Mind Circuitry

technical

Recently, I've invested in a GivEnergy All-In-One (AIO) battery and Gateway to be smarter with our energy management with an aim of reducing our bills. This article documents the initial installation, with the main focus on the security configuration of the devices.

NOTE: I'm assuming an element of technical knowledge from the reader here, this is by no means a HOWTO guide.

Installation

As part of the commissioning, the installation engineers requested my wireless network details so the devices could communicate back to the GivEnergy Cloud, and once this was done – the only advice I received was to “change the password of the portal for the devices”. So, better go and do that first then!

First, I needed to find the IP addresses of the devices. Both the AIO and Gateway connect to the wireless separately, so I was looking for two IP addresses. I run Unifi Access Points and Switches at home, so this was a breeze. Once found, dropped the addresses into a browser and logged in with the default credentials (admin\admin).

GivEnergy logon credential configuration

When changing the password for the admin account to the devices, first thing I noticed is the clear text password field! 😱 Argh! oh well, it is what it is.. better get it updated first.

Lets have a look at the settings and menu choices we have:

Mode Selection

This appears to allow us to change between AP and STA mode. Noted. Looks good so far, its on STA mode.

GivEnergy Working Mode Configuration

AP Interface Setting

This enables the Access Point of the device for configuration. Hmm, looks concerning, but the previous setting looked like this wasn't enabled? Maybe it's not so bad?

GivEnergy AP Interface Setting

STA Interface Setting

This allows us to configure the device onto the home wireless network. Sigh, more clear-text password fields, but OK – let's move on.

GivEnergy STA Interface Setting

I'm not a security professional, so there maybe more issues present, but these concerns jumped out at me here:

  1. All password and SSID passphrase text boxes were clear text.
  2. AP Interface Security Mode is Open by default!
  3. If I was being really picky, it's HTTP only, and no HTTPS.
  4. I noticed TELNET (not SSH) was open. (I'm going to dig into this in the future)

Digging deeper into these as part of improving the security stance, I discovered the following:

  • The device password field is 20 characters maximum length
  • The SSID passphase fields is 63 characters maximum length
  • The 'Hidden' tickbox on the AP Interface appears to make the AIO\Gateway unavailable in the GivEnergy Portal
  • If changing the AP SSID name, it also appears to make the AIO\Gateway unavailable in the GivEnergy Portal
  • The Mode Selection between AP and STA does NOT disable the AP SSID! The AP SSID was being broadcasted, no matter which option was set!

In terms of basic security, this is sub-optimal. In summary, if I was do not do any configuration (as a basic consumer) a bad-actor could connect wirelessly to the AP mode of the device, and browse my network for other devices to exploit\pivot\etc or use my bandwidth for free. I repeat, SUB-OPTIMAL.

Improving Security

Firstly, I configured the GivEnergy devices as best I can taking into account all of the above, which involved one solitary, but important step:

  • Encrypting the AP Interface mode with a strong password and WPA2 encryption. This did NOT break communication back to the GivEnergy Cloud, which was nice 😉.

My house runs Unifi for Access Points, Switches and Camera's, and I love it! As part of this configuration, there are a number of key VLAN's configured:

  • Management (Wired devices and native VLAN)
  • Wireless (Single SSID associated with it)
  • Security (Camera's, NVR etc)
  • DMZ (NextCloud instance)

Although these devices were only on my Wireless VLAN, I was still very uncomfortable with this, as this VLAN is used heavily by everyone in the house and has a lot of devices that connect to it. These are the steps I took to improve security:

Within Unifi: 1. Create a separate Wireless Network called “Energy” 2. Create a separate VLAN and publish the SSID only to that VLAN. 3. Create a WiFi Speed Limit profile and attach to the new “Energy” network. 4. Enable MAC Address filtering on the “Energy” network for only the GivEnergy devices

At the firewall: 1. Ensure only HTTP, HTTPS, NTP, DNS, and TCP/7654 could access outbound network. 2. Ensure no traversing of VLAN's was possible from “Energy”, but allow “Management” access to “Energy” for configuration of the device portals.

Note: There is probably more I can do here at the firewall level, but leaving that for another article. I'd like to understand what traffic goes out, and to what IP addresses, and lock it down just to accessing those ranges if possible.

Pitfalls

When configuring these improvements, there were a couple of issues that tripped me up! When configuring the wireless settings on the Gateway, I accidentally changed the SSID or password on the STA mode setting (see point #1 below), and ended up locking myself out of the administration portal for that device. I learnt some things here:

  1. Don't drink beer and watch TV at the same time of making critical configuration changes 😉
  2. If wanting to use LAN instead of WiFi, you can do but you need to change DIP switches on the side of the Gateway. I never got this working, it could have been related to point #1, or just me being impatient.
  3. Not sure what triggered this, however after some time of trying to get access through the LAN, the wireless module on the Gateway reset itself. So, I reconnected in via the AP mode with OPEN Security (and a reset admin password) and re-configured everything again. Not sure if this was the changes of DIP switches to enable LAN, or the fact that the WiFi module couldn't connect to the provided SSID.

