Hoymiles Solar Inverter Fix Arrives Aug 30

By Daniel IliyaguevJuly 13, 20264 min readIn category: Technology
solar inverter
Source: ARTURO AÑEZ. / PEXELSImage for illustration only
AI-generated summary of the articleHow we report
Want the full picture? Read our complete guide: Technology

Vulnerability confirmed: CCC finds unauthenticated OTA updates in Hoymiles HM series

The Chaos Computer Club (CCC) disclosed that Hoymiles HM‑series micro‑inverters can be accessed remotely without any authentication, allowing an attacker to change settings or shut the device down. The flaw affects only the discontinued HM line, which stopped production in August 2023, and it was detailed in the CCC’s public PDF report (https://www.ccc.de/system/uploads/382/original/hoymiles_dtu_vuln.pdf).

Hoymiles’ answer: a free firmware patch with AES‑128‑CBC encryption will be released on 30 August

Hoymiles says it activated an internal response team as soon as it learned of the issue and will ship a firmware update on 30 August 2024 at no cost to owners. The patch will encrypt OTA traffic with AES‑128‑CBC and will be validated against the EU RED EN 18031 cybersecurity standard before distribution (https://www.pv-magazine.com/2026/07/13/hoymiles-issues-response-after-security-vulnerability-identified-in-older-microinverters/). The company also notified Germany’s Federal Office for Information Security (BSI) about the plan (https://www.bsi.bund.de/EN/Home/home_node.html).

Why the flaw matters: unauthenticated OTA updates breach EU radio‑equipment rules

The CCC argued that any grid‑feeding device that accepts over‑the‑air firmware without authentication should not be sold in the EU, because it violates the Radio Equipment Directive (RED) security requirements (https://bsg.tech/blog/eu-radio-equipment-cybersecurity-red-en-18031-compliance-2025/). Without encryption, an attacker could remotely power the inverter off, alter its output, or even use it as a foothold to infiltrate a home network.

Industry context: similar inverter bugs have surfaced before

Recent coverage of inverter security incidents shows this is not an isolated case. Heise reported “inverter security nightmare” stories where compromised devices caused neighborhood‑wide outages (https://www.heise.de/en/news/Inverter-security-nightmare-Hoymiles-silences-neighborhoods-11357158.html), and Cybernews highlighted that the same vulnerability class has been found in other Chinese manufacturers (https://cybernews.com/security/china-solar-inverters-hack/). The trend underscores the growing importance of EN 18031 compliance for all connected PV gear.

Practical impact for homeowners and installers

  • Immediate safety: Existing HM units will keep operating; owners do not need to disconnect or replace hardware.
  • Update process: The firmware will be delivered over the internet and installed automatically; installers should verify the version after the 30 August rollout.
  • Risk mitigation: Until the patch is applied, a malicious actor could shut a 10 kW system off for a day, costing roughly ₪22 (≈ 46 kWh × ₪0.48/kWh) in lost revenue for an Israeli homeowner.

What it means for Israel

Israel’s residential solar market typically sees a 10 kWp rooftop system generate about 17 000 kWh per year, worth ₪8 160 at the average residential tariff of ₪0.48 /kWh [Verified Israeli Solar Facts]. If a hacker exploited the unauthenticated OTA bug for just one day, the homeowner would lose roughly ₪22 in energy value – a small amount per incident but potentially larger if attacks are repeated or target commercial arrays (≈ ₪30 daily loss for a 15 kW system). The upcoming AES‑encrypted firmware therefore protects not only the grid’s stability but also the modest economic returns that Israeli solar owners rely on. Homeowners should schedule the update as soon as it is released and consider using micro‑inverters that already meet EN 18031 standards.

Outlook: stronger standards and faster patches are the new norm

The Hoymiles case illustrates how quickly a security flaw can spread across millions of small‑scale PV installations and how regulators (BSI, EU RED) are pushing manufacturers toward mandatory encryption. Industry analysts expect the EN 18031 requirement to become a baseline test for all new inverters by 2025 (https://bsg.tech/blog/eu-radio-equipment-cybersecurity-red-en-18031-compliance-2025/). For Israeli installers, this means checking certification labels (TÜV Rheinland, Dekra) and advising clients to keep firmware up‑to‑date – a simple step that safeguards both the grid and the homeowner’s pocket.


What it means for Israel

Using the typical Israeli figures (₪0.48/kWh tariff, 10 kWp system, 17 000 kWh/year output), a single day of inverter shutdown would erase about ₪22 of revenue. Over a year, repeated attacks could shave off several hundred shekels, eroding the ~₪8 160 annual return of a standard home system. The August 30 firmware, with AES‑128‑CBC encryption, eliminates that risk, preserving the economic case for rooftop solar and supporting Israel’s 30 % renewable electricity target for 2030.


Bottom line: Hoymiles will patch the HM‑series vulnerability on 30 August with a free, AES‑encrypted firmware update, restoring compliance with EU security standards and protecting Israeli solar owners from potential revenue loss.

Sources & further reading

FAQ

Which Hoymiles inverters are affected by the security flaw?

Only the HM‑series micro‑inverters that stopped production in August 2023 are vulnerable; newer Hoymiles models are not affected.

When will the firmware fix be available?

Hoymiles has scheduled the firmware update for 30 August 2024, and it will be provided free of charge.

What does the new firmware do?

It adds AES‑128‑CBC encryption to over‑the‑air updates and passes the EU RED EN 18031 cybersecurity assessment.

Do I need to disconnect my system before the update?

No, Hoymiles says all HM units continue to operate normally and can be updated remotely.

How could a hacker exploit the vulnerability?

Without authentication, an attacker could shut the inverter off, change its output settings, or use it as a gateway into a home network.

What is the financial impact for an Israeli homeowner if the inverter is hacked?

A one‑day shutdown of a typical 10 kWp system would cost about ₪22 in lost energy revenue (≈ 46 kWh × ₪0.48/kWh).

Share this post

More from Technology

6
Aerial view of a commercial building rooftop covered with solar panels
TTechnology

Daikin Nexio Max Heat Pump Slashes Energy Use

Daikin’s Nexio Max rooftop heat pump, available in 7.5‑10 ton sizes, achieves up to 3.85 COP and can operate down to –25 °C, offering Israeli commercial buildings a low‑carbon heating option when combined with solar PV.

4 min read
solar tower Israel
TTechnology

Inside Israel’s ‘Eye of Sauron’ Solar Tower

Israel’s ‘Eye of Sauron’ is the 240‑metre solar‑thermal tower at the Ashalim Power Station, delivering a sizable amount of clean, dispatchable electricity and helping the country meet its 2030 renewable target.

4 min read
solar training
TTechnology

Hands‑On Solar Lab Trains the Next Generation

Lancaster County’s vocational school now runs a rebuildable 6.4 kW off‑grid solar‑plus‑storage lab, funded by state grants and using a DIY‑friendly EG4 6000XP inverter to give students hands‑on experience.

3 min read
Get in touch

Have a question or a project?

Send us a message — about solar, a story tip, advertising or anything else. We'll get back to you.

We'll only use your details to reply.