Hackers could use vulnerable charging stations to prevent the charging of electric vehicles in a certain area, or possibly even use the vulnerabilities to cripple parts of the electricity grid, a security researcher said during the Hack in the Box conference in Amsterdam on Thursday.
While electric cars and EV charging systems are still in their infancy, they could become a more common way to travel within the next 10 years. If that happens, it is important that the charging systems popping up in cities around the world are secure in order to prevent attackers from accessing and tempering with them, said Ofer Shezaf, product manager security solutions at HP ArcSight. At the moment, they are not secure at all, he said.
"Essentially a charging station is a computer on the street," Shezaf said. "And it is not just a computer on the street but it is also a network on the street."
Users want their cars to charge as quickly as possible but not all electric cars can be charged at once because the providers of charging stations have to take the local and regional circuit capacity in mind, said Shezaf. "Therefore we need smart charging," he said.
But installing smart charging systems means that the charging stations on the street need to be connected, so the amount of energy is distributed in such a way that electricity grids are not overloaded, he said. But when charging stations are connected, multiple charging stations can be abused if an hacker can access them, Shezaf said.
The easiest way is to physically access the charging stations. "There are systems on the street and it is very easy to access the computer," Shezaf said. "When you get to the equipment, reverse engineering it is actually a lot easier than you think."
Hackers could take apart the systems to determine components and analyze and debug the firmware, he said. By doing this they can potentially spot convenient eavesdropping points and get encryption keys, Shezaf said, who added that he based his research on public sources, and in most cases on documentation from vendors' websites.
Charging stations can be configured by opening them, placing a manual electric DIP switch to configuration mode, connecting an Ethernet cross cable and firing up a browser to get access to the configuration environment, he said. In at least one type of charging station this kind of access doesn't require any authentication, Shezaf found. "You go and open the box with a key and that is the last security measure you meet," he said.
Some charging stations are also connected using RS-485 short-range communications networks used for inexpensive local networking, Shezaf said. Those connections have a very low bandwidth and high latency, are commonly used and have no inherent security, he added.
And while it all depends on the application, bandwidth and latency limits of the RS-485 networks makes eavesdropping and man-in-the-middle attacks simple, according to Shezaf, who described several other potential vulnerabilities during his presentation.
Using these methods, hackers could start influencing charge planning or influence and stop charges, he said. If no electric car can charge for a day when 30 percent of all cars in a country are electric, this could become problematic, he said. "If someone can prevent charging for everyone in a small area you have a major influence on life. In a larger area it might be a really really big problem," Shezaf said.
"If somebody finds a way to confuse the smart car charging system, the denial of service can not only hit charging cars, but also the electricity system," he said.
While risks may be small today, it is time to start securing charging systems, Shezaf said. There should be more standardization in the charging sector, preferably using open standards, he said. But basically "we just have to pay more attention and spend more money," he said, adding that at the moment too little of both is happening.
"We shouldn't be relaxing now. The issues will become real when electric cars become real. If we don't start today it won't be secure in 10 years," he said.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to [email protected]