Security flaws found in popular EV chargers | TechCrunch

Pen Test Partners, a U.K. cybersecurity firm, has discovered vulnerabilities in six home-based electric vehicle charging brands as well as a large public EV charging system. The majority of the issues were resolved by the charger manufacturers, but the findings illustrate the unregulated world of Internet of Things devices that are set to become almost ubiquitous in homes and cars.

Vulnerabilities were found in six EV charging brands: Project EV, Wallbox, EVBox, EO Charging's EO Hub and EO mini pro 2, Rolec and Hypervolt, and in the public charging network Chargepoint. Vangelis Stykas, security researcher, identified several security flaws in the API of six different brands that could have allowed a malicious hacker to access user accounts, impede charging, and even open a backdoor into the owner's home network.

A hack of a public charging station network can lead to theft of electricity and the turning off or on of chargers.

Some EV chargers used a Raspberry Pi compute module, a low-cost computer often used by hobbyists as well as programmers.

TechCrunch was told by Ken Munro, Pen Test Partners founder, that while the Pi is great for hobbyists and educators, it's not suitable for commercial use because it doesn't have what's known as a secure bootloader. Anyone with access to your home's exterior (hence your charger) can open the Pi and steal your Wi-Fi credentials. Although the risk is minimal, I don't think charger vendors should expose us to any additional risk.

Munro stated that the hacks are very simple. He said that he could teach you how to do it in just five minutes.

The company's report, published this weekend, focused on potential vulnerabilities in emerging protocols such as the Open Charge Point Interface (OCPI), which is maintained and managed by the EVRoaming Foundation. This protocol is designed to allow seamless charging between different charging networks and operators.

Munro compared it to roaming with a cell phone.
This allows drivers to use networks other than their normal charging network. These vulnerabilities can be tampered with because OCPI isn't widely used right now. Stykas said that a potential vulnerability in one platform could lead to a vulnerability on another platform if it is not addressed.

Hacks to charging stations are a growing threat as more vehicles become electrified and more electricity flows through the grid. Although electric grids are not intended for large swings of power consumption, this is exactly what could happen if there were a large hack that turned off enough DC fast chargers.

Munro stated that it doesn't take much to cause the power grid to overload. Inadvertently, we have created a cyberweapon others could use against us.

Cybersecurity: The Wild West

Cybersecurity issues are not unique to EV chargers. Routine hacks expose more problems in IoT devices. In an environment where being first to market is often preferred over security, regulators struggle to keep up with the speed of innovation.

In fact, there is not much enforcement, Justin Brookman (Director of Consumer Privacy and Technology Policy at Consumer Reports) said to TechCrunch in an interview. The Federal Trade Commission is responsible for data security enforcement in the United States. Brookman said that although there is a general-purpose consumer law, it may be illegal to create a system with poor security. It just depends on whether you get enforced against.

The Internet of Things Cybersecurity Improvement Act was a separate federal bill that was passed in September. However, it only applies broadly to the federal government.

Only a little more is happening at the state level. California passed a bill in 2018 that banned default passwords for new consumer electronics beginning in 2020. This is a significant step forward, but it largely places the responsibility of data security in the consumers' hands.
California, along with other states such as Virginia and Colorado, has also passed laws that require reasonable security measures for IoT devices.

These laws are a good place to start. The FTC, for better or worse, is not like the U.S. Food and Drug Administration, which inspects consumer products before they are released to the public. There is currently no security inspection of technology devices before they reach consumers. Munro stated that the Wild West is also present in the United Kingdom.

There are a few startups that have started to address this problem. Thistle Technologies is one such startup. It aims to assist IoT device manufacturers in integrating security updates into their software. It is unlikely that this problem can be solved entirely by private industry.

EV chargers may pose a unique threat to the electric grid. This means that EV chargers might be included in a critical infrastructure bill. Last week, President Joe Biden issued a memorandum requesting greater cybersecurity for critical infrastructure systems. Biden stated that the degradation, destruction, or malfunction of infrastructure systems could result in significant damage to the nation's economic and national security. It is not clear if this will affect consumer products.