Solar inverter security: cloud risks, kill switch and local control

On November 15, 2024, thousands of solar power plant owners in the United States, Britain, and Pakistan woke up without electricity. The sun was shining on the panels, the inverters were working, the wires were intact — but an error message was displayed on the screens, and the plants simply would not turn on. It turned out that the Chinese manufacturer Deye had remotely turned off its own inverters due to a trade conflict with its American distributor Sol-Ark. With a single batch of commands from a server in China. Without any warning to end users, who had no idea whose brand they had on their walls.
This story matters not because it is a conspiracy theory, but because it is so ordinary. There were no hackers, no intelligence agencies, no hidden "implants": the manufacturer simply used a mechanism that it had built into the product itself, namely the ability to reach your device at any time via the cloud and change its behavior. If that can be done for the sake of a commercial dispute, then technically it can be done for any other reason.

Two different levels of risk

When people talk about the "danger of cheap Chinese inverters," they are actually mixing up two separate problems, and they need to be dealt with differently.
The first level is cloud-based. The inverter is constantly in touch with the manufacturer's server: it sends telemetry, receives settings, and receives firmware updates. As long as this channel works, the switch is not physically in your hands but in a data center thousands of kilometers away. The Deye case is an example of the vendor itself taking advantage of this. A separate story dates from May 2025, when Reuters reported that American specialists, while disassembling a number of Chinese inverters and batteries, found undocumented communication modules inside, including cellular radio modems that are not in the specifications. Theoretically, such an "extra" channel makes it possible to bypass the corporate firewall that the network operator puts in place precisely to prevent the inverter from "calling home." It is worth remaining sober here: the story is based on anonymous sources, and no evidence that these modules have already been used maliciously has been publicly presented. But the very fact that the US and EU governments began to act proactively suggests that the risk was recognized as real rather than as mere headline material.
The second level is ordinary vulnerabilities. Neither an evil manufacturer nor a state is needed here; mediocre code is enough. In the spring of 2025, Forescout published the SUN:DOWN study, in which it analyzed the products of the six largest market players — Huawei, Sungrow, Solis, Growatt, GoodWe, and the German SMA. They found 46 new vulnerabilities, and together with the already known ones about 93, of which 80% were rated high or critical, with CVSS scores of up to 9.8–10. Among the findings: unauthorized access to other people's objects in cloud APIs (IDOR), cross-site scripting in web panels, the ability to upload an arbitrary file and execute code on the server, passwords embedded in the code, unverified certificates in the mobile application, a buffer overflow in the Wi-Fi dongle, and, most unpleasantly, "over the air" firmware updates without any authentication. The latter means that an attacker could, in principle, install their own firmware on the inverter and persist on it permanently.
What is particularly frightening is not the holes themselves but the arithmetic of the grid. According to the same researchers, in order to lower the frequency of the European power system to the point at which emergency load shedding is activated, it is enough to control approximately 4.5 GW of power. Against the background of ~270 GW of solar generation in Europe, this is less than 2% of inverters. That is, a coordinated botnet of several percent of hacked devices is no longer a problem of one household, but a question of the stability of an entire country.

Can we just abandon the cloud?

The short answer is: mostly yes, and it's the most effective step an owner can take on their own. The long answer is more complicated, because "going cloud-free" means different things for monitoring and for control.
Data can be read locally from almost any inverter today. Most models have an RS485 port and communicate using the Modbus RTU protocol, an industry standard that does not depend on any server. The most popular scheme in the Home Assistant community looks like this: a bridge costing pennies, based on an ESP32 or ESP8266 with a MAX485 chip, is connected to the A/B terminals of the inverter, the ESPHome firmware is flashed onto it, and the device starts sending telemetry via MQTT directly to your local automation system. Not a single byte goes outside. For brands such as Solplanet, Solis, Growatt, SolaX, and FoxESS, the community has already collected ready-made configs with register maps; all that remains is to replicate them. Some inverters (Huawei, SolarEdge) support Modbus TCP over Ethernet, which is even easier. And if you don't want to dig into the internals at all, there is a brand-independent way: clamp-on current meters like the Shelly 3EM or IoTaWatt, which read the real current on the wire and don't care at all about what's in the inverter's firmware.
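As an added illustration (not code from the original article or from any vendor), this is what such a bridge exchanges with the inverter over RS485: a Modbus RTU read request and the validation of the reply. The unit id, register addresses and register meanings are assumptions; a real register map comes from the inverter's documentation or a community config.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def with_crc(body: bytes) -> bytes:
    """Append the CRC the way it travels on the wire: low byte first."""
    return body + struct.pack("<H", crc16_modbus(body))

def build_read_request(unit: int, start: int, count: int, function: int = 0x03) -> bytes:
    """Frame a 'read holding registers' request for `count` registers from `start`."""
    return with_crc(struct.pack(">BBHH", unit, function, start, count))

def parse_read_response(frame: bytes, unit: int, function: int = 0x03) -> list[int]:
    """Validate a reply and return the register values; ValueError on anything odd."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        raise ValueError("CRC mismatch (line noise, wrong baud rate or wiring)")
    if body[0] != unit:
        raise ValueError(f"reply from unit {body[0]}, expected {unit}")
    if body[1] == function | 0x80:
        raise ValueError(f"Modbus exception code {body[2]}")
    if body[1] != function or body[2] != len(body) - 3 or body[2] % 2:
        raise ValueError("malformed response")
    return list(struct.unpack(f">{body[2] // 2}H", body[3:]))

# Constructed replies, not captured from a real inverter. A hypothetical register
# map defines the two registers as AC power in W and battery state of charge in %.
SAMPLE_REPLY = with_crc(bytes.fromhex("01 03 04 0C 1C 00 57"))
SAMPLE_EXCEPTION = with_crc(bytes.fromhex("01 83 02"))  # "illegal data address"

if __name__ == "__main__":
    print("request:", build_read_request(unit=1, start=0, count=2).hex(" "))
    power_w, soc_pct = parse_read_response(SAMPLE_REPLY, unit=1)
    print(f"AC power {power_w} W, battery {soc_pct} %")
```

Modbus RTU carries no authentication or encryption: anything that can reach the RS485 pair, or the bridge over the network, can read and write registers, which is why the bridge itself belongs in the isolated segment.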
The situation with control is more subtle. Limiting the output power, controlling battery charging, and synchronizing the clock are also possible via local Modbus; enthusiasts even build a "man in the middle" (MITM) that intercepts the exchange between the inverter and the meter in order to impose their own logic. But there are limits that cannot be removed: the grid-code compliance functions (voltage and frequency thresholds, shutdown time, behavior during grid faults) are built into the firmware and regulated by law. This is not a whim of the vendor but a safety requirement, and that is why no one will give you full control over the "brains" of a grid-tie inverter.
Therefore, the correct strategy is not to “take all the intelligence out of the inverter,” but to isolate it from the internet and leave it smart only locally. In practice, this means:
  • Move the inverter and its Wi-Fi/Ethernet dongle to a separate VLAN for IoT, completely cut off from the rest of the home network.
  • On the router, block any outgoing traffic to the Internet for this VLAN — let it "call home" as much as it wants, the packets won't go anywhere.
  • Or disconnect the standard cloud dongle altogether and work only through the local RS485 bridge.
  • Run all analytics, automation, and notifications on the Home Assistant instance in your home.
This architecture eliminates both levels of risk at once. The manufacturer can no longer turn off your inverter on command or push an “update” because there is no physical way to the device from the outside. And even if there is a vulnerability in the firmware, no one can exploit it as long as the inverter is not exposed to the Internet.
An honest nuance: the price of this is the loss of a convenient factory application, remote warranty diagnostics, and automatic updates. For some, this is an acceptable trade-off, for others, it is not. But at least the choice becomes yours, not the vendor's.
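To confirm that the outbound block described above actually holds, the router's packet log can be audited. This is an added example, not part of the original article; the VLAN subnet, the interface names and the log prefixes are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed addressing: the inverter VLAN, and the ranges treated as "local".
IOT_VLAN = ipaddress.ip_network("192.168.30.0/24")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Constructed lines in a trimmed Linux netfilter LOG layout. "iot-wan-drop" and
# "fwd-accept" are hypothetical prefixes for the router's own rules; the public
# destinations are documentation addresses (RFC 5737).
SAMPLE_LOG = """\
kernel: iot-wan-drop IN=vlan30 OUT=wan SRC=192.168.30.21 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=443
kernel: iot-wan-drop IN=vlan30 OUT=wan SRC=192.168.30.21 DST=203.0.113.10 PROTO=TCP SPT=49153 DPT=443
kernel: fwd-accept IN=vlan30 OUT=vlan10 SRC=192.168.30.21 DST=192.168.10.5 PROTO=TCP SPT=50000 DPT=1883
kernel: fwd-accept IN=vlan30 OUT=wan SRC=192.168.30.22 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=123
kernel: fwd-accept IN=vlan10 OUT=wan SRC=192.168.10.5 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=443
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def audit_iot_egress(log_text, drop_prefix="iot-wan-drop"):
    """Return (leaks, blocked) for flows from the IoT VLAN to non-local addresses.

    leaks   - flows logged by any rule other than the drop rule: traffic that got out
    blocked - Counter of dropped attempts: where the device tries to call home
    """
    leaks, blocked = [], Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue                      # not a packet log line
        if src not in IOT_VLAN or any(dst in net for net in LOCAL_NETS):
            continue                      # other VLANs, or local traffic such as MQTT
        flow = (str(src), str(dst), fields.get("PROTO"), fields.get("DPT"))
        if drop_prefix in line:
            blocked[flow] += 1
        else:
            leaks.append(flow)
    return leaks, blocked

if __name__ == "__main__":
    leaks, blocked = audit_iot_egress(SAMPLE_LOG)
    print("leaks:", leaks)
    print("blocked:", dict(blocked))
```

A non-empty `leaks` list means a rule ordering or addressing mistake lets the VLAN reach the Internet. The audit only sees traffic that crosses the router, so an undocumented cellular modem of the kind mentioned earlier would not show up in it.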

What if we take a "branded" inverter with an office in the EU?

Here, owners often fall for a major misconception. Solplanet, GoodWe, and Sungrow do indeed have representative offices, warehouses, and service in Europe, but this is a marketing and logistics presence, not a change of jurisdiction or origin. Solplanet is a brand of AISWEI, a company that is part of the Chinese Chint group. GoodWe is a Chinese company from Jiangsu. Sungrow is a Chinese giant from Hefei, whose founder Cao Renxian is publicly linked to industry structures under party control. A European office does not make an inverter “European”: the production, the parent company, and, most importantly, the legal framework under which the company is obliged to cooperate with its own country's intelligence services all remain the same.
Does this mean that overpaying for them makes no sense? No. It’s just that the premium buys accountability rather than immunity. And this is not an empty word. The same Forescout study showed that Sungrow and the German SMA closed the vulnerabilities found in their products quickly and issued public bulletins, while Growatt reacted slowly and reluctantly. The European office is the party against which you can file a claim under the GDPR, which is subject to the requirements of the Cyber Resilience Act, the Radio Equipment Directive, and the ETSI EN 303 645 standard, and which has a reputational incentive to sign firmware and promptly patch holes. A cheap, nameless inverter from AliExpress has no such accountable party at all.
At the same time, you should not confuse more expensive with safer. The most telling detail of the entire study is that vulnerabilities were also found in SMA, the only European manufacturer in the sample. The origin of the brand is no guarantee: people write code everywhere, and they make mistakes everywhere. A brand with an office in the EU reduces the likelihood of a deliberate “switch” and increases the chance of a quick patch, but does not exempt you from the same homework with network isolation.
The regulatory background only confirms that the topic is serious. The EU has already classified inverters as a "high-risk dependency," the review of the Cyber Resilience Act was deliberately slowed down precisely because of China's dominance in the market, and in the spring of 2026, Brussels openly spoke about a possible restriction of "high-risk" inverters from a number of countries. That is, even at the state level, they are betting not on faith in the honesty of the vendor, but on reducing dependency and strengthening control.

What to take away from all this?

Think of an inverter not as a household appliance, but as an internet-connected computer that powers your home. In this logic, priorities are simple.
The biggest lever is in your hands, and it's free: cut the inverter off from the cloud, isolate it in a separate network segment, and control it locally through Home Assistant over Modbus. This removes both the risk of remote shutdown and the lion's share of the risk of hacking, regardless of whose logo is on the case.
The brand comes second, as a choice of whom you trust to be accountable. A manufacturer with a real office in the EU, a history of quickly closing vulnerabilities, and support for local protocols is better than a no-name inverter not because it is “not Chinese,” but because there is someone to hold to account and because it technically allows you to isolate yourself.
And the worst-case scenario is a cheap inverter without local access that can only work through a closed cloud application. It combines both levels of risk and does not give you any tools to protect yourself. If the choice is between such a device and a slightly more expensive one with RS485 and an identifiable vendor, the difference in price is already paid for by the very opportunity to hold the switch yourself.

Author

Valentyn Tsykhan