According to cybersecurity researcher, Vangelis Stykas, an attacker could take full control of the charger, obtain full access and erase the typical owner’s access on the charger of Wallbox. It might also be possible to prevent them from charging their own automobiles while charging an attacker’s vehicle for free. Also, since Project EV’s authentication was so basic, an attacker could quickly elevate to administrator and alter the firmware of all the chargers. Altering the device’s code would allow an attacker to disable the charger permanently or use it to target additional chargers or servers. Some EV chargers include a Raspberry Pi compute module, which may make all stored data, including passwords and the Wi-Fi pre-shared key (PSK), easily accessible. One of the EV charger platforms had no authorization at all and knowing a short, predictable device ID allowed full remote control of the charger. In situations where the chargers were connected through Wi-Fi, hackers may potentially penetrate a home network using the charger as a pivot.
Pen Test Partners thinks that some of the vulnerabilities it discovered might be exploited to manage several charges at the same time, allowing an attacker to overwhelm the electrical grid in some regions and create blackouts, owing to the large swings in power demand as reserve capacity struggles to maintain grid frequency. Several of the six different and popular brands (Project EV, Wallbox, EVBox, EO Hub, Rolec, and Hypervolt) charging devices they looked at had account hijack vulnerabilities in their APIs. All were eligible for UK government grant money and featured well-known European and American companies. Although the majority of the issues have been resolved, charge point users are urged to upgrade their devices with the most recent software updates.
Written by Nishat Mowla
