LONDON—Several vulnerabilities in six home electric vehicle charging brands and a large public EV charging network have been identified by Pen Test Partners, a U.K. cybersecurity company. According to TechCrunch.com, the charger manufacturers have resolved most of the issues, but the findings are the latest example of the loosely regulated world of Internet of Things devices.
Hacks to charging stations have become a threat as a greater share of transportation becomes electrified. Electric grids are not designed for large swings in power consumption, but that could happen should there be a large hack that turns on or off a sufficient number of DC fast-chargers.
The cybersecurity company identified five different EV charging brands as having vulnerabilities: EO Charging’s EO Hub and EO mini pro 2, Wallbox, Project EV, EVBox and Hypervolt. Pen Test Partners also identified vulnerabilities in the public charging network ChargePoint. The company examined Rolec but said it didn’t find vulnerabilities.
The firm said several of the identified security flaws among the various brands could have allowed a malicious hacker to get into user accounts, impede charging and even turn one of the chargers into a “backdoor” into the owner’s home network. The consequences of a hack to a public charging station network could include theft of electricity at the expense of driver accounts and turning chargers on or off.
Some EV chargers, like Wallbox and Hypervolt, rely on a Raspberry Pi compute module, an inexpensive computer. “The Pi is a great hobbyist and educational computing platform, but in our opinion it’s not suitable for commercial applications as it doesn’t have what’s known as a ‘secure bootloader,’” said Ken Munro, founder, Pen Test Partners. “This means anyone with physical access to the outside of your home (and your charger) could open it up and steal your Wi-Fi credentials. Yes, the risk is low, but I don’t think charger vendors should be exposing us to additional risk.”
The company touched on vulnerabilities associated with emerging protocols like the Open Charge Point Interface (OCPI), maintained and managed by the EVRoaming Foundation. The protocols are designed to make charging seamless between different charging networks and operators. Munro compared it to roaming on a cellphone: it allows drivers to use networks outside of their usual charging network. OCPI isn’t widely used currently, but if left unaddressed, it could mean “that a vulnerability in one platform potentially creates a vulnerability in another,” Stykas said.
Both startups and government entities are trying to tackle this issue. Thistle Technologies is trying to help IoT device manufacturers integrate mechanisms into their software to receive security updates, but it’s unlikely this problem can be fully solved by private industry alone. Last week, President Joe Biden released a memorandum calling for greater cybersecurity for systems related to critical infrastructure.
“The degradation, destruction or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States,” Biden said. Until addressed, it is unknown if it’s a risk that will trickle down to consumer products.
A new report from the Fuels Institute Electric Vehicle Council, “EV Consumer Behavior,” provides invaluable insight to help guide those entering and involved in the EV market. The report includes information about the habits and practices of current EV owners and how those might change over time.