Security researcher Fred Bret-Mounet found vulnerabilities affecting the management unit (MMU) on his home's solar array, a device that monitors solar panels over the internet. According to a Forbes report, Bret-Mounet discovered an open Wi-Fi access point in the Tigo Energy TSR-4 retrofit that allowed anyone within range of the Wi-Fi connection to connect to the solar array.
He found that the device sent unencrypted personal information over an HTTP connection. Bret-Mounet was able to use a brute force attack to guess the default username and password required by the server.
He told Forbes that he then could have made configuration changes to other users' panels that could have been exploited to shut down their solar power.
When notified of the flaws, Tigo Energy told Bret-Mounet he had mistakenly been sent a development device. Approximately 1,000 other customers received the same device, the solar energy equipment company said.