From pv magazine USA
Smart chargers have become a useful resource for electric vehicle (EV) owners, allowing them to remotely monitor and manage the charge state, speed and timing of their car chargers, among other functions. Smart chargers can also be integrated into a home’s solar and storage system to provide even greater control and flexibility over one’s own energy use.
As with any emerging technology, there have been hiccups and issues in the early stages of rollout. However, with smart EV chargers, these shortcomings are more concerning than, say, a malfunctioning new video game console.
Pen Test Partners, a security consulting company, recently spent 18 months investigating the security of some of the market’s leading smart charger offerings, and found troubling results. Of the six smart chargers they tested, nearly all of them included some level of security risk, from accessible user data to the possibility of hijacking “millions” of smart chargers.
To better understand how these risks emerged, the scope of the issue at hand, and potential remedies for the risks, pv magazine spoke with Baksheesh Singh Ghuman, senior director of product and GTM strategy at Finite State, a cybersecurity company focused on Internet of Things (IoT) connected devices.
IoT refers to the network of physical objects embedded with sensors, software, and other technologies that are used for the purpose of connecting and exchanging data with other devices and systems over the internet, like smart chargers, smart thermostats and smartphones.
“It’s a connected device, so its functions are all software defined. The software controls a majority of the functions,” explained Ghuman. “[They can define] who the users are, who can charge and cannot charge, when they can charge, or how much they can charge.”
Ghuman said that while the devices are connected, they also allow remote access. Functionally, this allows owners to access the charger’s app from a distance, so they can look at state of charge on their vehicles. That means that the devices are also connected to a user’s home network. If one gets access to a smart charger, that means they can indirectly get access to a user’s home network.
The user is then compromised and potentially open to cyberattacks, as well as ransomware attacks, which shut down devices until a ransom is paid.
According to Ghuman, the associated vulnerabilities can be placed in three critical categories:
- Hardcore credentials, which provide privilege access and the ability to provide reserve privilege access.
- Remote code execution flaws, which allow for the remote injection of malicious code, opening users up to distributed denial-of-service (DDoS) attacks.
- SQL injection vulnerabilities, which allow interface access, giving control over the interfaces of chargers. With this, an individual can control who can use them and how much they can use.
The specific consequences of these vulnerabilities differ between public-use EV chargers and private chargers in a user’s home. For public chargers, the main concern is theft of electricity.
“If somebody’s got access to it, then they can then we can use the same account to charge multiple devices or vehicles,” said Ghuman.
Individuals could also remotely turn on and off as many chargers as they have access to, whenever they want, for however long they want, which could have an indirect impact on the power grid.
“It’s like a cyberattack, so to speak. There’s a whole range of things you can do you can ever have more access to that. You can actually control the device itself,” he said.
For homes, the risk is more on network control and user data extraction. Individuals could also send bad information to billing systems, charging users for more electricity than they consume, and gain access to all user data stored within a device and its associated software and apps.
“If you’ve got access to a device, you can actually control the device and, from that device, then, if it’s connected to the internet, you essentially have an impact on other devices within the home,” said Ghuman.
Despite the grim potential of cyberattacks, Ghuman said that the situation is by no means a lost cause, and that remedies would not require significant labor or overhaul – at least, not yet.
“There is already work underway, and these vulnerabilities only serve to highlight that there is a strong need for for security,” said Ghuman. “I think the device manufacturers are working very hard to make sure that the products are secure. But as you know, cybersecurity or security in general is so complex. Sometimes you don’t know from where a vulnerability or a threat factor is going to come from.”
He outlined that most of the known concerns could be patched with firmware. Ghuman said the charger installer must then ensure that the firmware is secure, has been tested before deployment, and is updated or patched post-deployment, in case any additional vulnerabilities are discovered.
This was a conclusion that Pen Test Partners also reached. After its study, the company said it contacted the manufacturers with its findings, and a number of them resolved the issues within 24 hours.
“I think that more and more companies are realizing the key to a competitive advantage is product security,” said Ghuman. “So the more secure your product is, the more competitive advantage you have, because nobody wants to do recalls. And so and nobody wants a reputational loss.”
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: firstname.lastname@example.org.
By submitting this form you agree to pv magazine using your data for the purposes of publishing your comment.
Your personal data will only be disclosed or otherwise transmitted to third parties for the purposes of spam filtering or if this is necessary for technical maintenance of the website. Any other transfer to third parties will not take place unless this is justified on the basis of applicable data protection regulations or if pv magazine is legally obliged to do so.
You may revoke this consent at any time with effect for the future, in which case your personal data will be deleted immediately. Otherwise, your data will be deleted if pv magazine has processed your request or the purpose of data storage is fulfilled.
Further information on data privacy can be found in our Data Protection Policy.