U.K.-based cybersecurity firm Pen Test Partners has disclosed security flaws in the application programming interfaces (APIs) of EV chargers from multiple brands.
Over the last 18 months, Pen Test Partners has been investigating the security of smart electric vehicle chargers.
Pen Test Partners tested six different home electric vehicle charger providers and one full-scale public charging station. The six EV charging companies listed are Project EV, Wallbox, EVBox, Rolec, Hypervolt, EO Charging’s EO Hub, and EO mini pro 2. The public charging station tested was ChargePoint.
According to the research findings, some of the brands were highly insecure, whereas others carried minimal risk. According to PTP, Project EV was the most insecure, and Rolec and Hypervolt turned out to be the most secure of them all.
Hypervolt told us that PTP carried out a penetration test but couldn’t penetrate its system. However, Hypervolt also confirmed that “if someone physically attacked the charger they would be able to impede charging by wholesale replacing the board.”
According to security researcher Vangelis Stykas, these security flaws can easily allow hackers to take over users’ accounts and expose users to many other risks. The hackers can impede charging, switch the charger on and off, steal your Wi-Fi credentials, and even steal electricity from public charging stations.
What Could Lead To Security Flaws In EV Chargers?
The major reason behind the weak security of these IoT devices is the Raspberry Pi Compute Module. It’s a low-cost computer often used by programmers, and these companies have used it to reduce cost. The founder of Pen Test Partners, Ken Munro, told TechCrunch, “The Pi is a great hobbyist and educational computing platform, but in our opinion, it’s not suitable for commercial applications as it doesn’t have what’s known as a ‘secure bootloader.’”
In addition, he said, this means anyone with physical access to your charger can easily steal your Wi-Fi credentials. Munro also said the hack is fairly simple and that he can teach it in just five minutes.
However, PTP also states in its report that, “The Raspberry Pi hardware issues remain, however the risk of compromise seems low, given the need for physical access to the charger.”
With the use of the Raspberry Pi, the risk isn’t very high, but Munro said companies should still not expose us to additional risk. The hacks affecting the charging station, however, are a serious matter of concern. The future is electric, and the number of electric vehicles is increasing every day.
That means more power flowing through electric grids. If there were a large hack of DC fast-charging stations, it could cause more harm. Munro says we’ve inadvertently made a cyberweapon that others could use against us. Now that the matter has been brought to light, companies can be expected to rectify these flaws and make their systems more secure.
Source: TechCrunch and Pen Test Partners.