What Are Smart EV Chargers?
First of all, there are two types of smart EV chargers: domestic and public ones.
Domestic or home smart EV chargers share a data connection with a Cloud-based platform. Like almost every other smart device these days, they come with built-in Wi-Fi connectivity, which allows users to communicate with the device via an app. Users can, for example, remotely start, monitor or check a charge, choose to charge off-peak only, connect the charger to their solar grid, and more. A domestic smart EV charger can also send the user a notification when their vehicle has finished charging, or remind them to plug in their car. Public smart EV chargers, or the ones users may find at their workplace, are connected to a charging platform with multiple charging stations. An identification system (RFID or a mobile app, for example) links the vehicle and driver to a charging event at a charging point and automatically bills the subscriber. Unregistered users may be able to pay with a credit or debit card. Operators can create different groups, pricing models and packages for different subscribers.
API is the Culprit
PenTestPartners discovered numerous security flaws in smart EV chargers. In most cases, the API was the culprit. API is an acronym for Application Programming Interface, a set of protocols that allows different programs to communicate with each other. In the case of smart EV chargers, APIs enable mobile apps to communicate with the charger via a Cloud-based platform. When a user uses the app, the application connects to the internet and shares data with a server. The server then interprets the data, takes action and sends a response back to the app. All this happens automatically. APIs work quietly in the background, making possible the interactivity users expect and rely upon. However, they also add another layer of exposure, because attackers increasingly target APIs: they provide windows into applications that present a growing cybersecurity risk.
Popular Home EV Chargers Vulnerable
Security researchers tested six popular home EV chargers: Project EV, Wallbox, EVBox, EO Charging’s EO Hub and EO Mini Pro 2, Rolec and Hypervolt. All six presented vulnerabilities. Most had to do with the API, but the security researchers also detected some hardware issues. “We found vulnerabilities that allowed account hijack of millions of smart EV chargers. Several EV charger platforms had API authorization issues, allowing account takeover and remote control of all chargers”, the researchers posted on the company’s security blog. “One platform had no authorization at all. The same charger had no firmware signing, allowed new f/w to be pushed remotely and the charger used as a pivot on to the home network.” Some EV chargers used a Raspberry Pi compute module, a low-cost computer that hobbyists often use. This could allow cybercriminals to easily extract data, including Wi-Fi credentials. Admittedly, the risk is low. But it exists, nonetheless.
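The API authorization flaw described above (an app talks to a cloud server, the server acts on the request, but never checks that the caller actually owns the charger) is easiest to see in code. The following is an added example written for this article, not code from PenTestPartners or any of the vendors named; the charger ids, account names and tokens are constructed, and the in-memory dictionaries stand in for the platform's database and session store. It shows the unchecked handler beside the corrected one, which enforces object-level authorization on every request.

```python
"""Minimal charger-control API handler: vulnerable version beside the hardened one.
Added example for illustration; all ids, accounts and tokens are constructed."""
from dataclasses import dataclass


@dataclass
class Charger:
    charger_id: str
    owner: str            # account that owns the unit
    charging: bool = False


# Constructed fixture: two households, one charger each.
CHARGERS = {
    "chg-1001": Charger("chg-1001", "alice"),
    "chg-2002": Charger("chg-2002", "bob"),
}

# Bearer token -> account name (stands in for the platform's session store).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class ApiError(Exception):
    def __init__(self, status: int, msg: str):
        super().__init__(msg)
        self.status = status
        self.msg = msg


def _authenticate(token: str) -> str:
    """Authentication only: who is calling? Says nothing about what they may touch."""
    user = SESSIONS.get(token)
    if user is None:
        raise ApiError(401, "invalid or missing token")
    return user


def set_charging_unchecked(token: str, charger_id: str, on: bool) -> dict:
    """Vulnerable pattern: the caller is authenticated, but the handler trusts the
    charger_id in the request. Any valid account can switch any charger on the
    platform, which is the 'remote control of all chargers' the researchers describe."""
    _authenticate(token)
    charger = CHARGERS.get(charger_id)
    if charger is None:
        raise ApiError(404, "charger not found")
    charger.charging = on
    return {"status": 200, "charger": charger_id, "charging": on}


def set_charging(token: str, charger_id: str, on: bool) -> dict:
    """Hardened pattern: authorization is tied to the object, not just the session.
    Ownership is re-checked on every request, and a foreign charger gets the same
    404 as a nonexistent one so the response does not confirm which ids exist."""
    user = _authenticate(token)
    charger = CHARGERS.get(charger_id)
    if charger is None or charger.owner != user:
        raise ApiError(404, "charger not found")
    charger.charging = on
    return {"status": 200, "charger": charger_id, "charging": on}


def handle(fn, token: str, charger_id: str, on: bool) -> dict:
    """Wrap a handler so an ApiError becomes an HTTP-style status dict."""
    try:
        return fn(token, charger_id, on)
    except ApiError as e:
        return {"status": e.status, "error": e.msg}


if __name__ == "__main__":
    # Bob asks to switch on Alice's charger through each handler.
    print("unchecked:", handle(set_charging_unchecked, "tok-bob", "chg-1001", True))
    print("hardened: ", handle(set_charging, "tok-bob", "chg-1001", True))
```

The difference between the two handlers is a single comparison, which is why this class of bug survives code review so easily: both functions authenticate correctly, and only the hardened one asks whether the authenticated account is allowed to act on this particular charger. In a real platform the ownership lookup would be a database query scoped to the caller's account, but the rule is the same: never let a client-supplied id alone decide which object a request operates on.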
Public Charging a Risk
In theory, public EV chargers offer cybercriminals and tech-savvy criminals a range of opportunities to take advantage of their connectivity. Perpetrators may attempt to impersonate someone else and charge their vehicle “for free”, while using the profile – and credit card details – of their victim. They can also try to gain access to the platform, compromise data, tamper with communication messages, and severely disrupt the service’s network. Look, for example, at what happened recently with the smart rail ticket machines of Northern Trains. “One public charging platform exposed an unauthenticated GraphQL endpoint that we believe also exposed all user and charger data”, warned PenTestPartners’ researcher. “As one could potentially switch all chargers on and off synchronously, there is potential to cause stability problems for the power grid, owing to the large swings in power demand as reserve capacity struggles to maintain grid frequency.”
Install Updates
The security researchers shared their findings with the vendors involved. To their credit, the vendors fixed most of the vulnerabilities almost immediately. To be safe, owners are advised to update their apps and EV chargers. As with all IoT devices, it’s also a must to change the default password and adjust the privacy settings. The same goes for internet-connected baby monitors, smart speakers, security cameras and doorbells. Another tip is to isolate the IoT network from the network used by personal devices, such as computers and tablets. Several countries are drafting legislation to make smart consumer devices safer, obliging manufacturers to build in reasonable security features. Interestingly, in some states like California, default passwords have been banned in new connected devices for years.