Vulnerabilities found in popular EV chargers – TechCrunch


PenTest Partners, a UK cybersecurity company, has identified several vulnerabilities in the APIs of six EV charging brands and large public EV charging networks. Charger manufacturers have solved most of the problems, but the results are the latest example of the world of under-regulated Internet of Things devices and are almost ready to spread into our homes and cars. ..

The vulnerabilities were identified in the APIs of six different EV charging brands (Project EV, Wallbox, EVBox, EOChargings EOHub and EOmini pro 2, Rolex, Hypervolt) and the public charging network Chargepoint. Security researcher Vangelis Stykas could allow a malicious hacker to hijack a user account, block charging or turn one of the chargers into a “back door” to the owner’s home network. We have identified a number of vulnerabilities for various brands.

The consequences of a hack into a public charging station network can be power stealing or switching the charger on and off at the expense of the driver’s account.

Raspberry cake on the wallbox charger. (Image: pen test partner (Opens in a new window))

Some EV chargers used the Raspberry Pi compute module, an inexpensive computer that is widely used by enthusiasts and programmers.

“Pi is a great platform for hobby and educational computing, but it is not suitable for commercial applications because there is no such thing as a ‘secure bootloader’,” Ken Munro, founder of Pen Test Partners, told TechCrunch. Said. “That means anyone with physical access to the outside of the house (ie the charger) can open the house and steal WiFi credentials. Yes, the risk is low. , I don’t think charger suppliers should expose us to any additional risk. “

Hacking is “really pretty easy,” said Munro. “I can teach you this in 5 minutes,” he added.

Company report, released last weekend, covers vulnerabilities related to new protocols such as Open Charge Point Interface, which are maintained and maintained by the EVRoaming Foundation. This protocol was developed to enable seamless charging between different charging networks and operators.

Munro compared it to roaming on a mobile phone, which allows drivers to use networks other than the normal charging network. Since OCPI is not widely used today, these vulnerabilities may have been developed from a protocol. However, if left untreated, it could mean that “a vulnerability on one platform can create a vulnerability on another platform,” explained Stykas.

Charging station hacking has become a particularly malicious threat as more traffic is electrified and more electricity flows through the grid. The power grid isn’t designed to handle large swings in power consumption, but it does happen in the event of a major hack that turns a sufficient number of DC fast chargers on or off. There probably is.

“It doesn’t take long for the network to trip and overload it,” says Munro. “We accidentally developed a cyber weapon that others can use against us.”

Cyber ​​security “Wild West”

The grid impact is unique to EV chargers, but cybersecurity issues are not. Routine hacking exposes unique problems with IoT devices. In this edition, the first market is often given precedence over solid security, and regulators are struggling to keep up with the pace of innovation.

Justin Brookman, Director of Consumer Privacy and Technology Policy at Consumer Reports, told TechCrunch in a recent interview. Implementing data security in the United States is the responsibility of the Federal Trade Commission. Although the book contains general consumer protection law, “building an unsafe system can be illegal, but only if you are forced to,” says Brookman. I did.

Another federal bill, the Internet of Things Cyber ​​Security Improvement Act, was passed last September but is only broadly applicable to the federal government.

There is little movement at the state level. In 2018 California passed a bill banning standard passwords since 2020 – certainly a useful advancement, but it puts data security first and foremost in the hands of consumers. California and states like Colorado and Virginia also have laws in place that require adequate security measures for IoT devices.

Such a law is a good place to start. But (for better or for worse) the FTC is different from the U.S. Food and Drug Administration, which tests consumer products before they hit the market. There are currently no security checks on technology devices before they reach the consumer. In the UK, “this is also a pioneering Western era,” said Munro.

There are several startups working on this topic. One of them is Thistle Technologies, which is trying to help IoT device manufacturers incorporate the mechanism for receiving security updates into their software. However, the private sector alone is unlikely to fully resolve this issue.

EV chargers can be included in the scope of critical infrastructure legislation as EV chargers can pose a unique threat to the power grid. Last week, President Joe Biden announced a memorandum to strengthen the cybersecurity of systems related to critical infrastructures. “Deterioration, destruction, or malfunction of the systems that control this infrastructure can seriously affect the national and economic security of the United States,” said Biden. Whether this will permeate consumer goods is another question.

Vulnerabilities Found in Popular EV Chargers – TechCrunch Source link Vulnerabilities in Popular EV Chargers – TechCrunch


About Author

Leave A Reply