Shocker: EV charging infrastructure is seriously insecure
What did we learn from the IoT days? Apparently nothing.
If you've noticed car charging stations showing up in your area, congratulations! You're part of a growing network of systems so poorly secured they could one day be used to destabilize entire electrical grids, and which contain enough security issues to be problematic today.
That's what scientists at Sandia National Laboratory in Albuquerque, New Mexico have concluded after four years of looking at demonstrated exploits and publicly-disclosed vulnerabilities in electric vehicle supply equipment (EVSE), as well as doing their own tests on 10 types of EV chargers with colleagues from Idaho National Lab.
"Can the grid be affected by electric vehicle charging equipment? Absolutely," said Sandia's Brian Wright, a cybersecurity expert who worked on the project. "It is within the realm of what bad guys could and would do in the next 10 to 15 years. That's why we need to get ahead of the curve in solving these issues," Wright said.
Hey, I recognize that vulnerability!
In the meantime, however, there are plenty of attacks that criminals could be using right now, and researchers already are. Sadly it's a grab-bag of the same old problems we've been seeing for years in other tech sectors.
"There have been multiple demonstrations of stealing credentials or influencing charging sessions via the EV-to-EVSE connection," the researchers said in their paper. In one case, researchers managed to sniff out and interrupt charging using a software defined radio with less than 1W of power from 47 meters away "on all seven vehicles and 18 EVSEs that they investigated."
RFID cloning is currently possible in early generation EVSE infrastructure, which can lead to thieves getting charged up using someone else's debit or credit card. Some iOS and Android apps used to manage charging sessions "could also easily be reverse-engineered to reveal weaknesses in the EVSE management and vendor cloud interfaces," the researchers said.
EVSE internet interfaces have problems that are easy to guess: They often use insecure web services that can be accessed from a local smartphone or computer, while chargers from several manufacturers can be found on the public internet. Vulnerabilities in web services used by chargers could allow an attacker to change configuration data or push malicious firmware updates, the report found.
- Tencent research team scores free powerups for electric cars with Raspberry Pi-powered X-in-the-middle attack
- Secure boot for UK electric car chargers isn't mandatory until 2023
- GM: Seeing as all y'all like our electric cars, we'll double output next year
- Toyota dev left key to customer info on public GitHub page for five years
Communications between chargers and cloud services also contained a host of problems, like lacking appropriate authentication methods, not sanitizing input fields and even being open to supply chain attacks due to manufacturers' maintaining remote backdoor access.
As for hardware vulnerabilities, they included a host of outdated Linux kernels running superfluous services accessible via exposed USB ports that would let an attacker upload malicious firmware. Some chargers were even found to be operating off of Raspberry Pis without secure bootloaders.
Oh, and since we're going for the full run of security fails, of course the team found numerous hard-coded credentials, passwords hashed without a salt, and other cryptographic no-nos.
This is not great
What have we learned? That the EV charging industry seems to have treated cybersecurity the same way as the companies behind the Internet of Things: As an afterthought.
Jay Johnson, the Sandia electrical engineer behind the project, said that he hopes his team's findings will serve as a baseline in understanding the current state of the industry, which is vital to getting it fixed.
"By conducting this survey of electric vehicle charger vulnerabilities, we can prioritize recommendations to policymakers and notify them of what security improvements are needed by the industry," he explained.
"The government can say 'produce secure electric vehicle chargers,' but budget-oriented companies don't always choose the most cybersecure implementations. Instead, the government can directly support the industry by providing fixes, advisories, standards and best practices," Wright added.
No surprise here, but Sandia is recommending some basic cyber hygiene, like removing unneeded services, keeping software up to date, locking physical ports, and using proper encryption.
The team also suggested implementing better methods of EV owner authentication, like plug-and-charge public key infrastructure, as well as network intrusion detection systems, code-signed firmware updates and other habits it covers in its charging industry best-practices [PDF] suggstions.
Johnson's team isn't done yet, and has received follow-on funding to address some of the gaps it found alongside Idaho and Pacific Northwest National laboratories. Together, the three are working to develop a system for EV chargers that uses new methods to protect public infrastructure from ne'er-do-wells.
But until the government steps in with some regulations, Johnson said things won't improve.
Many EVSE manufacturers, Johnson told The Register, "are desperately trying to keep up with demand." While regulations have been discussed, Johnson said it's unlikely they'll appear for at least a year. Note that this applies in the US; the UK has already proposed regulations on EV chargers that will take effect next year.
While some vendors have improved their security, Johnson said those companies have found themselves at a market disadvantage against those in favor of rushing products to market. "Until there's regulation to level that playing field, market trends favor insecure systems," Johnson said. ®