Security flaws found in home electric car chargers

By BizClik Admin
Security researchers have discovered failings in two home electric car chargers and are urging owners to update their apps and chargers to be safe.

Security researchers have discovered failings in two home electric car chargers. According to a report by the BBC, the researchers were able to make the chargers switch on or off, remove the owner's access, and show how a hacker could get into a user's home network.

Most of the faults have now been fixed, but owners are being told to update their apps and chargers to be safe.

It comes as proposed new legislation on cybersecurity for appliances, including chargers, is published.

Two home chargers, Wallbox and Project EV - both approved for sale in the UK by the Department for Transport - were found to be lacking adequate security when used with an accompanying app for smartphones.

Cybersecurity researcher at Pen Test Partners, Vangelis Stykas, discovered the vulnerabilities. "On Wallbox you could take full control of the charger, you could gain full access and remove the usual owner's access on the charger. You could stop them from charging their own vehicles, and provide free charging to an attacker's vehicle," he said.

"Project EV had a really bad implementation on their back end. Their authentication where it existed was pretty primitive, so an attacker could easily escalate themselves to being an administrator and change the firmware of all the chargers," he added.

Mr Stykas says changing the firmware - the programming that is built in to the hardware - would allow an attacker to permanently disable the charger, or use it to attack other chargers or servers.

Pen Test Partners is one of a fast-growing number of companies in the UK that specialise in penetration testing, something commonly referred to as 'white-hat hacking.'

'White hats' aim to find security problems and report them to the companies concerned, so vulnerabilities can be corrected before hackers can take advantage of the failing.

Mr Stykas believes anyone with a little knowledge of these cloud-based web application systems could have performed the same hack.

"It's pretty obvious for anyone who can understand cloud systems and cloud communication, and it didn't take that much to spot the vulnerability and find a way to exploit it," he said.

Researchers also found that, where the chargers were connected to the home network by Wi-Fi, hackers could also gain access to it.

Pen Test Partners' Ken Munro says: "Once you're on to someone's home network, if you haven't changed that router admin password, you can send all the traffic to the hacker.

"That means they can do things like set up sites that look like the real deal but steal your passwords and then your real bank account for example has been compromised. There's all sorts of things you can do ... so everything you do online is potentially exposed."

In its report into the security failures, Pen Test Partners adds that multiple chargers could be controlled at the same time using some of the vulnerabilities it found, which could potentially be used by an attacker to overload the electricity grid in some areas and cause blackouts.

Ensuring cybersecurity is part of the government's conditions for chargers to be sold in the UK, which allows buyers to receive government subsidies when making a purchase.
