Deye deactivates solar inverters in USA, UK and Pakistan

[German]This is a critical issue that I have come across recently and illustrates the risk of IT shutdowns by vendors/manufacturers or countries. The Chinese manufacturer Deye, also represented in German balcony power plants and solar system installations with inverters, has switched off such devices in the USA, Great Britain, Pakistan and several other countries as of November 15, 2024. The solar systems are dead!

Cyber risks with solar inverters

I have mentioned the cyber security risks associated with solar power systems several times in my German blog. In general terms, the German article Cybersecurity: Die Risiken bei Photovoltaik-Solaranlagen warns of vulnerabilities in solar power systems.

My German article Deye-Wechselrichter: Schwachstellen und Zugriff des Anbieters auf das Netzwerk deals with technical issues with Deye inverters for balcony solar panels (a big thing in Germany). Inverters for balcony solar panel systems delivered in Germany  by Deye were not standard-compliant and had to be retrofitted for security regualation purposes with a relay box. However, there was a problem with the installing this relay box.

Deye SUN600G3 module inverter for balcony solar panel units

The conclusion at the time was that the manufacturer Deye has access to the inverters and can change them. I did not make this up out of thin air, but Deye indirectly confirmed this to me as an aid for users with the following instructions:

Please have your inverter online so that Deye can perform remote diagnostics.

I wrote in the blog post "This was the first (unsurprising but) official confirmation that the manufacturer Deye can access the inverters via the cloud connection and manipulate their firmware and the parameters stored there (see also this German comment by Karsten H.). It is also possible to shut down the inverter. In this German comment, blog reader Norddeutsch pointed out various security aspects of the Deye solution."

Long story short: Attackers and manufacturers can switch off the inverters (not only from Deye) via the Internet (see also my article links at the end of the article). Nobody really wanted to know. Now the scenario has become reality.

Inverter switched off on 15. November 2024

It has already come to my attention these days, a comment from Norddeutsch in the discussion area reminded me that I should report on it. The facts are illustrated by the following image in this BlueSky tweet.

In the above tweet, solarboi.com links to the postSol-Ark manufacturer reportedly disables all Deye inverters in the US from November 17, 2024. The message is that all Deye inverters sold by Sol-Ark as a supplier in the USA have been switched off.

Addendum: Derek from solarboi.com has sent me a correction or clarification. The statement is that no Sol-Ark inverters are affected by the shutdown. There is also no indication that Deye can shut down Sol-Ark inverters. Sol-Ark could probably shut down Sol-Ark brand inverters if they are connected to the internet, but not Deye.

However, the photo shows that the inverters are not permitted in Pakistan, the USA and the UK and have therefore been switched off. A contact is given for each country, which those affected should contact.

On dy-support.org there is also this German entry by an affected person from Costa Rica, which contains some more information. A discussion can also be found on reddit.com..

Legal disputes reason for shutdown?

It is important to know that Sol-Ark is a supplier of battery storage systems and inverters for solar installations. Sol-Ark is also represented in Germany. From the article on solarboi.com, I read that Deye is the contract manufacturer of Sol-Ark hybrid inverters. Furthermore, Sol-Ark has had the exclusive right to sell the inverters in the USA since 2018. This is probably based on court documents filed in legal disputes.

The explanation given is that Deye brand inverters were sold by several companies for installation in the USA. This constituted a breach of Sol-Ark's exclusivity agreement with Deye. As a result, Sol-Ark asserted its contractual rights to exclusive distribution in court.

Problem: Other countries are affected

The photo above already shows that not only the USA is affected by the deactivation of the inverters. Suppliers are also named for Pakistan and Great Britain, which those affected should contact.

The article on solarboi.com mentions that a Sol-Ark supporter has also received calls from affected people in Canada. There are these forum posts where this shutdown from Canada is confirmed. However, deactivated inverters have also been reported from Puerto Rico and Panama.

The statement from Sol-Ark

A statement from Sol-Ark, posted online at solarboi.com, says that the company learned of the inverter shutdown, which resulted from the unauthorized sale of Deye brand inverters in Puerto Rico and the US.

The way I read the statement, Deye initiated the shutdown of the inverters that did not come through Sol-Arc (or its resellers) via the Internet. Only Deye inverters that are not connected to the Internet will continue to work.

In the statement, Sol-Arc complains that the message shown on the screen (see photo from the above tweet) suggests that Sol-Arc acts as the contact for support for inverters not supplied by the company. However, Sol-Ark is said to have no control over the "actions of Deye", who are believed to have carried out the shutdown of the non-Sol-Ark Deye inverters.

In the statement, Sol-Arc offers end users the purchase of equivalent inverters at a reduced price from November 15, 2024 to December 31, 2024.

The fall from grace has occurred

I pointed out at the beginning that there was a risk that the inverters from Deye (or other providers) could be manipulated remotely from China or by attackers. It was kind of smiled away, unless I misinterpreted it. There are also large installations in Germany with inverters from Deye.

Now the case that was always warned about (including by me) has simply materialized. In a statement, Sol-Ark's head of marketing did say that Sol-Ark inverters are managed, updated and maintained via Sol-Ark's own MySolArk platform. This ensures the security and data protection of Sol-Ark customers. The data obtained via the platform would be processed and maintained by Sol-Ark in the USA and used exclusively in accordance with Sol-Ark's data protection guidelines.

Now the above incident shows that the manufacturer Deye can bypass the beautiful Sol-Ark platform and access the inverters via the Internet. All it takes is a few commands, and poof, the beautiful solar system is ruined. German blog reader Norddeutsch wrote in a comment:

The background seems to be distribution rights and licenses. Sol-Ark inverters are partly manufactured by Deye, with exclusive distribution for one region (USA). However, there are also standard Deye products, i.e. Deye labeled as Deye. These seem to be affected. Just raises questions, especially the wording "allowed use at …USA…".

I see at least in the display message an absolutely unclean separation between distribution and operation, thinking further, legal re-imports or second-hand purchases might also be affected if you operate imported Deye in a prohibited region. Collateral damage can also be found via the above link – the identification appears to be flawed: There are affected people even far away in Panama who use a dye dongle for connectivity.

My technical assumption: Deye generates the shutdown signal based on serial numbers, sales lists and its own databases (exactly the connectivity to Deye Cloud that we criticized here the other day …without further ado).

Let me put it more bluntly: the above comment unfortunately does not reflect the situation at all! What is beef? Deye and other manufacturers can – if devices are accessible via the Internet – deactivate them via the firmware if necessary.