Reverse-engineering an encrypted IoT protocol #ReverseEngineering #IoT
Scott reverse-engineered the encrypted protocol GoodWe smart meters and solar inverters use to send metrics to the cloud.
The result of my lucky dip was a GoodWe DNS G3 Inverter and a GoodWe HomeKit 1000 Smart Meter. These devices look quite slick, and so does the website. They are also popular here in Australia, so my hopes were high that it would be easy to set up local monitoring, because surely someone else had figured out how to do it.
So Scott went about hacking the system to obtain energy-use metrics locally and to see how bad the security of this “cloud-only based system” really is. What was found:
Telnet left on in a production firmware image, with credentials admin:admin.
nmap can crash the device hard enough to factory reset.
Packets sent over TCP with identifying data (serial number) in the clear.
The metrics seem to be poorly encrypted (identical section of ciphertext in consecutive frames).
Unauthenticated configuration protocol.
A web UI that looks like it was hacked together in an afternoon. Inspecting the source shows lots of commented out HTML blocks.
And it looks like their AES encryption key is 16 bytes of 0xff!
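Two of the findings above (identical ciphertext sections in consecutive frames, and a fixed all-0xff AES key) are exactly what a defender can check for in a packet capture without knowing the protocol: with a deterministic mode such as ECB, equal 16-byte plaintext blocks encrypt to equal ciphertext blocks, so repeated blocks inside a frame or shared between consecutive frames are a strong sign of weak encryption. The script below is an added example written for this post, not code from Scott's write-up or from GoodWe; the frame layout (a 12-byte clear header followed by an encrypted payload) and the sample frames are constructed for illustration, and the degenerate-key check simply flags keys made of one repeated byte, as the post reports.

```python
"""Spot ECB-style block reuse and degenerate keys in captured frames (constructed example)."""
import hashlib
from collections import Counter
from typing import Dict, List, Set, Tuple

BLOCK = 16  # AES block size in bytes


def split_blocks(frame: bytes, offset: int = 0, block: int = BLOCK) -> List[bytes]:
    """Return the whole block-sized chunks of frame[offset:], ignoring a trailing partial block."""
    body = frame[offset:]
    usable = len(body) - len(body) % block
    return [body[i:i + block] for i in range(0, usable, block)]


def repeated_blocks_within(frame: bytes, offset: int = 0) -> Dict[bytes, int]:
    """Blocks that occur more than once inside one frame: a hallmark of ECB on repetitive data."""
    counts = Counter(split_blocks(frame, offset))
    return {b: n for b, n in counts.items() if n > 1}


def shared_blocks_between(frame_a: bytes, frame_b: bytes, offset: int = 0) -> Set[bytes]:
    """Ciphertext blocks that appear in both frames, e.g. an unchanged metric re-encrypted deterministically."""
    return set(split_blocks(frame_a, offset)) & set(split_blocks(frame_b, offset))


def analyze_capture(frames: List[bytes], offset: int = 0) -> List[Tuple[int, str, int]]:
    """Walk a capture in order and report (frame index, finding, count) for every suspicious frame."""
    findings: List[Tuple[int, str, int]] = []
    for i, frame in enumerate(frames):
        dup = repeated_blocks_within(frame, offset)
        if dup:
            findings.append((i, "repeated block within frame", len(dup)))
        if i > 0:
            shared = shared_blocks_between(frames[i - 1], frame, offset)
            if shared:
                findings.append((i, "block shared with previous frame", len(shared)))
    return findings


def is_degenerate_key(key: bytes) -> bool:
    """True for keys such as 16 x 0xff or 16 x 0x00: a single byte value repeated for the whole key."""
    return len(key) > 0 and len(set(key)) == 1


# --- Constructed sample capture (hypothetical layout, not the real GoodWe framing) ---
HEADER_LEN = 12                       # assumed clear-text header carrying the serial number
HEADER = b"SN-EXAMPLE01"              # 12 bytes, placeholder serial in the clear

# Hand-built "ciphertext" blocks: A..E stand in for ECB output of fixed plaintext blocks.
A, B, C, D, E = (bytes([v]) * BLOCK for v in (0x11, 0x22, 0x33, 0x44, 0x55))


def _pseudo_random_block(label: str) -> bytes:
    """Deterministic stand-in for a block produced by a randomised mode (e.g. CBC with a fresh IV)."""
    return hashlib.sha256(label.encode()).digest()[:BLOCK]


SAMPLE_FRAMES = [
    HEADER + A + B + A + C,           # frame 0: block A appears twice inside one frame
    HEADER + A + D + E + C,           # frame 1: blocks A and C repeat from frame 0
    HEADER + b"".join(_pseudo_random_block(f"good-{i}") for i in range(4)),  # frame 2: no reuse
]

if __name__ == "__main__":
    for index, finding, count in analyze_capture(SAMPLE_FRAMES, HEADER_LEN):
        print(f"frame {index}: {finding} ({count} distinct block(s))")
    print("all-0xff key is degenerate:", is_degenerate_key(b"\xff" * 16))
```

The same analysis works on real traffic by replacing SAMPLE_FRAMES with the TCP payloads from a capture and HEADER_LEN with the length of whatever clear-text prefix precedes the encrypted part; a healthy scheme (a randomised IV or nonce per frame) should produce no findings at all, so any hit is worth escalating.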
Check out the very thorough analysis in the post here.