No security updates needed if the device isn't connected to the internet in the first place!

If opting out of security updates for your dishwasher is bad, then your dishwasher is shit.

Yeah, but what if a “security update” breaks functionality?

None of the IoT devices we own have had an update that fixes a user facing bug, but most have had critical updates that break existing functionality.

Only if this actually gets treated as an attack though, which I haven't seen happen in similar cases in the past.

Sony BMG with the hidden DRM rootkit malware on their music CDs got some civil penalties but no criminal prosecution. Sony with the Playstation OtherOS removal had to pay a ridiculously low class action, no criminal prosecution. Lenovo got a slap on the wrist for putting an adware firmware bootkit into the machines, again civil only.

A lot of companies are still getting away with exfiltrating memory dumps by default as part of their error reporting, selling your location data, etc.

The only criminal prosecution (as in "butt in jail") for similar behavior that I'm aware of is Volkswagen's Dieselgate, and that was only prosecuted because it was seen as screwing over the US government, not consumers.

> The biggest takeaway here should be that we need a domestic solar industry. We can't hold Deye or Chinese companies culpable.

No, the takeaway is to not allow corps to have remote access to end-user owned devices in the first place.

This story of perfectly capable devices being bricked or having servers shut off has been told so many times with domestic (or friendly countries) companies it's laughable that the conclusion is 'do the same thing but onshore'.

There are US manufacturers. I have a Tesla PW3 made in the U.S. and it includes solar charge controllers, batteries and inverter.

Pretty competitive too.

That would require foresight, investment, subsidies, and good policy.

(looks at election results)

Ok, tariffs. I guess tariffs are the new invisible hand.

And really, what we're talking here isn't domestic manufacturing. It's probably Mexican manufacturing.

Deye manufactured vs the units for OEM use different components - they build to spec.

Only if that attack surface doesn't include employees, household members, contractors, shared spaces, etc. That is, a small business may be fairly safe if they're no cohabiting. A corporation probably isn't.

In this case the manufacturer was the one that triggered it. Even if it weren’t, how secure their servers are, or which foreign legislation they are subject to is a total unknown.

Why do people insist on having remote telemetry from these kinds of appliances?

I have inverter of different brand and also had concern to allow it internet connection, so i ended with pi zero connected to it’s internal wifi with socat port gateway, a route on router to simulate it’s internal network and it’s app works thinking it is connected locally to device, even over vpn back to home.

FWIW, the Sol-ark's (and presumably the Deye's) support getting telemetry via local RS-485.

I could use the device’s buttons and LCD to get some stuff, but I generally don’t bother. Maybe if I plugged it into the network and disallowed internet communication, I could poke around to see if there is a way, but I have not felt motivated to try.

That's one way to frame it. Another is Sol-ark incurs costs of developing, marketing and supporting their official devices and the contract manufacturer is able to sell their own version in the Chinese market. Greedy people who don't want to pay Sol-ark for all the costs they incurred bought grey market devices that Sol-ark has repeatedly warned are in contract violation in this market. The manufacturer, not Sol-ark, has now bricked those devices, and people are blaming Sol-ark anyway because they want to continue to justify their actions.

I would expect a vigorous effort to reverse engineer Solark's firmware to spin up, assuming it hasn't already.

That’s laughably wrong. Exclusive distribution rights are probably enforced more strictly in the U.S. than anywhere else in the world. They are governed by contract law. In addition, many product categories need to be demonstrated as safe to the right licensing agencies before being sold, not after.

Two possibilities come to mind:

1. They're not properly licensed for other markets. Something equivalent to selling a radio transmitter in the US that's not registered with the FCC.

2. They price units outside of Asian markets much higher and don't want to allow/encourage arbitrage that they don't control.

This is definitely a case of "porqué no los dos" (or more).

Different countries have different laws and requirements around grid-connected inverters, mostly so people working on the grid don't get electrocuted when a stray inverter keeps feeding in power.

Highly recommend using solarassistant for this, instead - local server software that install on a raspi, and you hook a usb on the raspi to the WiFi dongle port on your inverter with a serial cable. Don’t provide the inverter itself with any wifi credentials.

Solar assistant has the bonus of interfacing your inverter with homeassistant, and letting it control the inverter/get signals from it (so you can do things like, if grid voltage drops to zero, do xyz)

What would be a good method for keeping the IoT Thing from talking to a machine beyond my locally administered network?

Solar installations are expensive enough that some manufacturers can probably afford to integrate a cellular modem into the product (similar to how all new cars do it today). Good luck changing the Wi-Fi password on that!

That's why you get lien releases from subcontractors before you pay the main contractor.

> The only way to configure/disable that is via a .cn app!

What does it even mean for an app to be ".cn"? Apps typically aren't identified by DNS names. Did you have to download it from a .cn domain? Is it just a roundabout way of saying the app was Chinese?

