2021 witnessed a surge in the sales of Electric Vehicles (EVs), with the global movement to expand the usage of EVs picking up pace. The sales of EVs are at an all-time high as buyers race to switch from gasoline-powered vehicles to EVs due to the rising fuel costs that are further increased by the current geo-political tension across the world.
As state governments devise favorable policies to support the shift to EVs, global brands compete against each other to install Electric Vehicle Charging Stations (EVCS) across the world. With the future looking bright for EVs, it’s no surprise that Threat Actors (TAs) are set to target the EV market and exploit any vulnerabilities they may find. As EVCS are connected to the internet, they pose a significant risk of cyberattacks and are extremely vulnerable to malicious assaults. EVCS can also be physically accessed, and as a result, malicious hackers can manipulate the Internet of Things (IOT) sensors and Raspberry Pi EVSE Hat.
The French energy and automation giant Schneider Electric recently released a security advisory discussing the various vulnerabilities existing in the EcoStruxure EV Charging Expert devices. This shows criticality in the EVCS sector which alerts other vendors in the same segment to investigate and remediate their product range.
One of the most recent attacks on an EVCS took place in Moscow, Russia. In this incident, malicious attackers were able to override the present security parameters of the EVCS and successfully manipulated the display, showing support to Ukraine, as shown in the figure below.
According to a Facebook post by the Russian energy company Rosseti, EVCS along Russia’s M11 motorway, which runs from Moscow to Saint Petersburg, stopped working because an Ukrainian company that supplied parts of the chargers hacked them using a backdoor in the chargers’ control systems.
The chargers were obtained through a Russian firm that outsourced production to a Ukrainian component’s supplier called AutoEnterprise, a Kharkiv-based EV charging company, according to the Facebook post. The Facebook page of AutoEnterprise re-posted a video depicting the incident and stating “Россети идите на #уй ! Слава Украине!” (Rosseti is go to #uy! Glory to Ukraine!”)
Despite significant attempts to secure EVCS and establish cyber hygiene mandates and protocols for charging EVs, our research suggests that EVCS are a huge target of TAs.
Researchers at Cyble discovered multiple open instances of EVCS connected to the internet without any authorization. In some instances, EVCS were also found using default passwords, as shown in figures 2 and 3.
Web interface portals of EVCS exposed on the internet pose significant threats to the Energy and Transportation sectors of countries globally. An attacker gaining unauthorized access to these portals can obtain sensitive information like network details, software details, and firmware details, etc, as shown in figures 4 and 5.
The above figure shows the charger settings of EVCS which has details about Human Machine Interface (HMI), International Mobile Equipment Identity (IEMI), and Open Charge Point Protocol (OCPP), etc. These settings could provide attacker with valuable Information.
During our research, we came across a few instances of vulnerabilities that might allow an attacker to change the parameters set by the operator of EVCS, as shown in figures 6 and 7. Manipulating these settings may disrupt the smooth operations of EV stations.
As seen in the figure above, if the charging drops down to 6A (minimum charging current) the charging will stop at the EV station, making it difficult for vehicle owners to get their EVs charged.
The Open Charge Point Protocol (OCPP) is the standard protocol between charging point and backend software. The OCPP parameters such as card-based authentication, remote control by charge point operator, remote configuration, and smart grid-based charging are predefined by the operator. An attacker gaining rights to manipulate these settings can successfully disrupt these services at charging points.
The web instances found also provide the firmware upload functionality, as shown as in figure 8. This can enable TAs to upload malicious firmware files that can lead to ransomware attacks on organizations that use EVCS.
Attacks on EVCS have real-world consequences. When hackers interrupt services at the stations, it can cause severe repercussions for automobile drivers, car manufacturers, and possibly the city’s power infrastructure. TAs that obtain control of multiple EVCS may be able to reverse electricity back to the grid, undermining the area’s electric stability.
Failure to apply the available fixes may result in unauthorized access to the web server of EVCS, which can result in the tampering of the preset settings in the EVCS. Such manipulation may result in denial-of-service (DoS) attacks, unauthorized use of controlled EVCS, service outages, inability to interact with the supervisory system, and the change and disclosure of the product’s configuration.
Researchers at Cyble believe that with the growing demand of Electric Vehicles globally, Malicious attackers are going to target the Electric Vehicle (EV) sector to create chaos among people of country and to disrupt day to day operations of a city.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- The periodic assessment of firewall and router configurations is important.
- Make a list of all the components within EVCS and check for vulnerabilities in them at a granular level.
- Public-facing web instances are a significant threat for the critical sectors, which often go unaddressed by security teams. Doing so puts the complete environment at a greater risk of cyberattacks. Checking assets exposure is crucial, especially in these sectors.
- Keep a strong password policy.
- Restrict the access to assets as per the clearance level of the employee.
- Cybersecurity awareness training is a must for employees and those working in the critical sectors.