[ad_1]
UK cybersecurity firm Pen Test Partners has identified several vulnerabilities in the APIs of six home electric vehicle charging brands and a large public electric vehicle charging network. While charger makers have solved most of the problems, the findings are the latest example of the poorly regulated world of IoT devices, which are poised to become ubiquitous in our homes and vehicles.
Vulnerabilities have been identified in the API of six different EV charging brands – Project EV, Wallbox, EVBox, EO Hub and EO mini pro 2 from EO Charging, Rolec and Hypervolt – and in the Chargepoint public charging network. Security researcher Vangelis Stykas identified several security flaws among different brands that could have allowed a malicious hacker to hijack user accounts, hamper loading and even turn one of the chargers into a ” backdoor ”in the owner’s home network.
The consequences of hacking into a network of public charging stations could include theft of electricity to the detriment of driver accounts and the activation or deactivation of chargers.
A Raspberry Pi in a Wallbox charger. (Image: pen testing partners (Opens in a new window))
Some electric vehicle chargers used a Raspberry Pi compute module, a cheap computer often used by hobbyists and programmers.
“The Pi is a great computing platform for hobbyists and education alike, but in our opinion it is not suitable for commercial applications because it does not have what is called a ‘secure boot loader’,” Pen Test Partners founder Ken Munro told TechCrunch. “This means that anyone with physical access to the outside of your house (hence your charger) could open it and steal your Wi-Fi credentials. Yes, the risk is low, but I don’t think so. that charger sellers should put us at additional risk.
The hacks are “really pretty straightforward,” Munro said. “I can teach you how to do this in five minutes,” he added.
The company’s report, released last weekend, addressed vulnerabilities associated with emerging protocols such as the Open Charge Point Interface, maintained and managed by the EVRoaming Foundation. The protocol was designed to make billing transparent between different networks and billing operators.
Munro likened it to roaming on a cell phone, allowing drivers to use networks outside of their usual charging network. OCPI is not widely used at the moment, so these vulnerabilities could be designed from the protocol. But if left unchecked, it could mean “that a vulnerability on one platform potentially creates a vulnerability on another,” Stykas explained.
Hacking of charging stations has become a particularly nefarious threat, as more transportation is electrified and more electricity flows through the power grid. Power grids aren’t designed for large swings in power consumption – but that’s exactly what could happen, if there was a big hack that turned on or off a sufficient number of fast DC chargers.
“It doesn’t take much to trigger an electrical grid overload,” Munro said. “We inadvertently made a cyber weapon that others could use against us.”
The “Wild West” of cybersecurity
While the effects on the power grid are unique to electric vehicle chargers, cybersecurity issues are not. Routine hacks reveal more endemic problems in IoT devices, where being first to market often trumps solid security – and where regulators are barely able to catch up with the pace of innovation.
“There really isn’t a whole lot of application,” Justin Brookman, director of privacy policy and consumer technology for Consumer Reports, told TechCrunch in a recent interview. The enforcement of data security in the United States falls under the jurisdiction of the Federal Trade Commission. But while there is a general consumer protection law, “it may very well be illegal to build a system that has poor security, it’s just a matter of whether you’re going to be enforced or not,” said Brookman.
A separate federal bill, the Internet of Things Cyber Security Enhancement Act, was passed last September, but only applies broadly to the federal government.
There is only slightly more movement at the state level. In 2018, California passed a bill banning default passwords in new consumer electronics devices from 2020 – a useful step forward, to be sure, but one that places the burden of data security largely in the hands of consumers. consumers. California, along with states like Colorado and Virginia, have also passed laws requiring reasonable security measures for IoT devices.
Such laws are a good start. But (for better or worse) the FTC is not like the United States Food and Drug Administration, which audits consumer products before they hit the market. Currently, there are no security checks on technological devices before they reach consumers. In the UK, “it’s also the Wild West here, right now,” Munro said.
Some startups have emerged that are trying to tackle this problem. One is Thistle Technologies, which tries to help IoT device manufacturers build mechanisms into their software to receive security updates. But it is unlikely that this problem will be entirely solved by private industry alone.
Since EV chargers could pose a unique threat to the power grid, it is possible that EV chargers fall under a critical infrastructure bill. Last week, President Joe Biden issued a memorandum calling for greater cybersecurity for systems related to critical infrastructure. “The degradation, destruction or malfunction of the systems that control this infrastructure could significantly harm the national and economic security of the United States,” Biden said. Whether this will affect consumer products is another question.
Source link
