
Hoymiles Solar Inverter Fix Arrives Aug 30

Vulnerability confirmed: CCC finds unauthenticated OTA updates in Hoymiles HM series
The Chaos Computer Club (CCC) disclosed that Hoymiles HM‑series micro‑inverters can be accessed remotely without any authentication, allowing an attacker to change settings or shut the device down. The flaw affects only the discontinued HM line, which stopped production in August 2023, and it was detailed in the CCC’s public PDF report (https://www.ccc.de/system/uploads/382/original/hoymiles_dtu_vuln.pdf).
Hoymiles’ answer: a free firmware patch with AES‑128‑CBC encryption will be released on 30 August
Hoymiles says it activated an internal response team as soon as it learned of the issue and will ship a firmware update on 30 August 2024 at no cost to owners. The patch will encrypt OTA traffic with AES‑128‑CBC and will be validated against the EU RED EN 18031 cybersecurity standard before distribution (https://www.pv-magazine.com/2026/07/13/hoymiles-issues-response-after-security-vulnerability-identified-in-older-microinverters/). The company also notified Germany’s Federal Office for Information Security (BSI) about the plan (https://www.bsi.bund.de/EN/Home/home_node.html).
Why the flaw matters: unauthenticated OTA updates breach EU radio‑equipment rules
The CCC argued that any grid‑feeding device that accepts over‑the‑air firmware without authentication should not be sold in the EU, because it violates the Radio Equipment Directive (RED) security requirements (https://bsg.tech/blog/eu-radio-equipment-cybersecurity-red-en-18031-compliance-2025/). Without encryption, an attacker could remotely power the inverter off, alter its output, or even use it as a foothold to infiltrate a home network.
Industry context: similar inverter bugs have surfaced before
Recent coverage of inverter security incidents shows this is not an isolated case. Heise reported “inverter security nightmare” stories where compromised devices caused neighborhood‑wide outages (https://www.heise.de/en/news/Inverter-security-nightmare-Hoymiles-silences-neighborhoods-11357158.html), and Cybernews highlighted that the same vulnerability class has been found in other Chinese manufacturers (https://cybernews.com/security/china-solar-inverters-hack/). The trend underscores the growing importance of EN 18031 compliance for all connected PV gear.
Practical impact for homeowners and installers
- Immediate safety: Existing HM units will keep operating; owners do not need to disconnect or replace hardware.
- Update process: The firmware will be delivered over the internet and installed automatically; installers should verify the version after the 30 August rollout.
- Risk mitigation: Until the patch is applied, a malicious actor could shut a 10 kW system off for a day, costing roughly ₪22 (≈ 46 kWh × ₪0.48/kWh) in lost revenue for an Israeli homeowner.
What it means for Israel
Israel’s residential solar market typically sees a 10 kWp rooftop system generate about 17 000 kWh per year, worth ₪8 160 at the average residential tariff of ₪0.48 /kWh [Verified Israeli Solar Facts]. If a hacker exploited the unauthenticated OTA bug for just one day, the homeowner would lose roughly ₪22 in energy value – a small amount per incident but potentially larger if attacks are repeated or target commercial arrays (≈ ₪30 daily loss for a 15 kW system). The upcoming AES‑encrypted firmware therefore protects not only the grid’s stability but also the modest economic returns that Israeli solar owners rely on. Homeowners should schedule the update as soon as it is released and consider using micro‑inverters that already meet EN 18031 standards.
Outlook: stronger standards and faster patches are the new norm
The Hoymiles case illustrates how quickly a security flaw can spread across millions of small‑scale PV installations and how regulators (BSI, EU RED) are pushing manufacturers toward mandatory encryption. Industry analysts expect the EN 18031 requirement to become a baseline test for all new inverters by 2025 (https://bsg.tech/blog/eu-radio-equipment-cybersecurity-red-en-18031-compliance-2025/). For Israeli installers, this means checking certification labels (TÜV Rheinland, Dekra) and advising clients to keep firmware up‑to‑date – a simple step that safeguards both the grid and the homeowner’s pocket.
What it means for Israel
Using the typical Israeli figures (₪0.48/kWh tariff, 10 kWp system, 17 000 kWh/year output), a single day of inverter shutdown would erase about ₪22 of revenue. Over a year, repeated attacks could shave off several hundred shekels, eroding the ~₪8 160 annual return of a standard home system. The August 30 firmware, with AES‑128‑CBC encryption, eliminates that risk, preserving the economic case for rooftop solar and supporting Israel’s 30 % renewable electricity target for 2030.
Bottom line: Hoymiles will patch the HM‑series vulnerability on 30 August with a free, AES‑encrypted firmware update, restoring compliance with EU security standards and protecting Israeli solar owners from potential revenue loss.
Sources & further reading
- Public History of Solar Energy Cyberattacks and Vulnerabilities
- Hoymiles issues response after security vulnerability identified in...
- HMS-1000-2T not recognized following replacement by after-sales...
- Inverter security nightmare: Hoymiles silences neighborhoods
- Lee Felsenstein - The Osborne 1: Setting New Standards in Adequacy
FAQ
Which Hoymiles inverters are affected by the security flaw?
Only the HM‑series micro‑inverters that stopped production in August 2023 are vulnerable; newer Hoymiles models are not affected.
When will the firmware fix be available?
Hoymiles has scheduled the firmware update for 30 August 2024, and it will be provided free of charge.
What does the new firmware do?
It adds AES‑128‑CBC encryption to over‑the‑air updates and passes the EU RED EN 18031 cybersecurity assessment.
Do I need to disconnect my system before the update?
No, Hoymiles says all HM units continue to operate normally and can be updated remotely.
How could a hacker exploit the vulnerability?
Without authentication, an attacker could shut the inverter off, change its output settings, or use it as a gateway into a home network.
What is the financial impact for an Israeli homeowner if the inverter is hacked?
A one‑day shutdown of a typical 10 kWp system would cost about ₪22 in lost energy revenue (≈ 46 kWh × ₪0.48/kWh).
Share this post
More from Technology
6
Daikin Nexio Max Heat Pump Slashes Energy Use
Daikin’s Nexio Max rooftop heat pump, available in 7.5‑10 ton sizes, achieves up to 3.85 COP and can operate down to –25 °C, offering Israeli commercial buildings a low‑carbon heating option when combined with solar PV.

Geothermal Hydrogen Hits $1.75/kg in Iceland
Syntholene’s Icelandic pilot shows geothermal‑integrated SOEC can produce hydrogen at $1.75‑$2.10 /kg, about one‑third the cost of European green hydrogen.

China’s TCL Shifts 45 GW to Back‑Contact Solar
TCL Zhonghuan will convert 45 GW of TOPCon capacity into back‑contact production by early 2027, launching 680 W, 25.2 % efficient modules that could improve Israeli rooftop solar paybacks.

Solar Light Empowers Women Across Africa
אור שמש משפר מיידית בטיחות, בריאות והכנסה בכפרים אפריקאיים ללא רשת, ונשים מובילות מרבות את ההשפעה.

Inside Israel’s ‘Eye of Sauron’ Solar Tower
Israel’s ‘Eye of Sauron’ is the 240‑metre solar‑thermal tower at the Ashalim Power Station, delivering a sizable amount of clean, dispatchable electricity and helping the country meet its 2030 renewable target.

Hands‑On Solar Lab Trains the Next Generation
Lancaster County’s vocational school now runs a rebuildable 6.4 kW off‑grid solar‑plus‑storage lab, funded by state grants and using a DIY‑friendly EG4 6000XP inverter to give students hands‑on experience.