Flaws in Electric Vehicle (EV) charging stations can let hackers perform a series of nefarious activities, and even set a home on fire. Although the dangers are limited, the vulnerabilities can have dire consequences if attackers exploit them successfully.
Researchers from Kaspersky Lab demonstrated that chargers supplied by a majority of electric vehicle vendors carry vulnerabilities that could allow an attacker to hack into a charging station remotely and prevent a car from charging.
The researchers targeted the ‘ChargePoint’ mobile application to understand the attack process. The app allowed end users to remotely control the charging process just by syncing a smartphone with the EV via Bluetooth.
“All that’s needed is to register a new account in the application, connect a smartphone to the device via Bluetooth, set the parameters of a Wi-Fi network for an internet connection, and finish the registration process by sending the created user ID and the smartphone’s GPS coordinates to the backend from the device,” said the Kaspersky Lab researchers.
Further investigation showed that it was possible to bypass the authentication process once users were registered with the app and connected to the Wi-Fi.
“It had an open telnet port with password authentication. To bypass authentication, we used JTAG to inject our code into the password verification procedure...and bypass authentication with an incorrect password,” the researchers explained.
The vulnerabilities in the charger could also be used to adjust the maximum current that can be consumed during charging. This can ultimately set the house on fire due to overheating of the wires.
“As a result, an attacker can temporarily disable parts of the user’s home electrical system or even cause physical damage – for example, if the device is not connected properly, a fire could start due to wires overheating.”
Vulnerabilities in the Bluetooth stack were also discovered, but these had only minor impact.
Kaspersky reported the problems to ChargePoint, after which the firm issued security patches immediately.
“The question remains as to whether there is any reason to implement wireless interfaces when there is no real need for them. The benefits they bring are often outweighed by the security risks,” the researchers noted.