Charging stations can easily be hijacked via Bluetooth connection
Three Dutch ethical hackers from Computest Security, Daan Keuper, Thijs Alkemade, and Khaled Nassar, have identified vulnerabilities in three charging stations of American origin. The hackers' findings were presented during the prestigious hacking competition Pwn2Own Automotive, a part of the Automotive World conference in Tokyo. They demonstrated that the stations can be relatively easily taken over via Bluetooth without the need of data from users. With the discovery of these vulnerabilities, the hacker team secured a prize of 67.500 USD.
"The relative ease with which we gained access to the charging stations shows that security was not a factor in the design of these stations," stated Daan Keuper, Head of Security Research at Computest Security. "These are obvious vulnerabilities that a manufacturer could have discovered through a security test. The fact that this was overlooked indicates that connected devices like charging stations lag behind in terms of security, and there is much room for improvement."
The hacking competition, held during the Automotive World conference in Tokyo, primarily focuses on products and platforms related to electric cars. In addition to charging stations, infotainment systems and operating systems are also part of the competition. As the electric vehicle fleet grows rapidly and cars become more connected, the opportunities to hack components increase. Mobile apps, Bluetooth connections, and the Open Charge Point Protocol can potentially be exploited by malicious actors to damage vehicles. Furthermore, access to the charging station may be a way to also enter other IoT applications used in and around homes.
Charging stations with vulnerabilities
Before the competition, the Computest Security team investigated four home-use charging stations in their own security lab, Sector 7. These stations can be used on 110-volt networks. Vulnerabilities were found in three of the charging stations: ChargePoint Home Flex, Autel MaxiCharger, and Juicebox 40. The first brand has sold over 200 million charging stations. Each of the charging stations was accessible through the same type of vulnerability, allowing hackers to take control of the system and, for example, turn it on or off.
The charging station with no identified vulnerability used the Amazon IoT cloud platform for connectivity with the accompanying app, ensuring security through Amazon's facilitated basic IoT equipment functions. The other charging stations used self-designed systems where security was clearly not a standard consideration.
The automotive industry lacks focus on security
The Computest Security team had previously hacked the infotainment system used in various models of the Volkswagen Auto Group, discovering that remote access to one of the car's systems was possible. According to Keuper, the charging station hack is not an isolated incident but illustrates the limited attention given to security within the automotive industry.
The research team of Computest Security: left to right Daan Keuper, Khaled Nassar and Thijs Alkemade.
"In the Netherlands, we periodically hear about the insecurity of charging infrastructure, and cloning charging cards has been a known problem for years that still hasn't been solved. We do see more attention to security through collaborations like the NAL (National Agenda Charging Infrastructure), and eLaad has even established guidelines for the security of charging stations. However, if these are not adopted, they are of little use."
Enforcing compliance with NIS2 and Cyber Resilience Act
Keuper advocates for standardization of systems and the enforcement of compliance with security guidelines such as the European Cyber Resilience Act and NIS2. The latter explicitly states that suppliers of public charging stations must adhere to this regulation. "We must ensure that security does not become only a compliance issue, as organizations may be less open about it, and there is less learning from each other. Ensuring security should be a matter of intrinsic motivation."