The manual outlines the DIP switches settings if you need to understand them and it appears like you cannot have both? Makes me think – If in LAN mode, will that disable the AP Mode Setting? All of point #3 is one to understand another day, and document appropriately.

The mobile app has two settings – “Home” and “Away”. Home connects locally via IP, whereas the “Away” connects via the GivEnergy Cloud. Now that the GivEnergy devices are isolated on their own VLAN, the Mobile app does not find the devices when at “Home”. This I assume is down to broadcasting traffic and inter-vlan traffic being blocked. It's not a major concern, as you can still see data when “Away” and the portal still works fine. Again, another one to investigate for another day.

I'm not 100% happy with this configuration, however it was fine for now, and I I was keen to get the cost saving elements configured up so I can start saving money! I plan to revisit security of these devices with a view on LAN configuration, disabling the AP mode completely, and further investigation into secure firewall configuration.

Energy Configuration

Now that my devices are configured up, and more secure than “factory default”, it was time to turn my attention to ensuring maximum cost saving, and configuring them to charge during the lowest tariff period of the day.

I decided to use Octopus Agile – a beta smart tariff in the UK that provide access to half-hourly energy prices, tied to wholesale prices and updated daily. The plan was to charge my battery up at the cheapest point, and draw from the battery at the most expensive time of day (usually between 4pm – 7pm).

Example Octopus Agile Tariffs

You can see the historical data of their tariffs here here

As there was no information provided to me by the installer's, it was down to me on how to figure how to configure the charging schedules. What I learnt here, may help others to reach the optimum process quicker!

Mobile App

First, the obvious place to look, I discovered I could set a single charging period per 24hr period via the mobile app. Not a bad start, however, it's only a single charge period and checking the historical data from the above website, I can see that these time periods change daily, and more noticably at weekend periods.

Mobile - Setting Charge Period

GivEnergy Portal

Once you've found the method of configuring this, it allowed for more charging period, however they are still static time periods. For note, the way to do this is go to My Invertors > Remote Control on the All-In-One:

GivEnergy Portal - Remote Control

Once there, you configure the time period that you want it to start and end charging, along with maximum percentage. It's got a weird read and commit process on each setting. There are 10 time periods you can have, and you can also set discharge periods.

Setting GivEnergy Charging Periods

Still this isn't dynamic! What else?

HomeAssistant

I'm also running a HomeAssistant installation at home, and perhaps this can do it with it's automations? Yes it can, however it isn't by any means simple. Firstly, it requires the GivTCP Addon installing in HomeAssistant. That addon then needs access to your GivEnergy devices, which if you recall from above, are on an isolated VLAN to my other devices. So, some Inter-VLAN firewall-rule-hackery takes place, and they can now see the devices. Next hurdle is there appears to be some bug around pulling data from them.

I gave up here as after some more internet searching I found the following solution!

Octopus R&D Labs

Octopus Energy have an R&D Labs site that utilises the GivEnergy API to schedule charging at low tariff periods! Fan-bloody-tastic!

Configuration was actually quite simple – get the API details from GivEnergy Portal, create a Device Group and add in your GivEnergy Devices. Also, put in your Octopus Agile API details (found within My Account in your Octopus Portal).

The R&D site also includes a number of guides on how to configure charging based on lowest tariffs:

Octopus R&D Labs Guides

Following the guide was simple, and so far after a few days I can say that this appears to be working as intended.

As with any pre-release\beta software, we should always be mindful that features can change, but so far – this looks excellent. A key point to remember (and it does tell you this during configuration) is that this will overide any configuration set in GivEnergy, although the time periods may still be set.

Conclusion

From this, we've learnt a good deal:

  • It is highly insecure as factory default, and MUST be secured!
  • Some of this security configuration can be daunting for a non-technical person. Always see advice from a trusted techie\expert to help 😉
  • I'm not affiliated with Octopus, however their R&D Labs made the scheduling so simple. This ideally needs to be better advertised\outlined when signing up to their Agile Tariff.

I'll investigate into the networking aspects further in a separate post, as I am keen to access these devices via LAN cabling. From reading the Givenergy community forum posts, it should be as simple as flicking a DIP switch.. but that didn't work so well for me! This said, I need to run some cabling in the house first before I get to make this happen.

#GivEnergy #Security #Energy #Technical