Given that creating proof-of-concept (PoC) cyberattacks for the Internet of Things (IoT) is essentially like shooting fish in a barrel these days, perhaps it’s not exactly surprising that a new niche category has proven to present a fresh attack surface: electric vehicle (EV) charging stations.
The danger is physical in this case: Research demonstrates that a savvy attacker could hack into the station and prevent a car from charging – or, in a much worse scenario, could even start a fire.
EVs are ever-more available and popular – but a lack of freely available charging infrastructure continues to hamstring the market. To address this, home EV chargers have started to proliferate, allowing consumers to “refuel” their vehicle from their own garage.
Some of these offer remote control of the charging process, which is pretty convenient if you’re a consumer. However, it could become inconvenient very quickly: Kaspersky Lab security researchers looked into one of the stations, dubbed the ChargePoint Home offering, and found a raft of vulnerabilities that could give an attacker unfettered access to the device.
Insecure Mobile App Registration
To start with, the research team found that an attacker could stop a car’s charging process at any time, “restricting an EV owner’s ability to drive where they need to, and even cause financial losses,” according to Kaspersky Lab’s report, which came out on Thursday.
The point of attack is ChargePoint Home’s mobile application, which allows the end user to remotely control the charging process.
“All that’s needed is to register a new account in the application, connect a smartphone to the device via Bluetooth, set the parameters of a Wi-Fi network for an internet connection, and finish the registration process by sending the created user ID and the smartphone’s GPS coordinates to the backend from the device,” Kaspersky Lab researchers said.
For further investigation, the researchers connected the charging station to their Wi-Fi network – and found that once a user was registered to an app, it was trivial to bypass the authentication mechanism in order to add a new, additional permanent user – unbeknownst to the legitimately registered owner.
“It had an open telnet port with password authentication,” the team explained. “To bypass authentication, we used JTAG to inject our code into the password verification procedure…and bypass authentication with an incorrect password.”
At this point, that secondary, secret user can use the mobile app to turn the charging station on and off.
Stack Overflow and More
The charging station also runs a web server with CGI enabled, which presents various flaws.
“We discovered a series of vulnerabilities in CGI binaries that can be used by an intruder to gain control of the device,” the researchers said.
They added that “two of them were found in the binary used to upload files in different folders to the device depending on the query string parameters.” Multiple stack buffer overflows were found in the binary used to send different commands to the charger, and one was found in another binary used for downloading different system logs from the device. “All this presents attackers with an opportunity to control the charging process by connecting to the target’s Wi-Fi network,” the report noted.
That means that someone could in theory adjust the maximum current that can be consumed during charging.
“As a result, an attacker can temporarily disable parts of the user’s home electrical system or even cause physical damage – for example, if the device is not connected properly, a fire could start due to wires overheating,” the researchers said.
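The bug class described above (a CGI binary copying query-string values into a fixed stack buffer, then acting on a current setting), shown in hardened form as an added example; it is not code from ChargePoint or from the Kaspersky Lab report. The parameter name `amps`, the 32-byte buffer and the 6 to 32 A range are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VALUE_LEN 32   /* constructed limit for this example */
#define AMPS_MIN 6         /* constructed safe range, not ChargePoint's */
#define AMPS_MAX 32

/* Copy the value of `key` from a CGI query string into `out` (size `outsz`).
 * Returns 0 on success, -1 if the key is missing, -2 if the value does not
 * fit. An over-long value is rejected, never truncated or copied blindly
 * (an unbounded strcpy/sprintf into a stack array is the bug class). */
int get_param(const char *qs, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    if (qs == NULL || outsz == 0)
        return -1;
    for (const char *p = qs; *p != '\0'; ) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= outsz)
                return -2;              /* would overflow: refuse */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p += seglen;
        if (*p == '&')
            p++;
    }
    return -1;
}

/* Parse and range-check the hypothetical "amps" parameter.
 * Returns the value, or -1 for anything missing, malformed or out of range. */
int parse_amps(const char *qs)
{
    char buf[MAX_VALUE_LEN];
    char *endp;
    long v;

    if (get_param(qs, "amps", buf, sizeof buf) != 0 || buf[0] == '\0')
        return -1;
    errno = 0;
    v = strtol(buf, &endp, 10);
    if (errno != 0 || *endp != '\0' || v < AMPS_MIN || v > AMPS_MAX)
        return -1;
    return (int)v;
}
```

The range check matters independently of the length check: a well-formed request with an unsafe current value should be refused by the device itself, not only by the mobile app.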
Vulnerabilities in the Bluetooth stack were also found, but these are minor due to the limited use of Bluetooth during regular device operation.
Kaspersky Lab said that it reported the issues to ChargePoint, and the vulnerabilities have already been patched.
“The question remains as to whether there is any reason to implement wireless interfaces when there is no real need for them,” the researchers noted. “The benefits they bring are often outweighed by the security risks.”