Researchers from SaiFlow have detailed vulnerabilities affecting electric vehicle (EV) charging stations that could be exploited to cause denial-of-service or trick them into charging vehicles without payment. The vulnerabilities lie in the Open Charge Point Protocol (OCPP) standard.
Note
- Electric Vehicle chargers are more than high power electric outlets. The cable connecting the car to the charger includes data lines to regulate charging and provide metering as well as payment information. It is more like a “very large USB-C” charger in how it combines data and power delivery. This provides an avenue to either attack the charger or the car. In addition, wireless networking may be used as well to interface with mobile devices for payment.
- In 2021 USD 7.5B was allocated over five years to build out EV charging stations and last September the Biden administration launched a grant program to build charging networks along 75,000 miles of interstate highways. That means the focus is going to be on deployment before the money runs out rather than cyber security. While many states are working to require cyber security components as part of approving grants for EV charging stations, this still leaves existing or legacy installations possibly exempted. If providers don’t resolve issues, expect a regulatory body, like NERC, to step in and require it. Regardless, if you’re in the EV charging business, you want to make sure that you’ve got cyber security covered, before your hand is forced.
- This announcement isn’t unexpected as the EV infrastructure continues to build out. Researchers in academia, private sector, and hacking circles will start fully testing the underlying protocols and vulnerabilities will be found. Unfortunately, speed to market often trumps adequate security testing of new technology. We’ve witnessed a similar parallel with vehicle automation. What’s important is that the industry move quickly to close this and other vulnerabilities, as they will be targeted by cybercriminals.
Read more in
