Given that creating proof-of-concept (PoC) cyberattacks for the Internet of Things (IoT) is essentially like shooting fish in a barrel these days, perhaps it’s not exactly surprising that a new niche category has proven to present a fresh attack surface: electric vehicle (EV) charging stations.
The danger is physical in this case: Research demonstrates that a savvy attacker could hack into the station and prevent a car from charging – or, in a much worse scenario, could even start a fire.
EVs are ever-more available and popular – but a lack of freely available charging infrastructure continues to hamstring the market. To address this, home EV chargers have started to proliferate, which allows consumers to “refuel” their vehicle from their own garage.
Some of these offer remote control of the charging process, which is convenient for the consumer. However, it could become inconvenient very quickly: Kaspersky Lab security researchers looked into one such station, ChargePoint Home, and found a raft of vulnerabilities that could give an attacker unfettered access to the device.
Mobile App Functions
To start with, the research team found that an attacker could stop a car’s charging process at any time, “restricting an EV owner’s ability to drive where they need to, and even cause financial losses,” according to Kaspersky Lab’s report, which came out on Thursday.
ChargePoint Home’s mobile application allows the end user to remotely control the charging process.
To register a new account in the application, a user would connect a smartphone to the device via Bluetooth, set the parameters of a Wi-Fi network for an internet connection, and finish the registration process by sending the created user ID and the smartphone’s GPS coordinates to the backend from the device.
For further investigation, the researchers connected the charging station to their Wi-Fi network – and found that once a user was registered to an app, it was trivial to bypass the authentication mechanism in order to add a new, additional permanent user – unbeknownst to the legitimately registered owner.
“All an attacker needs to do to conduct an attack is obtain Wi-Fi access to the network the charger is connected to,” said Dmitry Sklyar, security expert at Kaspersky Lab, speaking to Threatpost. “Since the devices are made for domestic use, security for the wireless network is likely to be limited. This means that attackers could gain access easily, for example by bruteforcing all possible password options, which is quite common: according to Kaspersky Lab statistics, 94 percent of attacks on IoT in 2018 came from Telnet and SSH password bruteforcing, and all the latest reports show the rising number of attacks on home routers. Once inside the wireless network, the intruders can easily find the charger’s IP address. This, in turn, will allow them to exploit any vulnerabilities.”
Stack Overflow and More
The charging station also runs a web server with CGI enabled on the device, and the CGI binaries behind it present various flaws.
“We discovered a series of vulnerabilities in CGI binaries that can be used by an intruder to gain control of the device,” the researchers said.
They added that “two of them were found in the binary used to upload files in different folders to the device depending on the query string parameters.” Multiple stack buffer overflows were found in the binary used to send different commands to the charger, and one was found in another binary used for downloading different system logs from the device. “All this presents attackers with an opportunity to control the charging process by connecting to the target’s Wi-Fi network,” the report noted.
That means that someone could in theory adjust the maximum current that can be consumed during charging.
“As a result, an attacker can temporarily disable parts of the user’s home electrical system or even cause physical damage – for example, if the device is not connected properly, a fire could start due to wires overheating,” the researchers said.
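The CGI flaws described above, stack buffer overflows in binaries that take a folder name or a command from the query string, belong to a bug class a defender can illustrate without the device's own code. The following C is an added example and is not ChargePoint's or Kaspersky Lab's code: it contrasts the unsafe pattern (an unbounded copy of a query-string value into a fixed stack buffer) with a handler that bounds-checks each value before copying it and validates the target folder against an allow-list. The parameter name `folder`, the folder names, the size limit and the status codes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Maximum accepted length of a single query-string value (constructed limit). */
#define MAX_PARAM_LEN 64

/* Hypothetical allow-list of upload folders; the real device's folder names are not known here. */
static const char *const ALLOWED_FOLDERS[] = { "logs", "firmware", "config" };

/*
 * Unsafe pattern (illustration of the bug class only; never called below):
 * the value length is taken from the request, the buffer size is fixed on the
 * stack, and nothing in between compares the two.
 */
void unsafe_copy_pattern(const char *value)
{
    char folder[32];
    strcpy(folder, value);          /* overflows `folder` for any value of 32+ bytes */
    printf("folder: %s\n", folder);
}

/*
 * Hardened form: copy the value of `key` from a CGI QUERY_STRING into `out`
 * (size `out_sz`). Returns the value length on success, -1 if the key is
 * absent, and -2 if the value would not fit, so an oversized request is
 * rejected instead of running past the stack buffer.
 */
int query_param(const char *qs, const char *key, char *out, size_t out_sz)
{
    size_t klen = strlen(key);
    const char *p = qs;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t pair_len = end ? (size_t)(end - p) : strlen(p);
        /* pair_len > klen guarantees p[klen] is inside this pair */
        if (pair_len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            size_t vlen = pair_len - klen - 1;
            if (vlen + 1 > out_sz)      /* leave room for the NUL terminator */
                return -2;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Accept a folder name only if it exactly matches an allow-listed entry;
 * exact matching also rejects "../"-style values and empty names. */
int folder_allowed(const char *folder)
{
    for (size_t i = 0; i < sizeof ALLOWED_FOLDERS / sizeof ALLOWED_FOLDERS[0]; i++)
        if (strcmp(folder, ALLOWED_FOLDERS[i]) == 0)
            return 1;
    return 0;
}

/* CGI-style upload handler: extract and validate the folder parameter before
 * any file is written. Returns an HTTP-like status: 200 when the request is
 * acceptable, 400 otherwise (missing, oversized or unlisted folder). */
int handle_upload(const char *query_string)
{
    char folder[MAX_PARAM_LEN];
    int n = query_param(query_string, "folder", folder, sizeof folder);
    if (n <= 0 || !folder_allowed(folder))
        return 400;
    /* the actual file write would happen here, confined to folder/ */
    return 200;
}

int main(void)
{
    /* Constructed sample requests, not captured device traffic. */
    const char *requests[] = {
        "folder=logs&name=boot.txt",
        "folder=../etc&name=passwd",
        "folder=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-40.40s -> %d\n", requests[i], handle_upload(requests[i]));
    return 0;
}
```

The point of the hardened handler is that the request never decides how many bytes land on the stack: the caller's buffer size is the only limit, and a value that would not fit produces a 400 rather than a write past the end of `folder`. The allow-list check is the second half of the fix for an "upload into a folder chosen by the query string" binary, since a bounded but unvalidated folder name would still let the client pick the destination.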
Vulnerabilities in the Bluetooth stack were also found, but these are minor due to the limited use of Bluetooth during regular device operation.
Kaspersky Lab said that it reported the issues to ChargePoint, and the vulnerabilities have already been patched.
“The question remains as to whether there is any reason to implement wireless interfaces when there is no real need for them,” the researchers noted. “The benefits they bring are often outweighed by the security risks.”
This post was updated on Dec. 19 at 10:57 a.m. with comments from Kaspersky Lab.
Image courtesy of ChargePoint