Security flaws found in popular electric vehicle chargers – TechCrunch

UK cybersecurity firm Pen Test Partners has identified several vulnerabilities in the APIs of six household electric vehicle charging brands and a large public electric vehicle charging network. While charger makers solved most of the problems, the findings are the latest example of the poorly regulated world of Internet of Things devices, which are about to become ubiquitous in our homes and vehicles.

Vulnerabilities were identified in the API of six different electric vehicle charging brands: Project EV, Wallbox, EVBox, EO Hub by EO Charging and EO mini pro 2, Rolec and Hypervolt, and the Chargepoint public charging network. Security researcher Vangelis Stykas identified several security flaws between the different brands that could have allowed a malicious hacker to hijack user accounts, prevent uploading, and even turn one of the chargers into a “back door” on the owner’s home network.

The consequences of a public charging station network hack could include theft of electricity at the expense of drivers’ bills and switching chargers on or off.

A Raspberry Pi in a Wallbox charger. (Picture: Pen Test Partners)

Some EV chargers used a Raspberry Pi compute module, a low-cost computer often used by hobbyists and programmers.

“The Pi is a great hobby and educational computing platform, but in our opinion it is not suitable for commercial applications as it does not have what is known as a ‘secure bootloader’,” Ken Munro, the founder of Pen Test Partners, told TechCrunch. “This means that anyone with physical access to the outside of your home (hence your charger) could open it and steal your Wi-Fi credentials. Yes, the risk is low, but I don’t think charger providers should expose us to additional risk.”

The tricks are “really pretty simple,” Munro said. “I can teach you to do this in five minutes,” he added.

The company’s report, posted last weekend, addressed vulnerabilities associated with emerging protocols such as the Open Charge Point Interface (OCPI), maintained and managed by the EVRoaming Foundation. The protocol was designed to facilitate charging between different carriers and charging networks.

Munro likened it to roaming on a cell phone, allowing drivers to use networks outside of their usual charging network. OCPI is not widely used at this time, so these vulnerabilities could be designed out of the protocol. But if left unaddressed, it could mean “that a vulnerability on one platform potentially creates a vulnerability on another,” Stykas explained.

Attacks on charging stations have become a particularly dire threat as more transportation becomes electrified and more energy flows through the electrical grid. Power grids are not designed for big changes in power consumption, but that is exactly what could happen if a major hack occurred that turned a sufficient number of DC fast chargers on or off.

“It doesn’t take much to make the power grid overload,” Munro said. “Without realizing it, we have created a cyber weapon that others could use against us.”

The “wild west” of cybersecurity

While the effects on the electrical grid are unique to electric vehicle chargers, cybersecurity issues are not. Routine hacks reveal more endemic problems in IoT devices, where being first to market often takes precedence over robust security, and where regulators can barely keep up with the pace of innovation.

“There really isn’t much of an app,” Justin Brookman, Consumer Reports’ director of consumer technology and privacy policy, told TechCrunch in a recent interview. The enforcement of data security in the United States falls within the purview of the Federal Trade Commission. But while there is a general-purpose consumer protection statute on the books, “it may well be illegal to build a system that has little security, it’s just whether or not it’s going to be enforced,” Brookman said.

A separate federal bill, the Internet of Things Cybersecurity Enhancement Act, passed last September, but it only applies broadly to the federal government.

There’s just a little more movement at the state level. In 2018, California passed a bill banning default passwords on new consumer electronics products from 2020 – useful progress certainly, but one that largely puts the burden of data security on consumers. California, like states such as Colorado and Virginia, has also passed laws requiring reasonable security measures for IoT devices.

These laws are a good start. But (for better or for worse) the FTC is not like the US Food and Drug Administration, which audits consumer products before they go on the market. As of now, there is no security check on tech devices before they reach consumers. In the UK, “it’s the Wild West here too, right now,” Munro said.

Some new companies have emerged that are trying to tackle this problem. One is Thistle Technologies, which is trying to help IoT device manufacturers integrate mechanisms into their software to receive security updates. But it is unlikely that this problem will be completely solved by private industry alone.

Because electric vehicle chargers could pose a unique threat to the electricity grid, there is a potential for electric vehicle chargers to fall within the scope of a critical infrastructure bill. Last week, President Joe Biden posted a memo calling for greater cybersecurity for systems related to critical infrastructure. “The degradation, destruction or malfunction of the systems that control this infrastructure could cause significant harm to the national and economic security of the United States,” Biden said. Whether this will trickle down to consumer products is another question.
