10.2025: Sunways replying saying it will be fixed
05.11.2025: Sunways notified us that the vulnerabilities are fixed
