
Security Issue / Password / Bluetooth / SmartSolar MPPT 100/20

Hello everybody,

I was somewhat surprised when a friend of mine demonstrated logging into my SmartSolar with the default PIN 000000 - I immediately changed the password (which was not set to the default) to a new password - but he was still able to log in.

The app on iOS confirms the password change - it even confirms that the old password / PIN is not set to the default.

Firmware SmartSolar MPPT 100/20: v1.39
Firmware VictronConnect on iOS: v5.7

Any hint or idea is welcome

Thanks
Jens

Tags: VictronConnect, Bluetooth, software
3 comments

Do you mean you have changed the PIN but are still able to log in from another device with the default PIN?

Maybe one more detail:

The SmartSolar has a Bluetooth Interface Rev2 with firmware v2.14 and bootloader v1.08.

4 Answers

So I tested with a second iPhone and I was not able to connect with the default PIN - nevertheless I was able to log in with the current PIN (which I set).

After that I changed the PIN with the second device (iOS) and I was still able to log in with my first device. So this means that if you have had a device connected to a Victron device at some time before, you can log in forever ... to be honest, to me this seems to be a security bug.

3 comments

Hi @jens001, yes, the bug is that, using the officially released firmware, it's not possible to remove any previously paired phone.

The good news is that it's fixed already. In the new situation, changing the PIN code will do more than just change the PIN code: it will also remove all stored pairings with other phones, forcing those phones to re-pair using the new PIN code.

And also, we've added that VictronConnect will warn you if you haven't yet changed the password to something other than the default.


You can already test this yourself; it's available as a beta, see here: https://www.victronenergy.com/live/victronconnect:beta

PS. Can I ask you to use a comment on this one when replying, rather than a new answer? Thanks!


Hi @mvader (Victron Energy Staff),

thanks for your answer and the possibility to test the next beta.

I installed the new firmware on my Victron hardware - I changed the PIN with the beta app on iOS device 1 and was able to log in.

After that I tried to log in with iOS device 2 - also with the beta app - and I could not log in. The app tried connecting to the Victron hardware and stopped at 20% - not showing any login screen - just saying "it will be connected". I was able to change the screen to list all Victron devices. It seems that former pairings are removed - but new pairing is not possible. Let me know if I can share feedback directly in the beta test. I would like to support.

Jens

If Bluetooth were a thing, I'd have thrown it out of the window by now :-).

But yes, you can participate. See mail.


My suspicion is that the PIN (password) is only used during the pairing process. Once a device is paired, it has access until the pair is removed.

Just a guess, but try un-pairing the device with the "default" password and see what happens.

Pat

2 comments

Thanks, @Pat Davitt.

My expectation would be that the app shows me all devices (iOS or other) which are already connected to my Victron hardware. But I can't find any overview to remove devices.

On the other hand, I can force my friend to uninstall his app - but how can I now be sure that one of my neighbours isn't already connected, e.g. via a Raspberry Pi, and controlling my Victron, or in the best case only reading values?

Do you have the possibility to use a second device (iOS) to connect with the default PIN?

Indeed, Pat. So what was missing is a feature to unpair other phones or tablets (other than getting your hands on that tablet and doing it on that device itself).


Once a Victron device is paired with a phone, it does not need the password again to connect.

Otherwise a password would be required every time you wished to use the app: desirable for the security conscious, but quite inconvenient for many other users.

Requiring a password every time would be another possible feature, but not one that is currently available.

This behaviour is common for most other Bluetooth devices I have: an initial confirmation with a code, and then fast pairing with known devices from then on.

1 comment

Dear Guy,

thank you for your reply. I can understand that you do not want your users to enter the password every time they log in. Nevertheless, for this functionality you can simply use onboard tools like password or keyword managers. I would expect most iOS and Android users to have such a keyword manager.

I would love to enter my key every time to have a secure system on board, instead of not knowing who already has access to my battery system and can play with the settings of my power system.

This is clearly a back door to my system - I even have access to other campers' systems now - which I know - who were at the same camp spot last weekend.


Question:

How can I prohibit other users from accessing my power supply system???


Best regards,

Jens


I did another check - uninstalling the app does not prohibit the access of a device that was properly connected before. Is granted access for iOS devices stored on the Victron hardware? Do I have to reset the Victron hardware in order to prohibit further access?

Interesting stuff ...

1 comment

To do that, you need to remove the pairing from the phone's Bluetooth settings. The app doesn't manage the pairings, so removing the app also doesn't remove the pairing.
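The three behaviours discussed in this thread (a bonded phone reconnects without the PIN; the fixed firmware clears every stored pairing when the PIN changes; a pairing is removed in the phone's Bluetooth settings, not by uninstalling the app) can be modelled as a small bond table on each side. The following Python is an added example written for this page; it is not Victron's code, does not talk to real hardware, and the class names, the `clear_bonds_on_pin_change` flag and the sample PIN `482913` are all hypothetical.

```python
"""Toy model of Bluetooth bonding on a SmartSolar-style charger.

Added example, not Victron's code. It models the behaviour described in the
thread: bonded phones reconnect without a PIN; the fixed firmware clears all
bonds when the PIN changes; a bond is removed in the phone's Bluetooth
settings, not by uninstalling the app. Class and flag names are hypothetical.
"""
from dataclasses import dataclass, field

DEFAULT_PIN = "000000"  # factory default quoted in the question


@dataclass
class Phone:
    name: str
    bonds: set = field(default_factory=set)  # device ids this phone holds a bond for

    def uninstall_app(self):
        # The app does not own the bond; removing it changes nothing here.
        pass

    def forget_device(self, device_id):
        # Equivalent to "Forget this device" in the phone's Bluetooth settings.
        self.bonds.discard(device_id)


@dataclass
class SolarCharger:
    device_id: str
    pin: str = DEFAULT_PIN
    clear_bonds_on_pin_change: bool = False  # False: firmware in the question; True: the fix
    bonds: set = field(default_factory=set)  # phones that completed pairing

    def pair(self, phone, pin_entered):
        """First contact: the PIN is checked once and a bond is stored on both sides."""
        if pin_entered != self.pin:
            return False
        self.bonds.add(phone.name)
        phone.bonds.add(self.device_id)
        return True

    def connect(self, phone, pin_entered=None):
        """A phone bonded on both sides reconnects without a PIN; anyone else must pair."""
        if phone.name in self.bonds and self.device_id in phone.bonds:
            return True
        if pin_entered is None:
            return False
        return self.pair(phone, pin_entered)

    def change_pin(self, new_pin):
        self.pin = new_pin
        if self.clear_bonds_on_pin_change:
            self.bonds.clear()  # every phone must re-pair with the new PIN

    def uses_default_pin(self):
        """The warning the beta app adds: PIN still at the factory default."""
        return self.pin == DEFAULT_PIN


def scenario_old_firmware():
    """Question and first answer: a PIN change does not lock out an already-bonded phone."""
    mppt = SolarCharger("mppt-100-20", clear_bonds_on_pin_change=False)
    friend = Phone("friend-iphone")
    paired = mppt.connect(friend, DEFAULT_PIN)  # friend got in with 000000
    mppt.change_pin("482913")                   # constructed new PIN
    still_in = mppt.connect(friend)             # no PIN asked; the bond survives
    return paired, still_in


def scenario_fixed_firmware():
    """mvader's fix: changing the PIN clears all bonds, forcing re-pairing."""
    mppt = SolarCharger("mppt-100-20", clear_bonds_on_pin_change=True)
    friend, owner = Phone("friend-iphone"), Phone("owner-iphone")
    paired = mppt.connect(friend, DEFAULT_PIN)
    warned = mppt.uses_default_pin()            # app would warn at this point
    mppt.change_pin("482913")
    friend_silent = mppt.connect(friend)        # bond gone on the charger side
    friend_old_pin = mppt.connect(friend, DEFAULT_PIN)
    owner_new_pin = mppt.connect(owner, "482913")
    return paired, warned, friend_silent, friend_old_pin, owner_new_pin


def scenario_phone_side_unpair():
    """Last answer: uninstalling the app keeps the bond; forgetting the device removes it."""
    mppt = SolarCharger("mppt-100-20")
    friend = Phone("friend-iphone")
    paired = mppt.connect(friend, DEFAULT_PIN)
    friend.uninstall_app()
    after_uninstall = mppt.connect(friend)
    friend.forget_device(mppt.device_id)
    after_forget = mppt.connect(friend)
    return paired, after_uninstall, after_forget


if __name__ == "__main__":
    print("old firmware     :", scenario_old_firmware())
    print("fixed firmware   :", scenario_fixed_firmware())
    print("phone-side unpair:", scenario_phone_side_unpair())
```

The model keeps the bond on both sides on purpose: the charger's table is what the old firmware never cleared, and the phone's table is what the last answer tells you to edit. Note that in the phone-side scenario the charger still lists the phone after it has been forgotten; only the fixed firmware's PIN change cleans the charger-side table.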