Unprotected Over the Air: The Security Flaws in Hoymiles Inverters
Microinverters made by the Chinese manufacturer Hoymiles can be detected, switched off, and permanently disabled with a radio module costing a few euros, from several hundred metres away. The cause is a proprietary radio protocol with no encryption at all. A security researcher has demonstrated the attacks on his own devices.
- The radio protocol used by Hoymiles inverters has no cryptography at all: the only barrier is the serial number, and every inverter reveals it in plain text in response to an undocumented broadcast command.
- Affected are the HM, HMS, and HMT series without Wi-Fi, as well as identical devices sold under the brands E-Star, Solenso, and TSUN; radio range reaches up to roughly 350 metres.
- Under current law this is not a violation: the strict EU Cyber Resilience Act requirements for signed updates only take effect in December 2027.
Inverters convert the direct current from solar panels into standard grid alternating current. In balcony and smaller rooftop solar systems, this job usually falls to microinverters, compact units mounted directly at the panel. Hoymiles leads this market segment and says it supplies around 20 percent of the European market. Germany currently has roughly 1.4 million registered balcony solar systems, a significant share of them running Hoymiles hardware. That reach is exactly what makes the new findings serious. Security researcher Benedikt Heinz, known in the scene as “Hunz”, uncovered the flaws together with the Chaos Computer Club (CCC) and described them in two technical reports.
How does the attack work?
Hoymiles controls Wi-Fi-less inverters through its own “DTU protocol.” DTU stands for Data Transfer Unit, the radio gateway that connects the devices to the cloud. Hobbyists behind the open-source projects OpenDTU and AhoyDTU reverse-engineered this protocol starting in 2021 to read out their systems without the manufacturer’s cloud. That work revealed early on that the protocol encrypts nothing at all — no confidentiality, no integrity, no authenticity.
The only barrier is the device’s serial number, specifically its last eight digits. Whoever knows it can send commands. This was considered low-risk, since attackers normally don’t know the serial number of someone else’s system. Hunz disproved that assumption. He found an undocumented broadcast command in the firmware, internally called “Gongfa.” Every reachable inverter responds to this broadcast with its serial number in plain text — the supposedly secret barrier arrives gift-wrapped.
The HM series transmits on 2.4 GHz, the HMS and HMT series on 868 MHz. The range is considerable. According to the report, Hunz picked up responses from around 350 metres away, using an off-the-shelf 2.4 GHz module with 100 milliwatts of transmit power. In one of his own test runs, his self-built scanner found 24 foreign inverters along with their serial numbers within 20 minutes. For a neighbourhood in Augsburg, the trade portal cleanthinking, citing research by the weekly newspaper “Die Zeit,” reports 42 exposed systems within a single hour. Because the attack hardware is small enough to build compactly, it could even be mounted on a drone.
What can attackers actually do?
With the serial number in hand, an inverter can be switched on and off, and its output power adjusted. Two further findings from the second report are more serious: both the grid profile and the firmware can be changed over the air. The grid profile sets the parameters under which the device feeds power into the grid — voltage and frequency limits, and anti-islanding protection. Anti-islanding protection disconnects the feed-in the moment the public grid fails, protecting, for example, service technicians working on lines assumed to be dead.
Hunz was able to alter this profile: the protocol secures it only with a checksum (CRC) against transmission errors, not with a signature against deliberate tampering. An attacker can change the profile and simply recalculate the checksum. The firmware attack goes further still. The inverter accepts firmware updates over the air without any additional authentication, relying solely on the serial number. Hunz uploaded a custom firmware to his test device that switched the relay and LEDs on a continuous loop. He was also able to erase specific memory regions, including the bootloader, the device’s startup program.
After that, the inverter no longer ran and could only be recovered by opening the housing and rewriting it via the JTAG interface. This is a point where precision matters. Permanently disabling a device by erasing its memory — bricking — is something Hunz demonstrated on his own hardware; that much is proven. Physical destruction through electrical overload, by contrast, appears in the report only as a theoretical possibility — a footnote even concedes that the inverter’s grid monitoring would likely catch an overload attempt and simply shut the device down. Hunz also did not test the electrical consequences of a disabled anti-islanding function; he lacked a suitable test setup. What’s proven, in other words, is bricking, not fire.
Which devices are affected, and how many?
Hunz tested the HM-400 and HMS-600 models as representative samples. He lists the entire HM, HMS, and HMT series, across their various power classes, as potentially vulnerable; several model IDs responded during testing. Because many devices share the same model identifier, he assumes broad exposure. An important point for buyers: Hoymiles hardware also ships under other brand names. Hunz specifically names E-Star (for the HERF models), Solenso, and TSUN.
Anyone running one of these devices could be affected without ever having read the name Hoymiles. Newer devices with Wi-Fi and Bluetooth connectivity plus a password are, as far as is currently known, not vulnerable in the same way; whether they contain additional safeguards, the researcher could not conclusively determine. How many of the registered balcony solar systems run vulnerable Hoymiles hardware cannot be quantified.
How are the manufacturer and regulators responding?
