How to hack an electric car-charging station

Filed Under: Featured, Security threats, Vulnerability

Caution tape, image courtesy of ShutterstockIs there anything more annoying than infrastructure that turns on you?

For years we've been warned about the specter of hacker-induced nuclear power plant meltdowns, breached electric-grid control systems or Samsung TVs that let hackers watch you. We've even heard we could lose our data to juicejacking, when all we want is an emergency phone charge.

And the lack of security in SCADA systems? It's more like SCAD-DON'T.

The latest entrant into the scary-infrastructure category comes from a technology that feels like it should be a lot warmer and fuzzier: namely, electric car-charging stations.

In a video recorded at Hack In The Box 2013 Amsterdam and posted courtesy of Help Net Security, Ofer Shezaf, founder of OWASP Israel, talks about the lack of security in these charging stations, which often amount to little more than a computer sitting behind a key-lock panel on the street.

A computer that takes customers financial and personal information, that is.

For three years, Shezaf, an application security expert, worked for a company that makes infrastructure for the car-charging stations.

The equipment in a charging station typically includes these components, he says:

  • Main board;
  • Communication equipment to connect with a central server and, often, with the internet;
  • An RFID card reader that lets users identity themselves and begin charging their cars; and
  • Electric components, such as a circuit breaker to protect from electrocution and a meter to measure the amount of electricity consumed.

Why do you need such a computer sitting on the street? Somebody has to pay for the electricity, Shezaf says, and controls are needed. You can't have everybody getting electricity at the same time, or the system will fry.

But once you put a computer on the street, information security comes into play, as does the potential for hacking.

Here are the ways Shezaf says attackers might hack into an electric car-charging station:

  1. Via physical access on the street equipment. The computers, typically Linux-based, are often protected with a panel opened with a simple key. Once an attacker opens the panel, he has access to the components, allowing analysis and reverse-engineering of hardware, CPU, and firmware. Also, attackers can connect via processor ports to enable real-time analysis while customers are charging their cars.
  2. Electric car, image courtesy of Shutterstock

  3. Via communications. In many cases, Shezaf says, there's a large number of charging stations in a single parking lot, linked via serial connection, which he calls "very slow and very, very ancient, with very little security." This can enable hackers to tap in to intercept information about the identities of the customers who are charging their cars, plus their payment information. Another potential is for attackers to conduct a man-in-the-middle attack.
  4. Via RFID card. There's high pressure on manufacturers to buy the cheapest ones available. Such cheap RFID cards are known to include either no encryption or insufficient encryption protocols.
  5. Back doors that allow technicians to connect to charging stations and get immediate access. Maintainability is a key element of these large physical networks. It has to be cheap and easy for technicians to fix issues, Shezaf says. He found one example in an equipment manual online that describes how access to the charging station is gained through a physical key. Beyond that, there's no security whatsoever - not even a password requirement.

What can hackers do once they're in? Shezaf gave this list:

Charging station, image courtesy of Shutterstock

  • Identity theft. Attackers can intercept information while people charge.
  • Financial theft. Charging for free or charging on someone else's account.
  • DoS. A hacker can, for example, take out an entire parking lot, making cars inoperable. Hackers could also potentially shut down an entire network, shutting down electric car traffic in an entire city or region.

How likely are these types of physical attacks? Not very, Shezaf says, given a few things.

First, they sound simple, but they're not:

"You need a subject matter expert. That limits the number of people who can do it."

For one thing, encryption is a key challenge of securing charging infrastructure. But encryption is "a tough subject," he says. There just aren't that many people who know how to break it.

We don't see charging stations getting hacked or, for that matter, planes falling out of the sky, but we do see virtual hacking galore.

The reason, Shezaf proposes, is that physical damage frightens us, from an evolutionary standpoint.

If you're out to make some easy money, hacking a bank online is physically safe. The same can't be said for physical attacks against, for example, smart cars or car-charging stations:

"While naturally criminals and nation states will use those techniques, a lot less people who are doing it for money will try to hack charging stations."

Hopefully, that all adds up to this particular hacking scenario being relevant, for the most part, to Hollywood scriptwriters.

Images of electric car, charging station and caution tape courtesy of Shutterstock.

, , ,

You might like

7 Responses to How to hack an electric car-charging station

  1. Larry · 870 days ago

    Seems to me those last statements fail to take into account the significant number of attacks against ATMs.

  2. MikeP_UK · 870 days ago

    This one is easy, don't have an electric car! If you feel you have to have one, charge the batteries from your home supply in your own garage so no one else can access the charger or lead. Or do it in the garage of the person you are visiting but not on the street.

    Anyway, electric cars are not as 'green' as made out - where does the electricity come from to charge it? And the current fuel consumption equivalence data I've seen suggests that few get better than a large family car on petrol. Plus they have very limited range - 60 miles if good for them but don't have the lights or heater switched on!

  3. roy jones jr · 869 days ago

    In the US, the electric cars are becoming more common. And the post from Mike is misleading; An electric car doesn't pollute the air. That Honda FCX Clarity is also a good solution, but unfortunately its not mass market yet. And the idea behind the electric car wasn't about unlimited range only.

  4. Eric · 845 days ago

    @ Mike

    Your suggestion to charge at home is a good one. Particularly if security is a concern - as it always should be. The concern for a charger or lead being stolen is minor as the unit locks onto the car. Any attempt at removal would render the unit useless.

    As the owner of an electric car who charges from my own solar array, I am aware of the pollution generated by the manufacture and use of my car in an absolute sense. However, when compared to all of the aspects of owning and operating a gas powered car including the mess and cost involved in providing fuel for it, the electric car uses way less resources.

    Did I mention how much fun it is to drive for the entire 100+ miles per charge. 100% torque right off the line. Have a friend give you a ride in one sometime. You get hooked.

    In the meantime, could someone please give me directions to a...what do you call them...oh yeah...Gas Station? My windshield needs a good cleaning.

  5. I was able to read the whole content, all I can say is this is great! Great post with great ideas with great ideas with a great concept and with such a great writer. A written perfectly and was very much easy to understand.

  6. it is really vulnearable, and here we have the smart phone companies trying to put all cars into one grid so they could "communicate" to each other, sounds like a massive loophole for hackers to use

  7. I do not think it will be possible. the electric car companies have established charging stations after a lot of discussions regarding the security of the charging stations of electric cars. So I do not think so that it will possible to hack an electric car charging station. Here i want to share some of my experience regarding cars maintenance. After having a car we have to maintain a car like we have to service it after particular kilometers of run and also we have to repair our cars from good repair centers whenever required to get better performance from it and for our cars smoother running. .

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.