Hi, idiot here. I badly wanted a US-made robot vacuum that uses LiDAR for mapping and a camera for object classification. This does not exist. Your only options are Chinese-owned-and-operated.

I could flash them with Valetudo and wire them up to Home Assistant, but doing so requires me to solder shit to the JTAG circuit and buy some niche hardware, which requires me to open up the vac and potentially brick it. I'm not risking that on a $1200 device.

Unless I'm missing some hidden joke; this attitude is misanthropic. I'd like to see less of it in general, but I'd especially like to see less of it here.

This is a very uncharitable and hatingly-blinded take.

I'm reading this article and grinning, because someone somewhere at Deye knows they sold these inverters fraudulently. Some sales person out there just went into full ah-fuck-it mode and delivered shipments and shipments of these things. NICE.

This user's biography reads, "you are the least qualified to comment on the subject"

Sounds about right.

That part is independent of internet connection. Especially since you can't rely on the internet connection in case of power delivery issues. It's a completely different network.

> nothing to do with exclusivity agreements arranged between companies

The 2013 U.S. Supreme Court case depended on a plaintiff that was making enough money on textbook arbitrage to fund a legal case all the way to the Supreme Court. It provided new clarity on book distribution and geographical "exclusivity".

If software enforcement of device distribution agreements affects a large enough flow of capital, then corner cases will accrue enough economic impact to be tested in courts. Manufacturers do not have carte blanche to manipulate hardware remotely, e.g. they cannot take actions that could injure humans. Where are the limits? For now, we have many opinions and few laws.

> in breach of contract

I can't really figure out what they did that was in breach of contract. As far as I understand it, they don't do business inside the areas affected, so there is no contract to speak of. Instead, their authorized resellers seem to be the ones installing for their hardware; I don't even think it's legal to sell their hardware if it doesn't comply with FCC/etc guidelines.

Is geo-blocking illegal? Am I entitled to a refund if I import American hardware that refuses to operate in my country?

I think people were risking a broken setup for a big discount, and now it's come back to bite them in the ass. If the units affected were official installations done by their American reseller, their reseller wouldn't be so ready to offer up free replacements.

I like how you quoted forcing, but I very specifically did not use that term.

Had there been no exclusivity agreement, I think we can agree that the inverters would not of been bricked for being located in the wrong regions.

I think the malice from Sol-Ark here is that they are only offering a limited time deal, which may pressure people to pay up before the courts clear this up.

Regardless of who shares the majority of the blame, Sol-Ark, Deye or 3rd party vendors, this could of been handled better by all parties involved, and should not have harmed end consumers in this way.

Yeah, off grid (as in actually off grid) is a great example of ‘simple is better’ and ‘physical redundancy is essential’.

It’s also the place where money ($$) is often the most constraining factor, so cheap amazon shit tends to be the norm.

You return a solar inverter you already have installed? Maybe purchased years ago? And in the meantime you might be without power. That's not recourse.

There is no such thing as "grey market". USA is a free market. Everyone is authorized to sell all safe items.

I don't know which "this" was referred to, but I think we need laws to prevent a foreign company or hacker from shutting down our power.

There was an article on HN about a month ago, that two companies each have the ability to overload or shut down the entire grid in many parts of the states, just by their remote control of the solar panels and batterires.

They should be regulated like any other utility.

Civil contract disputes don't empower or obligate you to commit crimes in the process of trying to make things right.

The power inverters were *not their property*. Remotely accessing them, without authorization and with the intent of disabling them, is a textbook CFAA felony.

That's like saying if I punch someone because of a legal dispute, the law is to blame.

There is a US based company that is importing and selling these devices. Go after them.

Aren't some of those platforms more-or-less official outlets of the manufacturer for some brands already?

While it's entirely possible some of the storefronts are just flashing "official widgetco shop" as a credibility-enhancing gesture, it's probably also the easiest way if you're a Chinese firm with little understanding of global last-mile logistics and small-dollar payment processing to get into the direct-to-consumer business. I thought AliExpress was spawned from the B2B relationships Alibaba already had.

If you put up a rule like that, I suspect those sites would just pivot to being "Shopify for Chinese Vendors" -- offering an embeddable storefront that the manufacturer can put directly on their page. The only losers would be the consumers, who would no longer get the convenience of centralized search, being able to put together an order from ten vendors in a single shopping cart, and the ability to efficiently combine shipping.

And let's not say "we lost manufacturing." We GAVE IT AWAY. It's not just that foreign labour is cheaper, it's that Asia was industrializing later, so you get state-of-the-science facilities, while the American plant is 50 years old and nobody wants to splash the capex to rebuild it to modern standards.

