question

jens001 avatar image
jens001 asked

Security Issue / Password / Bluetooth / SmartSolar MPPT 100/20

Hello everybody,

I was somehow surprised as a friend of mine demonstrated to login into my SmartSolar with the default pin 000000 - I directly changed the password (which was not set to default) to a new password - but still he was able to login.

The app on ios confirms the password change - it even confirms that the old password / pin is not set to default.

Firmware SmartSolar MPPT 100/20 is v1.39
Firmware VictronConnect on IOS is v5.7

Any hint or idea is welcome

Thanks
Jens

VictronConnectBluetoothsoftware
3 comments
2 |3000

Up to 8 attachments (including images) can be used with a maximum of 190.8 MiB each and 286.6 MiB total.

adev avatar image adev commented ยท

do you mean you have changed the pin but are still able to log in from another devicec with the default pin?

1 Like 1 ยท
jens001 avatar image jens001 adev commented ยท

yes, true

1 Like 1 ยท
jens001 avatar image jens001 commented ยท

Maybe one more detail:

the Smartsolar covers a Bluetooth Interface Rev2 with Firmware 2.14 and Bootloader v1.08

1 Like 1 ยท
4 Answers
jens001 avatar image
jens001 answered ยท

So I tested with a second iPhone and I was not able to connect with default pin - nevertheless I was able to login with the current pin (which I set).

Afterthat I changed the pin with the second device (iOS) and I was still able to login with my first device. So this means if you have a device connected to a Victron device at a certain time before you can login forever ... to be honest for me this seems to be a security bug.

5 comments
2 |3000

Up to 8 attachments (including images) can be used with a maximum of 190.8 MiB each and 286.6 MiB total.

mvader (Victron Energy) avatar image mvader (Victron Energy) โ™ฆโ™ฆ commented ยท

Hi @jens001, yes the bug is that, using the officially released firmware, its not possible to remove any previously paired phone.

The good news is that its fixed already, in the new situation, changing the pin code will do more than just change the pin code: it will also remove all stored pairings with other phones, forcing those phones to re-pair using the new pincode.

And also, weโ€™ve added that VictronConnect will warn you if you havenโ€™t yet changed the password to something other than the default.


You can already test this yourself, its available as a beta, see here: https://www.victronenergy.com/live/victronconnect:beta

Ps. Can I ask you to use a comment to this one when replying? Not a new answer? Thanks!

0 Likes 0 ยท
jens001 avatar image jens001 mvader (Victron Energy) โ™ฆโ™ฆ commented ยท

Hi @mvader (Victron Energy Staff),

thanks for your answer and the possibility to test the next beta.

I installed the new firmware on my Victron hardware - I changed the pin with the beta app on iOS device 1 and was able to login in.

Afterthat I tried to login with iOS device 2 - also with the beta app - and I could not login. The app tried connecting to the Victron hardware and stopped at 20% - not showing any login screen - just saying "it will be connected". I was able to change the screen to list all Victron devices. Seems that former pairings are removed - but new pairing is not possible. Let me know if I can share feedback directly in the beta test. Would like to support.

Jens

0 Likes 0 ยท
mvader (Victron Energy) avatar image mvader (Victron Energy) โ™ฆโ™ฆ jens001 commented ยท

If bluetooth were a thing, Iโ€™d have thrown it out of the window now :-).

But yes, you can participate. See mail.

0 Likes 0 ยท
Peter avatar image Peter mvader (Victron Energy) โ™ฆโ™ฆ commented ยท

What is the latest arrangement for the Bluetooth password?

I'm keen to get a MPPT and DCDC charger but how does it work with 2 bluetooth devices?


How easy is it to guess the password?

Is the default password removed after its changed?

Can you hide the device from bluetooth unless pairing?


Thanks


0 Likes 0 ยท
mvader (Victron Energy) avatar image mvader (Victron Energy) โ™ฆโ™ฆ Peter commented ยท

Goodmorning! The only real solution for security and bluetooth is to disable it. So if youโ€™re worried about it, or otherwise need to be 100% secure, then disable it.

The pin code is not easy to guess, as you know its 6 digits.

Hiding a device from scanning is impossible. Such feature is not part of the official Bluetooth specification

All the best

0 Likes 0 ยท
Pat Davitt avatar image
Pat Davitt answered ยท

My suspicion is that the PIN (password) is only used during the pairing process. Once a device is paired, it has access until the pair is removed.

Just a guess but try un-paring the device with the "default" password and see what happens.

Pat

2 comments
2 |3000

Up to 8 attachments (including images) can be used with a maximum of 190.8 MiB each and 286.6 MiB total.

jens001 avatar image jens001 commented ยท

Thanks, @Pat Davitt.

My expectation would be, that the app shows me all devices (iOS or other) which are already connected to my Victron hardware. But I don't find any overview to remove devices.

On the other hand I can force my friend to uninstall his app - but how can I now be sure if one of my neighbours is already connected e.g. via Raspberry and is controlling my Victron and in best case only reading values.

Do you have the possibility to use a second device (iOS) to connect with default pin?

0 Likes 0 ยท
mvader (Victron Energy) avatar image mvader (Victron Energy) โ™ฆโ™ฆ commented ยท

Indeed Pat. So what was missing is a feature to unpair other phones or tablets (other than getting your hands on that tablet and doing it on that device itself)

0 Likes 0 ยท
jens001 avatar image
jens001 answered ยท

I did another check - deinstallation of the app does not prohibit the access of a device that was properly connected before. Is granted access for iOS devices stored on the Victron hardware ? Do I have to reset the Victron hardware in order to prohibit further access ?

Interesting stuff ...

1 comment
2 |3000

Up to 8 attachments (including images) can be used with a maximum of 190.8 MiB each and 286.6 MiB total.

mvader (Victron Energy) avatar image mvader (Victron Energy) โ™ฆโ™ฆ commented ยท

To do that, you need to remove the pairing from the phones bluetooth settings. The app doesnโ€™t manage the pairings, so removing the app also doesnโ€™t remove the pairing.

0 Likes 0 ยท
Guy Stewart (Victron Community Manager) avatar image
Guy Stewart (Victron Community Manager) answered ยท

Once a Victron device is paired with a Phone, it does not need the password again to connect.

Otherwise a password would be required every time you wished to use the app, desirable for the security conscious, but quite inconvenient for many other users.

Requiring a password every time would be another possible feature but not one that is currently available.

This behaviour is common for most other bluetooth devices I have. An initial confirmation with a code, and then fast pairing with known devices from then on.

1 comment
2 |3000

Up to 8 attachments (including images) can be used with a maximum of 190.8 MiB each and 286.6 MiB total.

jens001 avatar image jens001 commented ยท

Dear Guy,

thank you for your reply. I can understand that you do not want your users to put the password every time they login. Nevertheless for this functionality you can simply use onboard tools like password or keyword managers. I would expect most iOS and Android users to have such a keyword manager.

I would love to put my key every time to have a secure system onboard instead of not knowing who already has access to my battery system and can play with the settings of my power system.

This is a clearly a back door to my system - I even have access to other campers now - which I know - which were last weekend at the same camp spot.


Question:

How can I prohibit access to other users from my power supply system ???


Best regards,

Jens

1 Like 1 ยท

Related Resources

VictronConnect Manual

Download for iOS / Android / Mac / Windows

Additional resources still need to be added for this topic

VictronConnect bluetooth troubleshooting guide