With many devices rushing to connect to the IoT (Internet of Things), security does not seem to get a high priority before roll-out. Later on, third-party security experts poke around and expose the vulnerabilities, and the suppliers rush to slap Band-Aids over their poor programming.
A case in point appears to be EV chargers. A recent report by PenTest Partners revealed issues with a number of brands.
These days, everyone wants to be able to control things with an app on their phone. Whether it is scheduling the robot lawn mower, or being alerted to empty the bag in the robot vacuum cleaner charge station, or knowing the state of charge in the EV in the garage, convenience is king.
As soon as an app is involved in communicating with another device either wirelessly or over the internet there exists the potential for vulnerabilities that can be exploited for nefarious purposes. These vulnerabilities can be present in the communication pathways, the API (application programming interface), the cloud-based platform controlling and storing data, and so on.
EV chargers are no different. They allow the owner to remotely monitor and manage the charge state, speed and timing of their car charger, along with many other functions.
So what could possibly go wrong?
The report summarises their findings as:
- We found vulnerabilities that allowed account hijack of millions of smart EV chargers
- Several EV charger platforms had API authorisation issues, allowing account takeover and remote control of all chargers
- One platform had no authorisation at all: knowing a short, predictable device ID allowed full remote control of the charger
- The same charger had no firmware signing, allowed new firmware to be pushed remotely and the charger used as a pivot on to the home network
- One public charging platform exposed an unauthenticated GraphQL endpoint that we believe also exposed all user and charger data
- Some EV chargers were built on a Raspberry Pi compute module, which could allow an easy extraction of all stored data, including credentials and the Wi-Fi PSK [pre-shared key used for security]
- As one could potentially switch all chargers on and off synchronously, there is potential to cause stability problems for the power grid, owing to the large swings in power demand as reserve capacity struggles to maintain grid frequency.
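As an added illustration, not code from the report or from any charger vendor, here is a toy charger-control service in Python that contrasts the authorisation gap described in the list above (a short, predictable device ID acting as the only credential) with a hardened handler that requires a valid session and checks ownership; every class, method and identifier in it is assumed.

```python
# Added example (not from the report or any vendor): a minimal charger-control
# platform showing the missing-authorisation flaw beside its hardened form.
import secrets
from dataclasses import dataclass, field


@dataclass
class Charger:
    device_id: str
    owner: str
    charging: bool = False


@dataclass
class Platform:
    chargers: dict = field(default_factory=dict)   # device_id -> Charger
    sessions: dict = field(default_factory=dict)   # session token -> username

    def provision_insecure(self, owner: str) -> str:
        # Short, sequential IDs are trivially guessable, so the ID becomes a capability.
        device_id = f"{len(self.chargers) + 1:04d}"
        self.chargers[device_id] = Charger(device_id, owner)
        return device_id

    def provision_secure(self, owner: str) -> str:
        # Unpredictable identifier; it is still NOT treated as a secret,
        # because authorisation is enforced separately in set_charging_secure().
        device_id = secrets.token_urlsafe(16)
        self.chargers[device_id] = Charger(device_id, owner)
        return device_id

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def set_charging_insecure(self, device_id: str, on: bool) -> int:
        # The flaw: no session, no ownership check; whoever knows the ID controls the charger.
        charger = self.chargers.get(device_id)
        if charger is None:
            return 404
        charger.charging = on
        return 200

    def set_charging_secure(self, token: str, device_id: str, on: bool) -> int:
        user = self.sessions.get(token)
        if user is None:
            return 401                      # not authenticated
        charger = self.chargers.get(device_id)
        # Same status for "no such charger" and "not your charger", so the
        # response does not confirm which IDs exist.
        if charger is None or charger.owner != user:
            return 403
        charger.charging = on
        return 200
```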
Well, that’s all peachy then.
Because there are many different public chargers available, a shared inter-operability protocol is emerging through the Open Charge Point Interface (OCPI). Ultimately, a user with an account on one charge provider’s system can use other providers’ systems and be cross-billed, just like international roaming for smartphones.
The increased interoperability of OCPI creates some intimidating security problems: a vulnerability in one platform potentially creates a vulnerability in another. Any platform that a charging firm has an OCPI connection to potentially exposes that firm's own chargers and security.
The consequences include:
– Theft of electricity by account compromise, charging the costs to legitimate users.
– Preventing legitimate users from charging, by sending messages to stop the charger.
– Causing grid stability problems by stopping, starting and stopping charging across many chargers synchronously.
[…] By switching on, off, on, off a large number of powerful chargers at once, one can destabilise the power grid. Whilst our power generators make huge efforts to maintain stability, these powerful chargers and security flaws combined have inadvertently created a cyber weapon that others could use to cause widespread power cuts.
The report’s conclusion is sobering:
There has clearly been a distinct lack of security assurance in the smart EV charger space. There’s something of an EV ‘gold rush’ going on as homes equip themselves with chargers and the public charging infrastructure offer more and more powerful charging.
Basic API security has been missing, as has some basic secure hardware choice. Manufacturers have exposed users to fraud and/or prevented their cars from charging. They’ve also unintentionally created a method for others to destabilise our power grid.