Hackers could start abusing electric car chargers to cripple the grid, researcher says

If we don't start securing systems today, it will become a problem in 10 years, the researcher said

Hackers could use vulnerable charging stations to prevent the charging of electric vehicles in a certain area, or possibly even use the vulnerabilities to cripple parts of the electricity grid, a security researcher said during the Hack in the Box conference in Amsterdam on Thursday.

While electric cars and EV charging systems are still in their infancy, they could become a more common way to travel within the next 10 years. If that happens, it is important that the charging systems popping up in cities around the world are secure in order to prevent attackers from accessing and tempering with them, said Ofer Shezaf, product manager security solutions at HP ArcSight. At the moment, they are not secure at all, he said.

"Essentially a charging station is a computer on the street," Shezaf said. "And it is not just a computer on the street but it is also a network on the street."

Users want their cars to charge as quickly as possible but not all electric cars can be charged at once because the providers of charging stations have to take the local and regional circuit capacity in mind, said Shezaf. "Therefore we need smart charging," he said.

But installing smart charging systems means that the charging stations on the street need to be connected, so the amount of energy is distributed in such a way that electricity grids are not overloaded, he said. But when charging stations are connected, multiple charging stations can be abused if an hacker can access them, Shezaf said.

The easiest way is to physically access the charging stations. "There are systems on the street and it is very easy to access the computer," Shezaf said. "When you get to the equipment, reverse engineering it is actually a lot easier than you think."

Hackers could take apart the systems to determine components and analyze and debug the firmware, he said. By doing this they can potentially spot convenient eavesdropping points and get encryption keys, Shezaf said, who added that he based his research on public sources, and in most cases on documentation from vendors' websites.

Charging stations can be configured by opening them, placing a manual electric DIP switch to configuration mode, connecting an Ethernet cross cable and firing up a browser to get access to the configuration environment, he said. In at least one type of charging station this kind of access doesn't require any authentication, Shezaf found. "You go and open the box with a key and that is the last security measure you meet," he said.

Some charging stations are also connected using RS-485 short-range communications networks used for inexpensive local networking, Shezaf said. Those connections have a very low bandwidth and high latency, are commonly used and have no inherent security, he added.

And while it all depends on the application, bandwidth and latency limits of the RS-485 networks makes eavesdropping and man-in-the-middle attacks simple, according to Shezaf, who described several other potential vulnerabilities during his presentation.

Using these methods, hackers could start influencing charge planning or influence and stop charges, he said. If no electric car can charge for a day when 30 percent of all cars in a country are electric, this could become problematic, he said. "If someone can prevent charging for everyone in a small area you have a major influence on life. In a larger area it might be a really really big problem," Shezaf said.

"If somebody finds a way to confuse the smart car charging system, the denial of service can not only hit charging cars, but also the electricity system," he said.

While risks may be small today, it is time to start securing charging systems, Shezaf said. There should be more standardization in the charging sector, preferably using open standards, he said. But basically "we just have to pay more attention and spend more money," he said, adding that at the moment too little of both is happening.

"We shouldn't be relaxing now. The issues will become real when electric cars become real. If we don't start today it won't be secure in 10 years," he said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags intrusionsecuritydata breachHITBAccess control and authenticationExploits / vulnerabilitiesdata protectionprivacyDetection / prevention

More about ArcSightHPIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place