Hackers could start abusing electric car chargers to cripple the grid, researcher says

If we don't start securing systems today, it will become a problem in 10 years, the researcher said

Hackers could use vulnerable charging stations to prevent the charging of electric vehicles in a certain area, or possibly even use the vulnerabilities to cripple parts of the electricity grid, a security researcher said during the Hack in the Box conference in Amsterdam on Thursday.

While electric cars and EV charging systems are still in their infancy, they could become a more common way to travel within the next 10 years. If that happens, it is important that the charging systems popping up in cities around the world are secure in order to prevent attackers from accessing and tempering with them, said Ofer Shezaf, product manager security solutions at HP ArcSight. At the moment, they are not secure at all, he said.

"Essentially a charging station is a computer on the street," Shezaf said. "And it is not just a computer on the street but it is also a network on the street."

Users want their cars to charge as quickly as possible but not all electric cars can be charged at once because the providers of charging stations have to take the local and regional circuit capacity in mind, said Shezaf. "Therefore we need smart charging," he said.

But installing smart charging systems means that the charging stations on the street need to be connected, so the amount of energy is distributed in such a way that electricity grids are not overloaded, he said. But when charging stations are connected, multiple charging stations can be abused if an hacker can access them, Shezaf said.

The easiest way is to physically access the charging stations. "There are systems on the street and it is very easy to access the computer," Shezaf said. "When you get to the equipment, reverse engineering it is actually a lot easier than you think."

Hackers could take apart the systems to determine components and analyze and debug the firmware, he said. By doing this they can potentially spot convenient eavesdropping points and get encryption keys, Shezaf said, who added that he based his research on public sources, and in most cases on documentation from vendors' websites.

Charging stations can be configured by opening them, placing a manual electric DIP switch to configuration mode, connecting an Ethernet cross cable and firing up a browser to get access to the configuration environment, he said. In at least one type of charging station this kind of access doesn't require any authentication, Shezaf found. "You go and open the box with a key and that is the last security measure you meet," he said.

Some charging stations are also connected using RS-485 short-range communications networks used for inexpensive local networking, Shezaf said. Those connections have a very low bandwidth and high latency, are commonly used and have no inherent security, he added.

And while it all depends on the application, bandwidth and latency limits of the RS-485 networks makes eavesdropping and man-in-the-middle attacks simple, according to Shezaf, who described several other potential vulnerabilities during his presentation.

Using these methods, hackers could start influencing charge planning or influence and stop charges, he said. If no electric car can charge for a day when 30 percent of all cars in a country are electric, this could become problematic, he said. "If someone can prevent charging for everyone in a small area you have a major influence on life. In a larger area it might be a really really big problem," Shezaf said.

"If somebody finds a way to confuse the smart car charging system, the denial of service can not only hit charging cars, but also the electricity system," he said.

While risks may be small today, it is time to start securing charging systems, Shezaf said. There should be more standardization in the charging sector, preferably using open standards, he said. But basically "we just have to pay more attention and spend more money," he said, adding that at the moment too little of both is happening.

"We shouldn't be relaxing now. The issues will become real when electric cars become real. If we don't start today it won't be secure in 10 years," he said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags intrusionsecuritydata breachHITBAccess control and authenticationExploits / vulnerabilitiesdata protectionprivacyDetection / prevention

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?