Domestic EV Chargers at Risk from Hackers, UK White Hats Claim

White-Hat hackers in the UK claim they can disable government-approved domestic EV chargers and even hack into home devices when the chargers are wifi enabled.

The possibility of such attacks was highlighted in the TU-Automotive interview with Moshe Shlisel, CEO of cyber-security specialist GuardKnox, who pointed out that any access to an electrical grid had the potential to be infiltrated by bad actors.

Technology television show, BBC Click, has aired the findings of a report by Pen Test Partners that suggests two home chargers, Wallbox and Project EV were found to be lacking adequate security when used with an accompanying app for smartphones. The organizations cyber-security researcher, Vangelis Stykas, discovered the vulnerabilities and told the BBC: “On Wallbox you could take full control of the charger, you could gain full access and remove the usual owner’s access on the charger. You could stop them from charging their own vehicles and provide free charging to an attacker’s vehicle.

“Project EV had a really bad implementation on their back end. Their authentication where it existed was pretty primitive, so an attacker could easily escalate themselves to being an administrator and change the firmware of all the chargers.”

Stykas added that changing the firmware, the programming that is built in to the hardware, would allow an attacker to permanently disable the charger or use it to attack other chargers or servers. Researchers also found it would be possible in cases where the chargers were connected by wi-fi to the home network, for hackers to also gain access.

Pen Test Partner’s Ken Munro said: “Once you’re on to someone’s home network, if you haven’t changed that router admin password, you can send all the traffic to the hacker.

In its report into the security failures, Pen Test Partners adds that multiple chargers could be controlled at the same time using some of the vulnerabilities it found, which could potentially be used by an attacker to overload the electricity grid in some areas and cause blackouts.”

When contacted, both companies said that customers can now update their software to plug the potential leaks in security. However, Munro claims the Wallbox charger still uses insecure hardware in the shape of an outdated a Raspberry Pi module. He explained: “There’s really nothing you can do to make it completely secure, so unless Wallbox have found a way of fixing that, which would be beyond me, I’d suggest perhaps super-gluing the box cover in, so hackers can’t take the top off.”

When responding to a BBC approach, Wallbox issued a statement saying: “The systems accessed by these chargers have been updated to address the software problems highlighted in this article and no further action is required by the end user.” It added their boxes use “a Raspberry Pi Compute Model 3 for our consumer chargers”, which it added “is the foundation of many consumer electronic devices”. Meanwhile, the BBC reports that the Raspberry Pi Foundation recommends that the module is not used for new designs and is currently not listed for industrial use. It later clarified that the Compute Module 3 (CM3) could continue to be used and would receive technical support but adding that the newer CM4 hardware, in production since 2019, offers better security features and would be supported for a longer time frame.

— Paul Myles is a seasoned automotive journalist based in Europe. Follow him on Twitter @Paulmyles_

Leave a comment

Your email address will not be published. Required fields are marked *