The disclosure process dragged on. Hunz’s first call to Hoymiles Germany failed to get through; a callback did happen, but explaining the problem in both German and English proved unsuccessful. Formal notification to Hoymiles, Germany’s CERT-Bund, and the Federal Network Agency followed in mid-March 2026. As haus-garten-test and cleanthinking both report, citing the Zeit investigation, the CCC and Germany’s Federal Office for Information Security (BSI) had already contacted the manufacturer starting in February — without a response.
Only after the BSI brought in its Chinese counterpart, CNCERT, did Hoymiles respond in late June, saying the earlier emails had gone astray. By then the CCC had already gone public with the flaws and called for binding minimum IT security standards for grid feed-in devices. Regulators take a cautious view of the grid risk: grid operators, they say, could absorb a coordinated shutdown of many systems. The Federal Office for Information Security (BSI) takes a more critical stance: a spokesperson described a “significant risk potential” in inverters from Chinese manufacturers. Hunz himself declines to assess the grid risk, saying he lacks the broader picture — that assessment, he says, belongs to regulators and grid operators. This is not the first time Hoymiles has drawn scrutiny: back in 2023, a flaw surfaced in the manufacturer’s S-Miles cloud service, which was closed after it became public.
What will the announced patch fix — and what won’t it?
Hoymiles has announced an update for mid-October. The evidence for this is limited: no official security advisory referencing these flaws exists. In an online community forum, developers quote an internal Hoymiles announcement stating that new firmware will make it impossible for OpenDTU to manipulate the inverters in any way. That post mentions September as the timeframe, contradicting the October date reported in the media. Two things stand out. First, the announcement is framed primarily as a lockout of third-party software, not as a security fix for customers. Second, the community’s reading is that the encryption may apply only to the Wi-Fi models, that plain readout will remain unencrypted, and that the update will be rolled out through a cloud connection.
Both points are community interpretation from a forum, not confirmed manufacturer statements. If that turns out to be accurate, the vulnerable class of devices — radio-only units without Wi-Fi or cloud connectivity — would largely remain exposed, and distribution would depend on a connection many operators deliberately avoid. Hunz considers a robust short-term fix for the firmware problem unrealistic in any case; what’s needed, he argues, are digital signatures based on public-key cryptography and physical confirmation by the device owner before every update. The broadcast command can be removed in the short term; unauthenticated firmware uploads cannot.
What the case reveals about regulation
Notably, Hoymiles is not violating any current legal requirement with its unsigned over-the-air update. The EU Cyber Resilience Act (CRA), Europe’s law on the cybersecurity of connected products, has been in force since late 2024. But the reporting obligation for actively exploited vulnerabilities only takes effect in September 2026, and the binding requirement for security-by-design and updates across a product’s full lifetime doesn’t apply until December 2027. What Hunz demonstrated would be a legal violation from the end of 2027 onward — today, it sits in a grey zone.
What operators can do now
There is no complete fix available until new firmware arrives. Still, several steps make sense. Anyone running an original Hoymiles DTU should set an individual password immediately. This mainly prevents an attacker from setting their own password and locking the owner out; it does not, as things stand, protect against foreign firmware being installed. Anyone using OpenDTU or AhoyDTU can sharply increase the polling interval — to somewhere between 15 minutes and several hours — shrinking the attack surface. The only fully reliable measure remains disconnecting the solar panels from the inverter, since the device draws its own power from their direct current.
Conclusion
The Hoymiles case is not an argument against balcony solar, nor is it about the country of origin. It exposes a gap between existing law and strict enforcement: a mass-market product feeds power into the public grid without basic safeguards like signed updates — and that remains legal until the end of 2027. Whether the announced patch closes the actual vulnerability or mainly locks out open-source projects remains an open question. The case is becoming a test of whether the Cyber Resilience Act delivers on its promise.
According to the security researchers, the affected series are HM, HMS, and HMT without Wi-Fi, as well as identical devices sold under the brands E-Star, Solenso, and TSUN. You can check your own model through the manufacturer’s app or the label on the device. Newer devices with Wi-Fi and Bluetooth connectivity plus a password are, as far as is currently known, not vulnerable in the same way.
Anyone using an original Hoymiles DTU should set an individual password; this protects against being locked out, but not against foreign firmware being installed. With OpenDTU or AhoyDTU, sharply increasing the polling interval reduces the attack surface. The only fully reliable measure until new firmware arrives is disconnecting the solar panels from the inverter.
The security researcher was able to erase the bootloader on his own test device; afterward, the device could only be repaired by opening the housing and rewriting it via JTAG. This kind of permanent disabling is technically proven. Physical destruction through electrical overload, by contrast, appears in the report only as a theoretical possibility.
Hoymiles has announced an update, with September and mid-October both mentioned in different sources, so the timeline is unclear. No official security advisory from the manufacturer exists. It also remains open whether the update will reach radio-only devices without Wi-Fi or cloud connectivity.
The published investigation covers Hoymiles and its identical rebranded products E-Star, Solenso, and TSUN. For other manufacturers, such as Anker Solix, no comparable public finding regarding this radio vulnerability exists. That does not mean other systems are inherently secure — only that they were not part of this investigation.










