Smart chargers have become a useful resource for electric vehicle (EV) owners, allowing them to remotely monitor and manage the charge state, speed, and timing of their car charger, among other functions. Smart chargers can also be integrated into a home’s solar and storage system to provide even greater control and flexibility over one’s own energy use.
As with any emerging technology, there are hiccups and issues in the early stages of rollout. However, with smart EV chargers, these shortcomings are more concerning than, say, a malfunctioning new video game console.
Pen Test Partners, a security consulting and testing company, recently spent 18 months investigating the security of some of the market’s leading smart charger offerings, and found troubling results. Of the six smart chargers they tested, nearly all of them included some level of security risk, from accessible user data, to the possibility of hijacking “millions” of smart chargers.
To better understand how these risks emerged, the scope of the issue at hand, and potential remedies to the risks, pv magazine spoke with Baksheesh Singh Ghuman, senior director of product and GTM strategy at Finite State, a cybersecurity company focused on Internet of Things (IoT) connected devices.
IoT refers to the network of physical objects, like smart chargers, smart thermostats and smartphones, that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet.
“It’s a connected device, so its functions are all software defined. The software controls a majority of the functions,” explained Ghuman. “[They can define] who the users are, who can charge and cannot charge, when they can charge, or how much they can charge.”
Ghuman went on to explain that because the devices are connected, they also allow remote access. Functionally, this lets owners access the charger’s app from a distance, so they can check their vehicle’s state of charge, for example. It also means the devices are connected to a user’s home network, so anyone who gains access to a smart charger can indirectly gain access to the user’s home network.
The user is then compromised and potentially open to cyber attacks, as well as ransomware attacks, which shut down a device until a ransom is paid.
According to Ghuman, the associated vulnerabilities come down to three critical categories.
Hard-coded credentials, which provide privileged access and the ability to provide reserve privileged access.
Remote code execution, which allows for the remote injection of malicious code, opening users up to Distributed Denial of Service (DDoS) attacks.
SQL injection vulnerabilities, which allow interface access, giving control over the interface of the charger itself. With this, an individual could control who can use it and how much they can use.
The specific consequences of these vulnerabilities differ between public-use EV chargers and private chargers in a user’s home. For public chargers, the main concern is theft of electricity.
“If somebody’s got access to it, then they can use the same account to charge multiple devices or vehicles,” said Ghuman.
Individuals could also remotely turn on and off as many chargers as they have access to, whenever they want, for however long they want, which could have an indirect impact on the power grid.
“It’s like a cyber attack, so to speak. There’s a whole range of things you can do you can ever have more access to that. You can actually control the device itself.”
For homes, the risk centers more on network control and user data extraction. Individuals could also send bad information to the billing system, charging users for more electricity than they consume, as well as gain access to any and all user data stored within the device and its associated software and apps.
“If you’ve got access to a device, you can actually control the device and, from that device, then, if it’s connected to the internet, you essentially have an impact on other devices within the home,” said Ghuman.
Despite the grim potential of cyber attacks, Ghuman said that the situation is by no means a lost cause, and that remedies would not require significant labor or overhaul, at least not yet.
“There is already work underway, and these vulnerabilities only serve to highlight that there is a strong need for security,” said Ghuman.
He outlined that most of the known concerns could be patched with firmware. Ghuman said the charger installer must then ensure the firmware is secure, has been tested before deployment, and is updated or patched post-deployment, in case any further vulnerabilities are discovered.
“I think the device manufacturers are working very hard to make sure that the products are secure,” he said. “But as you know, cyber security or security in general is so complex. Sometimes you don’t know where a vulnerability or a threat factor is going to come from.”
This was a conclusion that Pen Test Partners also came to. After its study, the company said it flagged its findings to the manufacturers, and a number of them resolved the issue within 24 hours.
“I think that more and more companies are realizing the key to a competitive advantage is product security,” explained Ghuman. “So the more secure your product is, the more competitive advantage you have, because nobody wants to do recalls. And nobody wants a reputational loss.”