Firewall rules to limit attack surface of LuxPower/EG4 solar inverters
jsharkey/lxp-firewall
This is a collection of Linux nftables firewall rules that perform deep packet inspection to limit the external attack surface of these popular solar hybrid inverters:
- EG4 18kPV-12LV
- EG4 12000XP
- LuxPower LXP-LB-EU 12K
See below for background information and examples of how to deploy these rules.
Warning
These firewall rules prevent remotely modifying any inverter settings from the cloud or app, meaning you'll need to modify them in person at the physical inverter LCD, or temporarily lift these rules. There is a narrow allowance that permits remotely modifying the date/time to adjust for clock drift and to apply DST changes.

This assumes you're running an OpenWrt 22.03+ based router, which is after they migrated to an nftables based firewall.
1. Gain SSH access to your OpenWrt router.
2. Copy the `10-lxp.nft` file to `/etc/nftables.d/10-lxp.nft` on the router, possibly using a command like this:

   ```
   scp -O ~/Downloads/10-lxp.nft root@192.168.1.1:/etc/nftables.d/10-lxp.nft
   ```

3. Reload your firewall rules using `/etc/init.d/firewall reload` or by rebooting.
4. Block suspicious DNS domains locally using `dnsmasq` rules in `/etc/config/dhcp`, or by adding them to a NextDNS denylist:

   ```
   list server '/.fogcloud.io/'
   ```

5. Reload your DNS rules using `/etc/init.d/dnsmasq reload` or by rebooting.
I've been working with an EG4 18kPV-12LV hybrid inverter, and was curious about how its cloud monitoring system was designed. To my surprise, there is no encryption whatsoever, and raw RS485 MODBUS commands are being sent directly across the public internet. 😲
This means a MITM attacker has trivial control over sensitive inverter parameters, such as battery thresholds and grid-interactive features. As just one example, the parameters used for IEEE 1547 interaction could be misconfigured as part of a larger effort to destabilize the grid. Finally, the entire inverter firmware appears to be updatable via this route, possibly opening up an even wider attack surface area beyond just the documented MODBUS parameters. 😲
There were recent rumors of solar inverters being attacked remotely, but they appear to have been dispelled after investigators followed up. Regardless, it remains prudent to reduce the external attack surface of these devices, as they are often connected to potent energy storage systems.

One way to mitigate this would be to completely disconnect the inverter from the Internet, but that would mean having to roll our own local monitoring. Efforts have been made by others to build this out, but they require additional local hardware and can be complex to configure and manage.
As an alternative, we can use the raw plaintext protocol to our advantage and write a handful of deep packet inspection (DPI) firewall rules that allow a handful of vetted innocent requests through, while blocking all other mutation requests or otherwise undocumented features. This lets us leverage the existing cloud monitoring infrastructure and inverter as-is with no extra hardware requirements.
Additionally, there are some suspicious DNS requests emanating hourly from the MiCO IoT OS for `mac.fogcloud.io` and `alimac.fogcloud.io`. They don't currently resolve, which means if they become active in the future they could unlock dormant behavior, so they should be blocked using local `dnsmasq` rules or a NextDNS denylist.
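Blocking the domains is one half; the other half is noticing whether the inverter keeps asking for them and from which LAN address. The following is an added example, not part of the lxp-firewall project: a small detection pass over dnsmasq query logs (the `query[TYPE] NAME from CLIENT` lines dnsmasq emits when `log-queries` is enabled, which is the assumed input format) that flags lookups for the two `fogcloud.io` names above and counts them per client. The log lines in the block are constructed, not a real capture.

```python
"""Added example (not part of the lxp-firewall project): flag dnsmasq queries
for denylisted domains and count them per LAN client.

Assumed input: dnsmasq 'log-queries' lines of the form
  '... dnsmasq[PID]: query[TYPE] NAME from CLIENT'
"""
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Domain from the README; matched as a suffix so subdomains such as
# mac.fogcloud.io and alimac.fogcloud.io are caught too.
DENYLIST = ("fogcloud.io",)

QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def is_denied(name: str, denylist=DENYLIST) -> bool:
    """True if name equals a denylisted domain or is a subdomain of one.

    A bare endswith() would also match 'notfogcloud.io', so the match
    requires either equality or a dot before the denylisted suffix.
    Trailing dots and case are normalised first.
    """
    host = name.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in denylist)


def flag_queries(lines: Iterable[str], denylist=DENYLIST) -> List[Tuple[str, str, str]]:
    """Return (client, name, qtype) for every denylisted query in the log."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_denied(m["name"], denylist):
            hits.append((m["client"], m["name"], m["qtype"]))
    return hits


def hits_per_client(hits: Iterable[Tuple[str, str, str]]) -> Counter:
    """Count flagged queries per source address, to spot which host is asking."""
    return Counter(client for client, _name, _qtype in hits)


# Constructed sample log lines, not a real capture.
SAMPLE_LOG = [
    "Jan  5 03:00:01 dnsmasq[1234]: query[A] mac.fogcloud.io from 192.168.1.50",
    "Jan  5 03:00:02 dnsmasq[1234]: query[A] alimac.fogcloud.io from 192.168.1.50",
    "Jan  5 03:00:09 dnsmasq[1234]: query[AAAA] notfogcloud.io from 192.168.1.20",
    "Jan  5 03:00:15 dnsmasq[1234]: query[A] example.com from 192.168.1.20",
    "Jan  5 04:00:01 dnsmasq[1234]: query[A] MAC.FOGCLOUD.IO. from 192.168.1.50",
]

if __name__ == "__main__":
    hits = flag_queries(SAMPLE_LOG)
    for client, name, qtype in hits:
        print(f"{client:15s} {qtype:5s} {name}")
    print(hits_per_client(hits))
```

On OpenWrt the input would typically be the output of `logread`, piped in or read from a file; the per-client counter makes it obvious if a device other than the inverter starts resolving the same names.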
Using extensive local packet captures I wrote `tests.py` to confirm that the nftables rules are allowing or blocking commonly observed packet flows.
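To make the allow/deny policy behind the DPI rules concrete, and to show the kind of check a test harness like the one above would run against captured flows, here is an added example in Python. It is not the project's nftables ruleset or its `tests.py`, and it does not reproduce the inverter's actual register map: it parses Modbus RTU frames (unit address, PDU, CRC-16, the RS485 framing the inverter tunnels), rejects frames with a bad CRC, allows the standard read function codes, allows writes only to an assumed placeholder clock register range (the "narrow allowance" for date/time), and blocks every other write or undocumented function code by default. All frames in the block are constructed.

```python
"""Added example (not the project's nftables rules or tests.py): a Python model
of the README's policy over Modbus RTU frames.

Allowed: read requests; writes that fall entirely inside a clock register range.
Blocked: all other writes, unknown/vendor function codes, malformed frames.
"""
from dataclasses import dataclass
from typing import Tuple

# Public Modbus function codes (Modbus application protocol spec).
READ_FUNCS = {0x01, 0x02, 0x03, 0x04}          # read coils / inputs / registers
WRITE_SINGLE_REG = 0x06
WRITE_MULTI_REGS = 0x10
OTHER_WRITE_FUNCS = {0x05, 0x0F, 0x16, 0x17}    # coil writes, mask write, read/write

# ASSUMPTION: placeholder holding-register range for date/time. The real
# inverter register map is not given in the README.
CLOCK_REGISTERS = range(0x0010, 0x0016)


@dataclass
class Verdict:
    allow: bool
    reason: str


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected poly 0xA001, init 0xFFFF, no final xor."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in RTU framing: unit address, PDU, CRC with low byte first."""
    body = bytes([unit]) + pdu
    return body + crc16_modbus(body).to_bytes(2, "little")


def parse_frame(frame: bytes) -> Tuple[int, bytes]:
    """Split an RTU frame into (unit, pdu); raise ValueError on bad length or CRC."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, crc_bytes = frame[:-2], frame[-2:]
    if crc16_modbus(body) != int.from_bytes(crc_bytes, "little"):
        raise ValueError("CRC mismatch")
    return body[0], body[1:]


def classify_pdu(pdu: bytes) -> Verdict:
    """Reads pass; clock-range writes pass; everything else is blocked."""
    if not pdu:
        return Verdict(False, "empty PDU")
    func = pdu[0]
    if func in READ_FUNCS:
        return Verdict(True, f"read request 0x{func:02x}")
    if func == WRITE_SINGLE_REG and len(pdu) >= 5:      # func, addr(2), value(2)
        addr = int.from_bytes(pdu[1:3], "big")
        if addr in CLOCK_REGISTERS:
            return Verdict(True, f"clock write to register 0x{addr:04x}")
        return Verdict(False, f"write to register 0x{addr:04x} blocked")
    if func == WRITE_MULTI_REGS and len(pdu) >= 6:      # func, start(2), count(2), nbytes
        start = int.from_bytes(pdu[1:3], "big")
        count = int.from_bytes(pdu[3:5], "big")
        # Every register in the span must lie inside the allowance.
        if count and all(r in CLOCK_REGISTERS for r in range(start, start + count)):
            return Verdict(True, f"clock write of {count} register(s) from 0x{start:04x}")
        return Verdict(False, f"multi-register write from 0x{start:04x} blocked")
    if func in OTHER_WRITE_FUNCS or func in (WRITE_SINGLE_REG, WRITE_MULTI_REGS):
        return Verdict(False, f"mutation request 0x{func:02x} blocked")
    # Default deny: vendor-specific or undocumented function codes never pass.
    return Verdict(False, f"undocumented function 0x{func:02x} blocked")


def inspect_frame(frame: bytes) -> Verdict:
    """Full path a packet would take: framing/CRC check, then policy."""
    try:
        _unit, pdu = parse_frame(frame)
    except ValueError as exc:
        return Verdict(False, f"malformed frame: {exc}")
    return classify_pdu(pdu)


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real inverter.
    samples = {
        "read holding regs": bytes.fromhex("010300000002c40b"),
        "write clock reg": build_frame(1, bytes([0x06, 0x00, 0x10, 0x07, 0xE9])),
        "write other reg": build_frame(1, bytes([0x06, 0x00, 0x80, 0x00, 0x01])),
        "undocumented code": build_frame(1, bytes([0x5A, 0x00, 0x00])),
        "corrupted frame": bytes.fromhex("010300000002c40c"),
    }
    for name, frame in samples.items():
        v = inspect_frame(frame)
        print(f"{name:18s} {'ALLOW' if v.allow else 'BLOCK'}  {v.reason}")
```

The default-deny branch at the end is the important design choice: the README's concern about firmware updates and undocumented features riding the same tunnel is addressed by refusing anything that is not explicitly on the allow list, rather than by enumerating what to block.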
When attempting to modify settings in the cloud or app I now get "Timeout" or "Unknown error" messages, and then it takes a few minutes for the RS485 tunnel to be reestablished and automatic statistics to begin flowing again.