Vulnerabilities In Connected EV Chargers Could Be A Huge Problem

DEC 19 2018 BY MARK KANE 20

Connectivity opens new possibilities but needs to be secured.

Kaspersky Lab experts have discovered that some home charging stations (EVSE) connected to the Internet via Wi-Fi might carry vulnerabilities that can be exploited by cyber-attackers. At least one such EVSE from a major vendor was identified (it was reported to the vendor and already patched).

According to research, the consequences of a successful attack could include damage to the home electricity network.

Kaspersky Lab says that once cyber-attackers obtain access to Wi-Fi (through the most popular method of password brute forcing), they can easily find an EVSE’s IP address and then exploit any vulnerabilities and disrupt operations. In the case of EVSEs with vulnerabilities, there is a possibility to change the amount of charging power (current) up or down. Decreasing the current amount could leave the car not fully charged, while increasing the maximum current could cause a power overload or even a fire.

We can only imagine that hacking many EVSEs in a particular area could threaten the electric grid.

“Kaspersky Lab experts have discovered that electric vehicle chargers supplied by a major vendor carry vulnerabilities that can be exploited by cyber-attackers, and the consequences of a successful attack could include damage to the home electricity network. While modern electric vehicles are tested constantly for vulnerabilities, this research reveals that some of their essential accessories, such as battery chargers, may remain at risk.

Electric vehicles are becoming increasingly popular, as their development makes a vital contribution to environmental sustainability. In some regions, public and private charging points are now commonplace. In light of this growing usage, Kaspersky Lab researchers decided to investigate the security of widely available domestic electric vehicle chargers that include a remote access feature.

The researchers found a way to initiate commands on the charger, to either stop the charging processor or set it to the maximum current possible. While the first option would only prevent a person from using the car, the second one could potentially cause the wires to overheat on a device that is not protected by a trip fuse. If compromised, the connected charger could therefore cause a power overload that would take down the network to which it was connected. This could result in significant financial impact and, in the worst-case scenario, damage to other devices connected to the network.

To change the amount of electricity being consumed, all that an attacker would need to do is obtain access to the Wi-Fi network that the charger is connected to. Since the devices are designed for home users, security for the wireless network is likely to be limited. This means that attackers could easily gain access, for example, by bruteforcing all possible password options – a common method of attack. According to Kaspersky Lab statistics, 94 percent of attacks on IoT in 2018 came from Telnet and SSH password bruteforcing. Once inside the wireless network, the intruders can easily find the charger’s IP address, which, in turn, will allow them to exploit any vulnerabilities and disrupt operations.”

“To protect your smart devices, including electric vehicle accessories, Kaspersky Lab recommends the following security measures:

  • Regularly update all your smart devices to the latest software versions. Updates may contain patches for critical vulnerabilities, which, if left unpatched, could give cybercriminals access to your home and private life.
  • Do not use the default password for Wi-Fi routers and other devices. Immediately after install, change it to a strong password, and do not use the same password for several devices.
  • It is recommended to isolate the smart home network from the network used by your or your family’s personal devices for basic internet searching. This is to ensure that if a device is compromised with malware, your smart home system will not be affected.”

Dmitry Sklyar, security researcher at Kaspersky Lab said:

“People often forget that in a targeted attack, cybercriminals always look for the least-obvious elements to compromise, in order to remain unnoticed. This is why it is very important to look for vulnerabilities, not just in technical innovations, but also in their accessories – they are usually a coveted prize for threat actors. As we have shown, vendors should be extra careful with connected vehicle devices, and initiate bug-bounties or ask cybersecurity experts to check their devices. In this case, we were fortunate to have a positive response and a rapid patch of the devices, which helped to prevent potential attacks.”

Source: Kaspersky Lab via Green Car Congress

Categories: Charging

Tags: , ,

Leave a Reply

20 Comments on "Vulnerabilities In Connected EV Chargers Could Be A Huge Problem"

newest oldest most voted

“…could potentially cause the wires to overheat on a device that is not protected by a trip fuse”. What a shocking discovery: an incorrect electrical installation could be dangerous!

Nothing in that statement points to actual hazards to your house or the car if the installation is code compliant.

