Here we are going to discuss some security concerns of charging stations, which are gradually becoming familiar to many of us. An electric charger is unlikely to injure you physically; however, your personal data (including, of course, your billing data) risks landing in the wrong hands. Let’s start with a presentation at EVS31 in Japan.
The Electric Vehicle Symposium EVS31 was held in Kobe, Japan this year. With participants from more than 30 countries, the conference proceeded under the slogan “Leading a smart society with new mobility”. The scope of the conference was wide, from presentations of applied research results to showcases of new electric powertrain technologies and new products, and one presentation about security was spotted among the sessions.
P3 presented their proof-of-concept hack of a charging station in the conference paper “Future Critical Infrastructure and Security” (the study was presented by Christian Esser). They performed attacks on EV charging stations, where, among other things, users’ billing information is stored. Charging stations are usually located in public areas with little or no supervision, and the infrastructure is not designed to cope with cyber attacks. P3 analyzed three attack surfaces: the charging stations themselves, the back-end web interface, and the communication between the charging station and the back-end. Weaknesses identified in the system include, for example, the use of a weak exchange algorithm and the ability to perform brute-force attacks through the SSH entry. For the web services, there was no encrypted channel and user credentials were processed by JavaScript. In addition, several web pages were found to be vulnerable to SQL injection. The use of outdated software is the reason for the major security risks, as the vulnerabilities of the system are already well known. The study suggested that IT security principles should be taken into consideration in the design phase during the development of charging stations.
Hacking of charging infrastructure is, however, not new, although people are seldom aware of it. As early as 2013, the security researcher Ofer Shezaf warned the world by raising concerns about the hacking of charging infrastructure at a security conference, stating: “This issue will become real when electric cars become real. If we don’t start today it won’t be secure in 10 years.” [1]
Mathias Dalheimer raised the issue of vulnerabilities in charging infrastructure for electric cars at the thirty-fourth Chaos Communication Congress last year. Security problems appear in many of the components involved in using the charging infrastructure, from the easy-to-reprogram ID token for user identification and the old HTTP-based OCPP protocol to the problematic USB ports. As Kaspersky reported, “criminals can collect ID card numbers, imitate them and use them for transactions (for which the real account holders will have to pay); rewire charging requests, basically disabling charging points; gain root access to the station and then do whatever they like.” [2]
The issues with charging security should definitely be taken seriously. Charging stations are not just a copy of gas stations. Already today, it is important to make sure that your personal information is not secretly drifting out while electricity flows into your EV.
Written by Anne Faxér, RISE Viktoria.
References:
- 2013-04-12. Are Charging Stations Vulnerable to Hackers? Security Expert Says Yes.
- 2018-01-09. Don’t be sure charging your electric car is secure enough.