Sophos Cloud Optix
Is there anything more annoying than infrastructure that turns on you?
For years we’ve been warned about the specter of hacker-induced nuclear power plant meltdowns, breached electric-grid control systems or Samsung TVs that let hackers watch you. We’ve even heard we could lose our data to juicejacking, when all we want is an emergency phone charge.
And the lack of security in SCADA systems? It’s more like SCAD-DON’T.
The latest entrant into the scary-infrastructure category comes from a technology that feels like it should be a lot warmer and fuzzier: namely, electric car-charging stations.
In a video recorded at Hack In The Box 2013 Amsterdam and posted courtesy of Help Net Security, Ofer Shezaf, founder of OWASP Israel, talks about the lack of security in these charging stations, which often amount to little more than a computer sitting behind a key-lock panel on the street.
A computer that takes customers financial and personal information, that is.
For three years, Shezaf, an application security expert, worked for a company that makes infrastructure for the car-charging stations.
The equipment in a charging station typically includes these components, he says:
- Main board;
- Communication equipment to connect with a central server and, often, with the internet;
- An RFID card reader that lets users identity themselves and begin charging their cars; and
- Electric components, such as a circuit breaker to protect from electrocution and a meter to measure the amount of electricity consumed.
Why do you need such a computer sitting on the street? Somebody has to pay for the electricity, Shezaf says, and controls are needed. You can’t have everybody getting electricity at the same time, or the system will fry.
But once you put a computer on the street, information security comes into play, as does the potential for hacking.
Here are the ways Shezaf says attackers might hack into an electric car-charging station:
- Via physical access on the street equipment. The computers, typically Linux-based, are often protected with a panel opened with a simple key. Once an attacker opens the panel, he has access to the components, allowing analysis and reverse-engineering of hardware, CPU, and firmware. Also, attackers can connect via processor ports to enable real-time analysis while customers are charging their cars.
- Via communications. In many cases, Shezaf says, there’s a large number of charging stations in a single parking lot, linked via serial connection, which he calls “very slow and very, very ancient, with very little security.” This can enable hackers to tap in to intercept information about the identities of the customers who are charging their cars, plus their payment information. Another potential is for attackers to conduct a man-in-the-middle attack.
- Via RFID card. There’s high pressure on manufacturers to buy the cheapest ones available. Such cheap RFID cards are known to include either no encryption or insufficient encryption protocols.
- Back doors that allow technicians to connect to charging stations and get immediate access. Maintainability is a key element of these large physical networks. It has to be cheap and easy for technicians to fix issues, Shezaf says. He found one example in an equipment manual online that describes how access to the charging station is gained through a physical key. Beyond that, there’s no security whatsoever – not even a password requirement.
What can hackers do once they’re in? Shezaf gave this list:
- Identity theft. Attackers can intercept information while people charge.
- Financial theft. Charging for free or charging on someone else’s account.
- DoS. A hacker can, for example, take out an entire parking lot, making cars inoperable. Hackers could also potentially shut down an entire network, shutting down electric car traffic in an entire city or region.
How likely are these types of physical attacks? Not very, Shezaf says, given a few things.
First, they sound simple, but they’re not:
"You need a subject matter expert. That limits the number of people who can do it."
For one thing, encryption is a key challenge of securing charging infrastructure. But encryption is “a tough subject,” he says. There just aren’t that many people who know how to break it.
We don’t see charging stations getting hacked or, for that matter, planes falling out of the sky, but we do see virtual hacking galore.
The reason, Shezaf proposes, is that physical damage frightens us, from an evolutionary standpoint.
If you’re out to make some easy money, hacking a bank online is physically safe. The same can’t be said for physical attacks against, for example, smart cars or car-charging stations:
"While naturally criminals and nation states will use those techniques, a lot less people who are doing it for money will try to hack charging stations."
Hopefully, that all adds up to this particular hacking scenario being relevant, for the most part, to Hollywood scriptwriters.
Images of electric car, charging station and caution tape courtesy of Shutterstock.
Seems to me those last statements fail to take into account the significant number of attacks against ATMs.
This one is easy, don't have an electric car! If you feel you have to have one, charge the batteries from your home supply in your own garage so no one else can access the charger or lead. Or do it in the garage of the person you are visiting but not on the street.
Anyway, electric cars are not as 'green' as made out – where does the electricity come from to charge it? And the current fuel consumption equivalence data I've seen suggests that few get better than a large family car on petrol. Plus they have very limited range – 60 miles if good for them but don't have the lights or heater switched on!
In the US, the electric cars are becoming more common. And the post from Mike is misleading; An electric car doesn't pollute the air. That Honda FCX Clarity is also a good solution, but unfortunately its not mass market yet. And the idea behind the electric car wasn't about unlimited range only.
@ Mike
Your suggestion to charge at home is a good one. Particularly if security is a concern – as it always should be. The concern for a charger or lead being stolen is minor as the unit locks onto the car. Any attempt at removal would render the unit useless.
As the owner of an electric car who charges from my own solar array, I am aware of the pollution generated by the manufacture and use of my car in an absolute sense. However, when compared to all of the aspects of owning and operating a gas powered car including the mess and cost involved in providing fuel for it, the electric car uses way less resources.
Did I mention how much fun it is to drive for the entire 100+ miles per charge. 100% torque right off the line. Have a friend give you a ride in one sometime. You get hooked.
In the meantime, could someone please give me directions to a…what do you call them…oh yeah…Gas Station? My windshield needs a good cleaning.
I was able to read the whole content, all I can say is this is great! Great post with great ideas with great ideas with a great concept and with such a great writer. A written perfectly and was very much easy to understand.
it is really vulnearable, and here we have the smart phone companies trying to put all cars into one grid so they could "communicate" to each other, sounds like a massive loophole for hackers to use
I do not think it will be possible. the electric car companies have established charging stations after a lot of discussions regarding the security of the charging stations of electric cars. So I do not think so that it will possible to hack an electric car charging station. Here i want to share some of my experience regarding cars maintenance. After having a car we have to maintain a car like we have to service it after particular kilometers of run and also we have to repair our cars from good repair centers whenever required to get better performance from it and for our cars smoother running. .
Just last week my wife tried to initiate a charge at a shopping center here in Honolulu. The transaction didn’t work, but she was charged $35; her card company called her and said her card was charged that same day in Portland, Oregon. SO: While this article builds up a sense of insecurity and threat, it finishes with a “this will be good for Hollywood”. What a terrible piece of writing. All of that research and citation for a lousy conclusion? I can testify that, 3 years later, these things are really happening. As of now, I am NEVER plugging into a pay-charge station until I know how to safely do it.
And have this author study writing.