James Showalter describes a fairly specific, if not entirely implausible, nightmare scenario. Someone drives to your home, cracks your Wi-Fi password, then starts messing around with the solar inverter mounted next to your garage, a modest grey box that converts direct current from your rooftop panels into the alternating current that runs your home.
“We need solar stalkers” for this scenario to unfold, Showalter says, describing someone who would have to physically show up in your driveway with both the technical know-how and the motivation to hack a home energy system.
Showalter, CEO of EG4 Electronics, a Sulphur Springs, Texas-based company, doesn’t consider that series of events particularly likely. Still, it is why his company landed in the spotlight last week, when US cybersecurity agency CISA published an advisory detailing security vulnerabilities in EG4’s solar inverters. According to CISA, the flaws could allow an attacker who has access to the same network as an affected inverter, along with its serial number, to intercept data, install malicious firmware, and seize control of the entire system.
For the roughly 55,000 customers who own the affected EG4 inverter models, this episode probably felt like a disturbing introduction to a device they barely understand. What they are learning is that modern solar inverters are no longer simple power converters. They now act as the backbone of a home energy installation, monitoring performance, communicating with utility companies, and feeding power back to the grid when there is excess.
A lot of this happened without people realising it. “No one knew what solar inverters were doing five years ago,” said Justin Pascale, a leading consultant at Dragos, a cybersecurity company specializing in industrial systems. “We’re talking about it at the national and international level now.”
Security shortcomings and customer complaints
Some numbers highlight the extent to which individual US homes are becoming miniature power plants. Small-scale solar power generation (mainly from homes) grew more than fivefold between 2014 and 2022, according to the U.S. Energy Information Administration.
Each solar installation adds another node to a growing network of interconnected devices. Each one contributes to energy independence, and each also becomes a potential entry point for those with malicious intent.
When pressed on his company’s security standards, Showalter acknowledges its shortcomings, but he also deflects. “This is not an EG4 issue,” he says. “This is an industry-wide issue.” On a Zoom call, and later in this editor’s inbox, he produced a 14-page report cataloging 88 solar energy vulnerability disclosures across commercial and residential applications since 2019.
His customers (who went to Reddit to complain) are not all sympathetic, especially given that the CISA advisory revealed basic design flaws: inverter communication that occurred in unencrypted plain text, a lack of integrity checks, and basic authentication procedures.
“These were basic security revocations,” says a customer of the company who asked to speak anonymously. “It adds humiliation to an injury,” the individual continues.
When asked why EG4 didn’t immediately warn customers when CISA contacted the company, Showalter calls it a “live and learning” moment.
“We’re so close [to addressing CISA’s concerns] and that’s a very positive relationship with CISA, and we were trying to advise people after we reached the ‘Done’ button, so we’re not in the middle of the cake being baked,” Showalter says.
TechCrunch contacted CISA earlier this week to find out more. The agency has not responded. In its EG4 advisory, CISA stated that “public exploitation targeting these vulnerabilities has not been reported to CISA at this time.”
Ties with China raise security concerns
Though unrelated, the timing of EG4’s public relations crisis coincides with broader unease about the security of the renewable energy equipment supply chain.
Earlier this year, US energy officials reportedly began reassessing the risks posed by devices made in China after discovering unexplained communications equipment in some inverters and batteries. Undocumented cellular radios and other communication devices were found in equipment from multiple Chinese suppliers, according to a Reuters investigation. These were components that did not appear on official hardware lists.
This reported finding carries particular weight given China’s dominance in solar. That same Reuters story pointed out that Huawei is the world’s largest supplier of inverters, accounting for 29% of shipments worldwide in 2022, followed by fellow Chinese companies Sungrow and Ginlong Solis. Approximately 200 GW of European solar capacity is linked to inverters made in China, which corresponds to over 200 nuclear power plants.
The geopolitical implications have not gone unnoticed. Last year, Lithuania passed a law blocking remote access to solar, wind and battery installations over 100 kilowatts, effectively restricting the use of Chinese inverters. Showalter said his company has been responding to customer concerns by starting to move away from Chinese suppliers and toward components made by companies elsewhere, including in Germany.
However, the vulnerabilities CISA described in the EG4 system raise questions that extend beyond the practices of a single company or the procurement of components. The US standards agency NIST warns that “if you control enough home solar inverters remotely and do something creepy at once, it can have devastating significance to the grid for a long period of time.”
The good news (if any) is that, although theoretically possible, this scenario faces many practical limitations.
Pascale, who works with utility-scale solar installations, notes that residential inverters serve two main functions. A mass attack would require a vast number of individual homes to be breached simultaneously. (Such attacks are not impossible; some companies have remote access to their customers’ solar inverters, as security researchers demonstrated last year.)
The regulatory framework that governs large installations does not currently extend to residential systems. The North American Electric Reliability Corporation’s Critical Infrastructure Protection standards currently apply only to large facilities that produce more than 75 megawatts, such as solar farms.
Residential installations fall far below these thresholds and operate in a regulatory grey zone where cybersecurity standards remain proposals rather than requirements.
The end result is that the security of thousands of small installations depends heavily on the discretion of individual manufacturers operating in a regulatory vacuum.
For example, on the issue of unencrypted data transmission, one of the reasons EG4 was flagged by CISA, Pascale points out that plain-text transmission is common in utility-scale production environments and can even be encouraged for network monitoring.
“When you see encryption in an enterprise environment, that’s not allowed,” he explains. “But looking at the production environment, most things are sent in plain text.”
Put another way, the real concern is not an immediate threat to individual homeowners. Instead, it is tied to the overall vulnerability of the rapidly expanding network. As the energy grid becomes more and more distributed, the attack surface expands exponentially as power flows from millions of small sources rather than dozens of large sources. Each inverter represents a potential pressure point for a system that is not designed to accommodate this level of complexity.
Showalter embraces CISA’s intervention as what he calls “a trust upgrade,” an opportunity to distinguish his company in a crowded market. He says that EG4 has been working with the agency to address the identified vulnerabilities since June, and by October it reduced an initial list of 10 concerns to three remaining items. This process includes updating the firmware transmission protocol, implementing additional identity verification for technical support calls, and redesigning the authentication procedure.
But for people like the anonymous EG4 customer who voiced frustration with the company’s response, the episode underscores the strange position in which solar adopters find themselves. They bought what they understood as a climate-friendly technology.