Yup. Most of us have smart meters, yet we don’t give a second thought to hacking worries.

I don’t have a Landis & Gyr Smart Meter on my house (they were notorious), in fact, my utility does not have Smart Meters yet (thankfully).

If people are worried about the car charging installation they should have a competent friend or professional electrician look things over – and see that everything is working properly with the car running at its maximum possible charging rate.

By that I mean the system should be stress tested to see that it will operate successfully under the toughest conditions for your particular installation, and should they be exceeded breakers will trip or fuses will blow to shut everything down.

I had to ‘Robustify’ my Schneider electric Wall Box since under ‘rated’ conditions the cord nearest to it would overheat. Now it runs stone-cold even after 10 hours at 30 amperes.

RIght. Install your charger correctly (use an electrician or just follow NEC Article 240) and fire should not be a risk. It more likely someone will find a way to use IoT to spring into the rest of your network, steal your identity, etc. That risk exists in most homes already due to smart speakers, dvd players, xboxes… So yes, please keep things patched.

EVSE are covered in NEC article 625, does that refer to article 240?

There would have to be a multitude of electrical coincidences and a serious breaker sizing error for this scenario to start a fire. It’s extremely unlikely. As for the exploitability of an IP device sitting on your home network that is venerable to brute force attacks (at a minimum)… yeah, add it to the list.

I’d never trust government funded and operated spy agency regardless what they say

LOL. Pretty dam funny joke. Yup, my cellphone is not gov’t funded, so I’m perfectly secure from the spy agency.

TL;DR

Idiots with brute forceable passwords are vulnerable.

Also those using non AES such as WEP and TKIP.

and even then, some apps are still using AES-128 and under.

“… potentially cause the wires to overheat on a device that is not protected by a trip fuse.” Nice they clarified that, but Kaspersky is sensationalizing something that is not valid for a properly installed EVSE. Any EVSE or wiring could fail for many other reasons outside of hacking, and that’s why there are electrical code standards for installation of circuit breakers. Property damage and fires are not a possibility – except for a mis-installation AND a fault – hacking or otherwise.

Would be nice to clarify the article that damage is only possible with a improperly installed EVSE, rather than further their misinformation.

“Would be nice to clarify the article that damage is only possible with a improperly installed EVSE, rather than further their misinformation.”

Agreed. I would go further and argue that even an improperly installed EVSE, which has nonetheless been operating successfully, would continue business as usual.
The current draw is defined by the EV, not by anything that can be jiggered in the EVSE.

Yeah, it would require an EVSE that has been software limited to protect a small conductor that has also had an improperly sized breaker used to protect it. I guess one more possibility would be to instruct the vehicle charger to pull more current that the EVSE service whip or J1772 lead could handle but I would suspect the EVSE to be fused against that regardless of how hackerish you can get with software.

Both the EV and the EVSE impose current limits.

” . . . the consequences of a successful attack could include damage to the home electricity network”.
Sorry, but this is fearmongering BS.

In my admittedly limited understanding of the EV – EVSE interaction;
(a) The J1772 interconnection protocol is mercifully ultra simple, being strictly analog and a total mystery to anything digital.
(b) The EVSE could falsely advertise itself to a 3.3kW-charging EV as 20kW-capable, and the current draw would still be determined by the EV at ≈14Amps (3.3kW). Nothing to see there!
(c) Any EVSE current draw exceeding its design parameters would simply pop the appropriately sized circuit breaker.

As they used to say in my youth “Pull the other leg; it’s got bells on it!”

First there was that article about FLO charging stations (which don’t use wi-fi) that had disabled comments, despite totally being a normal article and not a paid advertisement, now here’s an article scaremongering about wi-fi vulnerabilities. Smells like a native advertising campaign.

Careful: If you say anything against FLO you’ll have your comment removed… I know.

AC EVSE do not generally have a digital communications path into the EV, only the DC chargers do. So the risk to the car is limited. Yes they might be able to blow a fuse or trip a circuit breaker, but only if you car can take more current than your circuit breaker is rated for. Yes they could stop your car from charging.

The real risk is DC chargers, especially the ones that provide a full internet protocol path into the car. I understand that is a minority of DC chargers in the US.