Is Your EV Charging Station Safe? New Security Vulnerabilities Uncovered

Feb 03, 2023Ravie LakshmananAutomotive Security / Vulnerability

Two new security weaknesses discovered in several electric
vehicle (EV) charging systems could be exploited to remotely shut
down charging stations and even expose them to data and energy
theft.

The findings, which come from Israel-based SaiFlow, once again
demonstrate the potential risks ^[1]
facing the EV charging infrastructure.

The issues have been identified in version 1.6J of the Open
Charge Point Protocol (OCPP ^[2]) standard that uses
WebSockets for communication between EV charging stations and the
Charging Station Management System (CSMS) providers. The current
version of OCPP is 2.0.1.

“The OCPP standard doesn’t define how a CSMS should accept new
connections from a charge point when there is already an active
connection,” SaiFlow researchers Lionel Richard Saposnik and Doron
Porat said ^[3].

“The lack of a clear guideline for multiple active connections
can be exploited by attackers to disrupt and hijack the connection
between the charge point and the CSMS.”

This also means that a cyber attacker could spoof a connection
from a valid charger to its CSMS provider when it’s already
connected, effectively leading to either of the two scenarios:

A denial-of-service (DoS) condition that arises when the CSMS
provider closes the original the WebSocket connection when a new
connection is established

Information theft that stems from keeping the two connections
alive but returning responses to the “new” rogue connection,
permitting the adversary to access the driver’s personal data,
credit card details, and CSMS credentials.

The forging is made possible owing to the fact that CSMS
providers are configured to solely rely on the charging point
identity for authentication.

“Combining the mishandling of new connections with the weak OCPP
authentication and chargers identities policy could lead to a vast
Distributed DoS (DDoS) attack on the [Electric Vehicle Supply
Equipment] network,” the researchers said.

OCPP 2.0.1 remediates the weak authentication policy by
requiring charging point credentials, thereby closing out the
loophole. That said, mitigations for when there are more than one
connection from a single charging point should necessitate
validating the connections by sending a ping or a heartbeat
request, SaiFlow noted.

“If one of the connections is not responsive, the CSMS should
eliminate it,” the researchers explained. “If both connections are
responsive, the operator should be able to eliminate the malicious
connection directly or via a CSMS-integrated cybersecurity
module.”

Found this article interesting? Follow us on Twitter ^[4]
and LinkedIn ^[5]
to read more exclusive content we post.

References

^{^}
potential risks
(thehackernews.com)
^{^}
OCPP
(www.openchargealliance.org)
^{^}
said
(www.saiflow.com)
^{^}
Twitter
 (twitter.com)
^{^}
LinkedIn
(www.linkedin.com)