What you're saying is that American companies should be able to profit from the price disparity between China and US by reselling Chinese goods to US consumers at massively inflated prices, but regular Americans should not be able to do the same on their own.

We need straight anti-trust unbundling. You should not be allowed to abuse your market position as a hardware manufacturer to push your network-connected software by tying them together as one product. At a minimum, the software should have to be developed by a separate business unit, using only documentation that's been published for everyone. (and yes, having been an embedded hardware/software designer, including for things like power electronics, I'm quite aware of the implications)

> If you go bankrupt you are mandated to just open source your software in that case.

Or insurance that covers the complete refund cost of all assets sold. There are cases where you may be using 3rd party software that you license that you cannot open source. And, in that case, you're on the hook for refunding the cost of the item.

What about mechanical devices that simply wear out? Even electronic devices can fail due to circumstances controlled neither by you nor by the manufacturer, like lightning strikes introducing violent transients in the grid supply.

Also, cool beans that that is the minimum you'll settle on but how on earth would anyone enforce that? Open sourced software is not enough by far to make something work perpetually: the software will need to be run somewhere and most likely (since you are talking about some sort of net-connected software if this is relevant in the first place) will need security patching to keep up with CVEs. Who is going to pay for that? I don't think it will be the bankrupt entity that stopped existing 10 years ago.

For it to be effective, all it needs is its complement: An easily recognizable green label saying "Doesn't connect to the internet", which is only allowed on the boxes of devices for which this is the case.

Maybe some more levels in the middle like "only connects to the internet for firmware updates" (yellow) and "doesn't require internet access for core functionality" (orange). Basically Nutri-Score [1] for hardware.

[1]: https://en.wikipedia.org/wiki/Nutri-Score

Not GP, but Victron makes some serious beasts. Their whole system is modular, so easy to expand, and it’s local-only by default.

I'm not fully convinced that legislation alone can fix all of our problems, but for what it's worth, I'm all for it.

That said, regulation probably won't solve my problem, because what I want are devices that are specifically not designed to just be cloud-connected thin-client devices. I doubt regulation is going to entirely prevent this class of device from existing. And it's only going to get worse: look at what Microsoft is doing, they're literally trying to shift Windows into being a fucking cloud service.

As long as companies can buy politicians in the US don't expect it to take off.

If anything regulators will prefer to abolish NON-connected devices.

If you want an electric truck (or potentially an SUV), consider looking at an Edison Motors pickup truck retrofit. They are technically Diesel Electric instead of pure electric but you can customize the battery load if you want to run full electric. They don't do all the stupid cloud connected software stuff and they are all about repairability/self maintenance.

Probably the only electric vehicle manufacturer that isn't egregiously tech-bro-y and dripping in dark patterns.

Can’t you use ubiquiti fully locally? I haven’t tested my setup but I can access the web ui directly through the device ip

It's likely they had no contractual agreement with the current owners of the inverters, and yet they have elected to wilfully damage the property of the current owners because they can.

Wilfully damaging someone else's property without permission of the current owner seems pretty malicious, regardless of whether the importers (or maybe someone who supplied to the importer) were in breach of a contract.

But regardless, they're clearly not owned by Deye any longer. Causing damage to an unrelated party in retaliation for a contract dispute between two manufacturers is not OK.

Deciding to enforce something like this after your product has already been sold/installed seems extremely dubious.

Even just building in the capability (assuming this wasn't installed via a generic software update, in which case I'd have some follow-up questions on the security against malware of these things) shows significant malicious intent.

Manufacturer did something with intent to damage someone else's property. Seems to fit the definition to me.

Frankly it doesn’t even require (special) maliciousness (per-se) - spinning up random ‘brands’ to sell to rubes on Amazon while obfuscating beneficial owners is essentially standard operating procedure.

The only surprising thing here is they took an action to brick something instead of just abandoning it.

> and for people to find out the supposedly registered company never existed

This already happened to me. Sort of.

Saw an advt for Air Jordans for $7. With a pic of actual Air Jordans. Thought to myself, "it's only $7, let's see what happens".

A very sorry looking pair of shoes arrived a couple weeks later. With "Air Jordan" printed on them. They weren't actual Air Jordans.

There was no way, absolutely no way, to get in touch with the Chinese company that did this.

They do in many cases. Example: GE CYNC Wi-Fi lights require a connection to Savant's servers, which I believe are split between US and CN. They are one of few vendors that make BR30 smart lights. Philips and LIFX aside, all of the other vendors require an Internet connection.

I have never had my utility power cut for any cause other than storm/ice damage. And it's generally back on within a day, without any involvement on my part. If a hailstorm destroys my rooftop panels or a misbehaving vendor remotely shuts off my inverter, these are problems I now have to solve for myself. No thanks.

As far I know, software like CADs also just stopped in russia after the war started.