Security Vulnerability: Unauthorized Bluetooth Access to FoxESS H3-15.0-Smart Inverter

notashishk · Wed Apr 01, 2026 5:00 am

It has been observed that the FoxESS H3-15.0-Smart inverter allows unauthorized access via Bluetooth. Any nearby individual with the mobile app can connect to the inverter without proper authentication and modify critical settings such as network configuration. This presents a serious security risk, as malicious users could disrupt system operation.

Affected Device:
Model: H3-15.0-Smart
Firmware Version: master V1.39, Slave V1.00, ARM V1.24, data logger V2.09

Description:
Two separate installations of the same inverter model were tested (mine and my neighbor’s). From my mobile device, I was able to:

Discover the neighbor’s inverter via Bluetooth
Connect to the inverter without any authentication prompt
Access configuration settings
Change network (WiFi) settings

Additionally, during testing, I accidentally connected my neighbor’s inverter to my home WiFi network. This occurred without any ownership verification or confirmation step, further demonstrating the lack of access control and device isolation.

This indicates that Bluetooth access is either:
Not secured by default, or
Uses a shared/default credential that is not enforced or visible to users

Security Impact:
This vulnerability allows any person within Bluetooth range to:

Modify inverter configuration
Disconnect the inverter from its intended network
Redirect the inverter to a different network (as demonstrated)
Potentially disrupt power generation or monitoring
Cause denial of service by misconfiguring settings

In a real-world scenario, this could allow someone to intentionally shut down or interfere with a homeowner’s solar system without physical tampering.

Steps to Reproduce:

Install the FoxESS mobile application
Enable Bluetooth on the mobile device
Open the app near a target inverter
Scan for nearby devices
Select a discovered inverter (not owned by the user)
Observe that the connection is established without authentication
Attempt to modify settings such as WiFi configuration

Expected Behavior:
Bluetooth connections should require authentication (PIN/password)
Each inverter should have a unique credential (not shared/default)
Ownership verification should be required before allowing network changes
Unauthorized users should not be able to access or modify settings

Actual Behavior:
No authentication required for Bluetooth connection
Full access to configuration settings is granted upon connection
Network configuration can be changed without ownership verification

Suggested Fixes / Recommendations:

Enforce mandatory authentication for Bluetooth access (PIN or password)
Assign unique credentials per device (printed on unit or provided at setup)
Require ownership verification before allowing critical changes (e.g., WiFi setup)
Allow users to disable Bluetooth after initial configuration
Implement access control levels (read-only vs admin)
Add logging/alerts for unauthorized access attempts
Provide firmware update to address this vulnerability

Additional Notes:
This issue affects multiple units and is not isolated to a single installation, indicating a systemic design or firmware flaw. Given the potential impact on power systems, this should be treated as a high-priority security issue.

Conclusion:
Immediate action is recommended to secure Bluetooth access on FoxESS inverters. Without proper safeguards, this vulnerability exposes users to unauthorized control of critical infrastructure.