EV Charger Security Flaws Discovered | Vulnerabilities & Risks

EV Charger Security: Vulnerabilities Discovered in Multiple Brands
A cybersecurity firm based in the U.K., Pen Test Partners, has recently uncovered security weaknesses in home electric vehicle (EV) chargers from six different manufacturers, as well as in a significant public EV charging network. Most of the identified issues have since been addressed by the charger companies. However, these findings highlight the ongoing challenges presented by the largely unregulated landscape of Internet of Things (IoT) devices.
Brands Affected by Security Flaws
The vulnerabilities were detected in EV charging solutions from Project EV, Wallbox, EVBox, EO Charging (specifically the EO Hub and EO mini pro 2 models), and Hypervolt. ChargePoint, a large public charging network, was also found to have weaknesses. Notably, Rolec was examined but did not exhibit any vulnerabilities.
Security researcher Vangelis Stykas pinpointed several security shortcomings across these brands. Exploitation of these flaws could potentially allow malicious actors to compromise user accounts, disrupt charging sessions, and even transform a charger into a gateway for accessing the owner’s home network.
Potential Consequences of a Security Breach
A successful attack on a public charging station network could lead to the theft of electricity by unauthorized users, billed to legitimate driver accounts. Furthermore, attackers could gain the ability to remotely activate or deactivate charging stations.
Raspberry Pi and Security Concerns
Certain EV chargers, including those from Wallbox and Hypervolt, utilize a Raspberry Pi compute module – a cost-effective computer frequently employed by enthusiasts and developers.
Ken Munro, founder of Pen Test Partners, explained to TechCrunch that while the Raspberry Pi is excellent for hobbyist projects, it lacks a “secure bootloader,” making it unsuitable for commercial applications. Physical access to the charger could allow an attacker to obtain Wi-Fi credentials.
Munro emphasized that while the risk may be relatively low, charger vendors should not introduce unnecessary vulnerabilities. The methods used to exploit these weaknesses are surprisingly straightforward and can be taught within a matter of minutes.
OCPI Protocol Vulnerabilities
The company’s report also addressed vulnerabilities related to the Open Charge Point Interface (OCPI), a protocol designed to facilitate seamless charging across different networks and operators. This protocol, managed by the EVRoaming Foundation, aims to replicate the roaming experience of cellular networks.
Although OCPI is not yet widely adopted, vulnerabilities could potentially propagate between platforms if left unaddressed, creating a cascading effect. As Stykas clarified, a weakness in one platform could inadvertently introduce a vulnerability into another.
Threats to the Electric Grid
As the transportation sector increasingly electrifies, and more power is channeled through the electric grid, security breaches targeting charging stations pose a growing threat. Electric grids are not engineered to handle substantial, sudden fluctuations in power demand.
A large-scale attack that simultaneously activated or deactivated a significant number of DC fast chargers could potentially overload the power grid. Munro warned that these chargers could inadvertently be weaponized by malicious actors, causing widespread disruption.
“It doesn’t take much to overload and trip the power grid,” Munro stated. “We’ve inadvertently created a cyberweapon that others could use against us.”
Cybersecurity Challenges in the Expanding IoT Landscape
The vulnerabilities discovered in EV chargers, while specifically impacting the electric grid, are indicative of broader cybersecurity concerns. Frequent security breaches highlight systemic weaknesses within IoT devices, where rapid product development often overshadows robust security protocols.
Regulatory oversight struggles to maintain pace with the speed of technological innovation. Justin Brookman, director of consumer privacy and technology policy at Consumer Reports, explained to TechCrunch that enforcement of data security standards in the U.S. is limited.
While a general consumer protection statute exists, the likelihood of facing repercussions for building systems with inadequate security remains uncertain, according to Brookman. The Federal Trade Commission holds responsibility for data security enforcement within the United States.
The Internet of Things Cybersecurity Improvement Act, enacted last September, represents a step forward, though its application is currently restricted to federal government systems.
Progress at the state level is incremental. California’s 2018 legislation, prohibiting default passwords in new consumer electronics from 2020 onward, is a positive development. However, it largely places the onus of data security on individual consumers.
States like Colorado and Virginia have also implemented laws mandating reasonable security measures for IoT devices. These laws offer a foundational level of protection.
Currently, the FTC operates differently than agencies like the U.S. Food and Drug Administration, which audits consumer products before they reach the market. There is no pre-market security assessment for technology devices before they become available to the public. Similar conditions exist in the United Kingdom, as noted by Munro.
Several startups are attempting to address this issue. Thistle Technologies, for example, focuses on assisting IoT manufacturers in integrating security update mechanisms into their software. However, a complete resolution solely through private sector efforts appears unlikely.
Given the potential for EV chargers to uniquely threaten the electric grid, they may be included within the scope of critical infrastructure legislation. President Biden recently issued a memorandum emphasizing enhanced cybersecurity for critical infrastructure systems.
The memorandum acknowledges that disruption to these systems could inflict substantial damage on U.S. national and economic security. Whether these measures will extend to consumer products remains to be seen.
Correction: This article has been updated to reflect that researchers did not identify vulnerabilities in the Rolec home EV charger. The initial paragraph was revised to correct a previous editorial error.