Hackers can target Teslas and other EVs through public chargers


Plugging an electric car into a charger creates a data link that can be abused for many attacks, a researcher warns. Hackers can attempt to steal money, data, or electricity, gain unauthorized control, or even shut down entire systems.

Both the electric vehicle’s charger port and the charger are network interfaces communicating with each other. And it seems there might be security oversights.

Hackers can carry out man-in-the-middle attacks to disrupt charging sessions, steal electricity, or even gain unauthorized control over the charging equipment.

Security researcher Brandon Perry released a paper detailing new attack vectors and flaws hackers might exploit to target EV owners and the charging infrastructure.

“Digital communication between the charger and the electric car happens via powerline communication. If you've ever used the wall plugs that turn your house's copper wiring into ethernet, it's the same thing,” the researcher explains in the paper.

“Both legs of the charging infrastructure offer unique attack surfaces.”

The researcher set up a Linux-based charger to analyze the link and capture packets between a Tesla vehicle and the modified charger.

Once connected, both devices begin protocol negotiation and autoconfigure IPv6 addresses.

Data can be stolen

The charger and EV exchange standardized data, including the unique identifiers EVCCID (Electric Vehicle Communication Controller ID) and EVSEID (Electric Vehicle Supply Equipment ID), state of charge, and other information about the car and the charger.

The attacker in the middle can easily intercept this data. The researcher notes that encrypting this communication with TLS is not required, and even when it is, the certificates used for car-to-charger communication are often self-signed and not rooted in any common certificate authority.

And charging networks often use unique EVCCIDs to identify vehicles for automatic billing.

“This value is the MAC address of the interface being used for communication by the vehicle,” the paper explains.

“If you were able to spoof your MAC address on the vehicle, you'd be able to abuse Plug & Charge.”

This means that an attacker could potentially steal electricity by authorizing charging sessions as someone else.

The researcher automatically generated malformed payloads to find crash-causing bugs in the car-to-charger communication.

Hackers can compromise chargers and their networks

Hackers can attempt to brute-force a charger’s SSH (secure shell) credentials over the charger cable. The researcher argues that developers often leave chargers listening on a specific port on any IP address, and do not consider that the power cable might be an interface or another entry point to the network.

The captured packets revealed that the specific charger had SSH listening on the charger port.

“A ‘vehicle’ could connect, initiate the network, and attempt to authenticate to SSH over the charger cable,” the paper shared on the oss-security mailing list reads.

“You can imagine the interesting implications here.”
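A defender's check for the exposure described above, as an added example that is not from the paper or this article: it parses constructed `ss -H -tln` output from a Linux-based charger and lists the TCP listeners reachable from the charge-port interface. The interface name `plc0` and port 50000 for the charging protocol are assumptions.

```python
# Added example: audit a charger's TCP listeners against its charge-port interface.
# Assumptions (not from the paper): interface name "plc0", charging port 50000,
# and `ss -H -tln` column order: State, Recv-Q, Send-Q, Local, Peer.
WILDCARDS = {"*", "0.0.0.0", "::"}

# Constructed sample output; on a real charger, capture `ss -H -tln` instead.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 16 [fe80::1%plc0]:50000 [::]:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0%eth0:443 0.0.0.0:*
LISTEN 0 64 [fe80::1%plc0]:8443 [::]:*
"""

def parse_local(field):
    """Split an ss 'Local Address:Port' field into (address, iface, port)."""
    host, _, port = field.rpartition(":")
    addr, _, iface = host.strip("[]").partition("%")
    return addr, iface or None, int(port)

def reachable_from_cable(ss_output, plc_iface, allowed_ports):
    """Return (port, local_field, reason) for listeners the cable side can reach."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, iface, port = parse_local(fields[3])
        if port in allowed_ports:
            continue  # the charging protocol itself is expected here
        if iface not in (None, plc_iface):
            continue  # socket is pinned to a different interface
        if addr in WILDCARDS:
            # Wildcard binds answer on every interface, the power cable included.
            findings.append((port, fields[3], "wildcard bind"))
        elif iface == plc_iface:
            findings.append((port, fields[3], "bound to charge-port interface"))
        # Specific unscoped addresses (e.g. loopback) are not flagged here.
    return findings

if __name__ == "__main__":
    for port, local, reason in reachable_from_cable(SAMPLE, "plc0", {50000}):
        print(f"port {port:<5} {local:<24} {reason}")
```

Anything reported other than the charging protocol's own port is a service that a device on the cable can reach; binding it to the management interface or filtering it on the charge-port interface closes that path.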

Public chargers are often managed using a charging station management system (CSMS), which allows administrators to manage vehicle authentication, power usage, transactions, firmware updates, and more. Attackers could abuse it to potentially gain access to the entire network.

The research demonstrated that two of the CSMSes, called StEVe CSMS and CitrineOS, can be crashed completely, causing full denial of service. This presents malicious actors with opportunities to remotely shut down entire networks of chargers.

The network admins would have a hard time understanding what happened because, in the logs, they would see confusing local IP addresses connecting to the charger.

The security gaps can have other significant yet undocumented real-world consequences for drivers and public infrastructure administrators. Hackers running malicious code on charging stations can target the power grid or charging components on EVs.

The researcher notes that most EV charger ports can be physically pressed or even pried open without setting off vehicle alarms. The hardware for charger port debugging is already widely available.