Endpoint Security , Governance & Risk Management , Internet of Things Security

Electric Vehicle Charging Stations at Risk From Hack Attacks

Many Charging Cable Interfaces Have Exposed SSH and HTTP Ports, Researchers Warn
Electric Vehicle Charging Stations at Risk From Hack Attacks
Image: Shutterstock

As demand for electric vehicles rises, the number of EV charging stations in cities and along highways is projected to climb. Along with convenience, these digital roadside pitstops are posing new cybersecurity risks.

See Also: Frost Radar™ on Healthcare IoT Security in the United States

Researchers have found that multiple brands of EV charging stations have exploitable vulnerabilities due to manufacturers often leaving open and unsecured SSH and HTTP ports. The risks range from an expanded attack surface to a launching pad for assaults on the power grid.

Researchers Wilco van Beijnum and Sebastiaan Laro Tol warned about charging station vulnerabilities at the annual Hardwear.io conference on Thursday in Amsterdam. The researchers work for ElaadNL, an initiative of Dutch power grid operators that work with manufacturers from all over the world to test the latest techniques for charging electric cars, trucks and buses, at its test lab in Arnhem.

A basic security challenge is that when an electric vehicle plugs into a charging station, the car and the charging station communicate with each other. "When connecting your EV to a DC fast charging station, the car will communicate with the charging station using a network connection. This connection is made over the powerline of the charging cable using the HomePlug protocol," researchers said. "Typically, the modem responsible for this communication is accessible in Linux as a regular network interface. Because of this, misconfiguration of services on the charging station controller might cause these services to be exposed on the charging cable."

All fast - or DC - EV charging stations and some AC charging stations use power-line communication, or PLC, to constantly communicate with a charging cable throughout the recharging or discharging process, sharing payment, configuration and power management details.

While many manufacturers appear to focus on power quality and compatibility, the researchers' presentation - titled "Hacking EV charging stations via the charging cable" - revealed that in too many cases, safeguarding charging stations from malicious communications appeared to be an afterthought, if ever considered at all.

Van Beijnum and Tol tested devices from 13 manufacturers, comprising 18 DC charging stations and one AC charging station, and unearthed flaws in half of the products. Of the chargers, eight left SSH exposed, two exposed HTTP and one exposed the machine-to-machine network protocol MQTT, while others exposed various proprietary services.

Blame the lack of security built into some charging cables on "a general lack of awareness in cybersecurity" among manufacturers, van Beijnum said. Based on the researchers' reporting of vulnerabilities to manufacturers, they've found that some are "cyber-aware and have this cyber knowledge," but others - especially startups, or companies that evolved from startups - seem to lack such knowledge.

"It's really difficult," he said. "If you don't do anything, then you're vulnerable by default."

For example, exposed HTTP servers could be abused to gain access to charging stations' configuration, aided by the devices using a weak enough password that it could be brute-forced, the researchers said. In addition, vulnerabilities in the devices' backup and restore functionality could be used to remotely exploit code.

Such vulnerabilities could be exploited to attack network services from the charging cable, potentially enabling an attacker with access to the charging station to pivot into the internal network, crash the power system and potentially cause more widespread outages by compromising the power grid stability or triggering blackouts, they said.

Another potential vulnerability comes in the form of malicious or infected cars that could be used to hack any charging station to which they are connected.

'Simple' Security Fixes Available

The big-picture problem, the researchers said, is that "exposure of excess services on the charging cable is a common occurrence," even though they could have been mitigated by simple security defenses.

"A simple solution for this would simply be to configure a firewall in the charging station so that both these ports are not accessible in the first place," van Beijnum said, referring to SSH and HTTP. Better access controls would also help, with many charging stations currently having the equivalent of "admin" set as both their default username and password.

The researchers demonstrated their findings by bringing on-stage their testing set-up, comprised of two Pelican cases: one contained a charging station simulator, running proprietary software. The other, connected via a charging cable, contained a Raspberry Pi with developed hardware attached on top, aka a HAT, designed to run their custom testing software that's able to set up an active connection with a charging station. This software is compromised of two self-developed Python scripts, as well as SwitchEV's Joint Operating System for EV chargers, or Josev, which is an open-source stack that they use to simulate communication with a charging station.*

Attendees at the Hardwear.io conference, which focuses on hardware security, peppered the researchers with questions, including whether malicious or subverted charging cables could be used to compromise electric vehicles.

Testing that will take more time and energy, since EVs will only establish communications with a charging cable if it's bringing DC power, the researchers said. Hence testing the security of communications between a charging cable and an electric vehicle will require having a DC power generator, which adds cost and complexity.

What might drive charging station makers to improve the cybersecurity of their devices? The researchers said their firm advises a number of government authorities that issue public tenders, meaning end users could stipulate minimum security requirements as part of their procurement process. The organization also advises legislators, helping to raise awareness.

Multiple EU requirements, including the Network and Information Systems Directive, or NIS2, as well as the Radio Equipment Directive and Cyber Resilience Act, also have components that would appear to touch on relevant security aspects, such as prohibiting default passwords on devices.

One audience member asked how researchers could get their hands on charging stations to test them for vulnerabilities, "because as I see it, these are basically 'unobtainium?'"

"We're hoping to spread awareness with this presentation as well that this attack vector is possible, so more independent companies can start investigating this," van Beijnum said.

*Update Oct. 25, 2024 08:02 UTC: This story has been updated to clarify the details of the researchers' demonstration.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.