James Showalter describes a pretty specific, if not completely unlikely nightmare scenario. Someone drives your home, breaks the Wi-Fi password and then begins to confuse the solar converter placed next to your garage-this unobtrusive gray box that converts the immediate stream from the panels of the top floor on your alternate stream.
“You have to have a solar stalker” to play this scenario, says the showalter, describing the kind of person who should naturally appear on your way with both technical know -how and motivation to lose the energy system in your home.
Showalter, its chief executive EG4 ElectronicsA company based in Sulfur Springs, Texas, does not particularly consider this sequence of events. Still, this is why his company last week was in the spotlight when Cybersecurity’s CISA service Published consulting Security vulnerability details of EG4 solar converters. The defects, as Cisa noted, could allow an invader to access the same network as an influenced converter and its serial number for data tracking, install malicious firmware or understand control of the entire system.
For the about 55,000 customers with the EG4 Inverter model, the episode probably felt like a worrying introduction to a device that does not understand little. What they are learning is that modern solar inverters are no longer mere power inverters. They now serve as the backbone of energy facilities at home, watched the performance, communicating with utilities and, when excessive power, supplying it back to the network.
Many of them happened without people observing. “No one knew what the solar inverter was five years ago,” observes Justin Pascale, a main adviser to Dragos, a cyberspace company specializing in industrial systems. “Now we’re talking about it at national and international level.”
Safety deficiencies and customer complaints
Some of the numbers emphasize the extent to which individual houses in the US become tiny power stations. According to US Energy Information Administration, small-scale solar installations-mostly inhabited-increased More than five times Between 2014 and 2022. What was once the province of climate supporters and the first adopted became more common due to the decline of costs, government incentives and increasing awareness of climate change.
Each solar installation adds another node to an expanding network of interconnected devices, each who contributes to energy independence, but also to become a potential entry point for someone with malicious intent.
TechCrunch event
Francisco
|
27-29 October 2025
When pressed on his company’s security standards, Showalter recognizes his weaknesses, but also diverts. “This is not an eg4 problem,” he says. “This is a problem throughout the industry.” Over a zoom call and later, to this author’s inbox, produced a 14 -page report Flood 88 Solar Energy vulnerability notifications in commercial and residential applications since 2019.
Not all of its customers – some of whom Got on Reddit To protest – they are sympathetic, especially as CISA’s counseling revealed fundamental design defects: Communication between follow -up and converter applications appeared in non -encrypted simple text, firmware updates that had no integrity controls and elementary controls.
“These were fundamental security,” says one company customer who asked to speak anonymously. “Adding an injury to injury,” this person continues, “EG4 didn’t even bother to alert me or offer proposed measurements.”
Asked why EG4 did not immediately alert customers when Cisa arrived at the company, Showalter calls it a moment “alive and learning”.
‘Because we are so close [to addressing CISA’s concerns] And it’s such a positive relationship with Cisa, we were going to get the “project” button and then advise people, so we’re not in the middle of the cake that is baked, “the showalter says.
TechCrunch arrived at Cisa earlier this week for more information. The organization has not answered. In his advice on EG4, CISA states that “no well -known public exploitation specifically aimed at these vulnerabilities has been mentioned in CISA at the moment”.
Connections with China cause security concerns
While not related, the timetable of the EG4 public relations crisis coincides with wider concerns about the safety of the supply chain of renewable energy equipment.
Earlier this year, US energy officials began re -evaluating the dangers created by devices made in China after discovering unexplained communication equipment within some converters and batteries. According to Reuters surveyCell radios without paper and other communication devices were found in equipment by many Chinese suppliers – accessories that had not appeared on official material lists.
This reported discovery bears a certain weight, given China’s sovereignty in solar production. Reuters’s same story noted that Huawei is the largest supplier in the world, representing 29% of missions worldwide in 2022, followed by Chinese classmates Sungrow and Ginlong Solis. Some 200 GW of European solar energy capacity It is associated with converters manufactured in China, which is about equivalent to more than 200 nuclear stations.
The geopolitical consequences have not escaped the notice. Lithuania passed a law Excluding remote Chinese access to solar, wind and battery installations over 100 kW, effectively limiting the use of Chinese converters. Showalter says his company responds to customer concerns, starting to move away from Chinese suppliers and to components made by companies elsewhere, including Germany.
However, the vulnerabilities described in the EG4 systems raise questions that extend beyond the practices of the single company or where its ingredients go. The US Standard Service NIST warns That “if you control a fairly large number of solar home converters and you are doing something bad, this could have a devastating impact on the network for a prolonged period of time.”
The good news (if any) is that while theoretically possible, this scenario faces many practical restrictions.
Pascale, who works with utility -scale solar facilities, notes that household inverters mainly serve two functions: converting power from directly to alternating current and facilitating the connection back to the network. A mass attack would at the same time require the huge number of individual houses. (These attacks are not impossible, but they are more likely to entail the targeting of the manufacturers themselves, some of whom have remote access to their customers’ solar converters, proved by security researchers last year.)
The regulatory framework governing the larger facilities is now not expanding to residential systems. The Standards of Critical Infrastructure of North America Electric Reliability power Only in larger facilities that produce 75 megawatts or more, such as solar farms.
Because housing facilities fall so much below these thresholds, they operate in a regulatory gray zone where cyberspace standards remain proposals rather than demands.
But the end result is that the safety of thousands of small facilities depends largely on the discretion of individual manufacturers operating in a regulatory gap.
On the issue of non -encrypted data transmission, for example, which is one reason that EG4 has received that the CISA slap, Pascale notes that in functional utility environments, simple text transmission is common and sometimes encouraged for network monitoring purposes.
“When you look at encryption in a business environment, it is not allowed,” he explains. “But when you look at a business environment, most things are transmitted to simple text.”
In another way, real concern is not an immediate threat to individual homeowners. Instead it is linked to the total vulnerability of a rapidly growing network. As the energy grid is increasingly distributed, with the power flowing from millions of small sources and not dozens of large, the attack surface is expanding. Each inverter represents a potential pressure point in a system that was never designed to accommodate this level of complexity.
Showalter has embraced CISA’s intervention as what he calls “upgrade of trust” – an opportunity to differentiate his company in a full market. He says that since June, the EG4 has worked with the organization to cope with the defined vulnerabilities, reducing an initial list of 10 concerns in three remaining elements that the company expects to resolve by October. The process included updating the firmware transmission protocols, the application of identity verification for technical support calls and the redesign of authentication processes.
But for those who like an anonymous EG4 client who spoke with frustration about the company’s response, the episode highlights the strange position that solar adoptors are.
