Is there anything more annoying than infrastructure that turns on you?
For years we've been warned about the specter of hacker-induced nuclear power plant meltdowns, breached electric-grid control systems or Samsung TVs that let hackers watch you. We've even heard we could lose our data to juicejacking, when all we want is an emergency phone charge.
And the lack of security in SCADA systems? It's more like SCAD-DON'T.
The latest entrant into the scary-infrastructure category comes from a technology that feels like it should be a lot warmer and fuzzier: namely, electric car-charging stations.
In a video recorded at Hack In The Box 2013 Amsterdam and posted courtesy of Help Net Security, Ofer Shezaf, founder of OWASP Israel, talks about the lack of security in these charging stations, which often amount to little more than a computer sitting behind a key-lock panel on the street.
A computer that takes customers' financial and personal information, that is.
For three years, Shezaf, an application security expert, worked for a company that makes infrastructure for the car-charging stations.
The equipment in a charging station typically includes these components, he says:
- Main board;
- Communication equipment to connect with a central server and, often, with the internet;
- An RFID card reader that lets users identify themselves and begin charging their cars; and
- Electric components, such as a circuit breaker to protect from electrocution and a meter to measure the amount of electricity consumed.
Why do you need such a computer sitting on the street? Somebody has to pay for the electricity, Shezaf says, and controls are needed. You can't have everybody getting electricity at the same time, or the system will fry.
But once you put a computer on the street, information security comes into play, as does the potential for hacking.
Here are the ways Shezaf says attackers might hack into an electric car-charging station:
- Via physical access to the street equipment. The computers, typically Linux-based, are often protected with a panel opened with a simple key. Once an attacker opens the panel, he has access to the components, allowing analysis and reverse-engineering of hardware, CPU, and firmware. Also, attackers can connect via processor ports to enable real-time analysis while customers are charging their cars.
- Via communications. In many cases, Shezaf says, there's a large number of charging stations in a single parking lot, linked via serial connection, which he calls "very slow and very, very ancient, with very little security." This can enable hackers to tap in to intercept information about the identities of the customers who are charging their cars, plus their payment information. Another potential is for attackers to conduct a man-in-the-middle attack.
- Via RFID card. There's high pressure on manufacturers to buy the cheapest cards available. Such cheap RFID cards are known to include either no encryption or insufficient encryption protocols.
- Back doors that allow technicians to connect to charging stations and get immediate access. Maintainability is a key element of these large physical networks. It has to be cheap and easy for technicians to fix issues, Shezaf says. He found one example in an equipment manual online that describes how access to the charging station is gained through a physical key. Beyond that, there's no security whatsoever - not even a password requirement.
What can hackers do once they're in? Shezaf gave this list:
- Identity theft. Attackers can intercept information while people charge.
- Financial theft. Charging for free or charging on someone else's account.
- DoS. A hacker can, for example, take out an entire parking lot, making cars inoperable. Hackers could also potentially shut down an entire network, shutting down electric car traffic in an entire city or region.
How likely are these types of physical attacks? Not very, Shezaf says, given a few things.
First, they sound simple, but they're not:
"You need a subject matter expert. That limits the number of people who can do it."
For one thing, encryption is a key challenge of securing charging infrastructure. But encryption is "a tough subject," he says. There just aren't that many people who know how to break it.
We don't see charging stations getting hacked or, for that matter, planes falling out of the sky, but we do see virtual hacking galore.
The reason, Shezaf proposes, is that physical damage frightens us, from an evolutionary standpoint.
If you're out to make some easy money, hacking a bank online is physically safe. The same can't be said for physical attacks against, for example, smart cars or car-charging stations:
"While naturally criminals and nation states will use those techniques, a lot less people who are doing it for money will try to hack charging stations."
Hopefully, that all adds up to this particular hacking scenario being relevant, for the most part, to Hollywood scriptwriters.