Unfortunately, there is a security issue in the APP

Unfortunately, there is a security issue in the APP. You can deactivate the AC output in the APP without registration or a PIN query. Thus, anyone who has installed the APP can connect via Bluetooth and deactivate the AC output of my EP600. The same applies to my AC200 Max and my EB03, which I use as a UPS for my alarm system. In off-grid mode, you can turn off the power from the outside.

1 Like

Hi @Kbuettgen

I think that is not 100% true. At least from what I have noticed so far.

To control the power station in the App, you need to scan a QR code or type the serial number. No one can do this if they don't have physical access to the unit.

Greetings

Erik

Unfortunately not … I can scan and connect the device via Bluetooth and see the power switch, which I can turn off and on… I can do the same with an ESP32 where I install a small piece of software (BLUETTI_ESP32)

Ahh, that's right. I also play with the Bluetti_MQTT software and it lets me connect via Bluetooth without anything.

I understand why you're concerned about this, but let's face it: Bluetooth doesn't have that much range. In super perfect conditions maybe 10 m, in most cases maybe 5 m. To abuse this, you need to be really close to the power station. Otherwise the connection won't be really reliable.

Maybe a software feature can be added where you can set a PIN for the Bluetooth connection, like the Victron solar chargers.

1 Like

:+1:… Yes, the function only needs to be stored in the IoT receiver

@BLUETTI Can you move this Topic to the “App Section”?

@BLUETTI will do it. As for the opinion, I will give feedback to our relevant department.

@Kbuettgen
I can tell you much more: you can connect to any Bluetti device and control it over the Internet (if the device has built-in WIFI).
You don't need to scan the QR code from the device.

I wrote about it to Bluetti support, but they don't care about this issue

I also reported this to the German support

There is no GDPR violation, because you get no personal data of the customer; you can only control someone's device

In order to check this, I would need to know how the control over the Internet works

You just need to know the serial number of the device. It's not hard to get it; you only need to brute-force it

Hi
The range of the Bluetooth is amazing! I am sitting on the 1st floor and the box is downstairs.
Without a PIN code it's not safe so far!
Anyone who knows the Victron app can tell a story about that. There is a PIN code that must be changed the first time :-)

Greetings from Hamburg
Daniel

2 Likes

@newvol We have addressed this issue. There will be an update in the near future. Please don’t worry.

1 Like

Hello team, when can I expect a solution? It's better to increase the security of your products instead of removing more and more basic functions from the app. @BLUETTI_CARE

@newvol No, you cannot connect to any Bluetti device over the Internet by just knowing its serial number.
.
The Bluetti MQTT cloud is read- and write-accessible for a known serial number only:

  • by the App with a custom client-id UUID, a 32-byte hex code, and an algorithm-generated 8-byte OTP serial hash
  • by the integrated IoT controller with a 26-byte client-id, an IOT-prefixed serial number, and an algorithm-generated 8-byte OTP serial hash

A user who only knows a serial number can't do anything, because he will not know any of the client-ids and is unaware of the algorithm used to generate the OTP serial hash.
.
Please refrain from spreading stupid misinformation.
.
As for Bluetooth, instead of implementing a whole PIN code system, which I don't really think could be an option at this stage of development, it will probably be easier to implement the authentication over Bluetooth with the fixed last 4 or 8 digits of the device serial number (which should then be shown as **** in the list of detected devices).

YES :) :clap: :clap: :heart_eyes: :smiling_face_with_three_hearts: :grin:

Nice! Thanks for sharing the screenshot

Hmm, I don't see it … different version?


You may need to perform the firmware update of the EP600 to see the point