Hackers could start abusing electric car chargers to cripple the grid, researcher says

If we don't start securing systems today, it will become a problem in 10 years, the researcher said

Hackers could use vulnerable charging stations to prevent the charging of electric vehicles in a certain area, or possibly even use the vulnerabilities to cripple parts of the electricity grid, a security researcher said during the Hack in the Box conference in Amsterdam on Thursday.

While electric cars and EV charging systems are still in their infancy, they could become a more common way to travel within the next 10 years. If that happens, it is important that the charging systems popping up in cities around the world are secure in order to prevent attackers from accessing and tempering with them, said Ofer Shezaf, product manager security solutions at HP ArcSight. At the moment, they are not secure at all, he said.

"Essentially a charging station is a computer on the street," Shezaf said. "And it is not just a computer on the street but it is also a network on the street."

Users want their cars to charge as quickly as possible but not all electric cars can be charged at once because the providers of charging stations have to take the local and regional circuit capacity in mind, said Shezaf. "Therefore we need smart charging," he said.

But installing smart charging systems means that the charging stations on the street need to be connected, so the amount of energy is distributed in such a way that electricity grids are not overloaded, he said. But when charging stations are connected, multiple charging stations can be abused if an hacker can access them, Shezaf said.

The easiest way is to physically access the charging stations. "There are systems on the street and it is very easy to access the computer," Shezaf said. "When you get to the equipment, reverse engineering it is actually a lot easier than you think."

Hackers could take apart the systems to determine components and analyze and debug the firmware, he said. By doing this they can potentially spot convenient eavesdropping points and get encryption keys, Shezaf said, who added that he based his research on public sources, and in most cases on documentation from vendors' websites.

Charging stations can be configured by opening them, placing a manual electric DIP switch to configuration mode, connecting an Ethernet cross cable and firing up a browser to get access to the configuration environment, he said. In at least one type of charging station this kind of access doesn't require any authentication, Shezaf found. "You go and open the box with a key and that is the last security measure you meet," he said.

Some charging stations are also connected using RS-485 short-range communications networks used for inexpensive local networking, Shezaf said. Those connections have a very low bandwidth and high latency, are commonly used and have no inherent security, he added.

And while it all depends on the application, bandwidth and latency limits of the RS-485 networks makes eavesdropping and man-in-the-middle attacks simple, according to Shezaf, who described several other potential vulnerabilities during his presentation.

Using these methods, hackers could start influencing charge planning or influence and stop charges, he said. If no electric car can charge for a day when 30 percent of all cars in a country are electric, this could become problematic, he said. "If someone can prevent charging for everyone in a small area you have a major influence on life. In a larger area it might be a really really big problem," Shezaf said.

"If somebody finds a way to confuse the smart car charging system, the denial of service can not only hit charging cars, but also the electricity system," he said.

While risks may be small today, it is time to start securing charging systems, Shezaf said. There should be more standardization in the charging sector, preferably using open standards, he said. But basically "we just have to pay more attention and spend more money," he said, adding that at the moment too little of both is happening.

"We shouldn't be relaxing now. The issues will become real when electric cars become real. If we don't start today it won't be secure in 10 years," he said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags intrusionsecurityAccess control and authenticationHITBdata breachdata protectionExploits / vulnerabilitiesprivacyDetection / prevention

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?