So much focus is given to securing modern electric vehicles (EVs) that their accessories are sometimes overlooked. Cybersecurity firm Kaspersky Lab (Kaspersky) found some vulnerabilities in an EV charger supplied by a major vendor.
Testing showed that, if the charger were exploited in a cyberattack, it could affect the home electricity network.
While EVs are hailed as environment-friendly because they do not consume harmful gas or fuel, charging stations are very rare in locations where there are few cars of this type. In bigger cities or countries, governments have provided charging stations for citizens who use EVs.
The researchers found that, if compromised, the connected charger could cause a power overload that would take down the network it was connected to, causing financial impact and, in the worst-case scenario, damage to other devices connected to the network.
Least obvious elements
“People often forget that in a targeted attack, cybercriminals always look for the least obvious elements to compromise in order to remain unnoticed,” said Dmitry Sklyar, a security researcher at Kaspersky Lab. “This is why it is very important to look for vulnerabilities, not just in unresearched technical innovations, but also in their accessories — they are usually a coveted prize for threat actors. As we have shown, vendors should be extra careful with connected vehicle devices, and initiate bug-bounties or ask cybersecurity experts to check their devices. In this case, we were fortunate to have a positive response and a rapid patch of the devices, which helped to prevent potential attacks.”
The researchers found a way to initiate commands on the charger and to either stop the charging process or set it to the maximum current possible. While the first option would only prevent a person from using the car, the second one could cause the wires to overheat on a device that is not protected by a trip fuse.
By obtaining Wi-Fi access to the network the charger is connected to, an attacker can change the amount of electricity the EV will consume. Kaspersky said that because “the devices are made for domestic use, security for the wireless network is likely to be limited.”
It would be easy-peasy for attackers to gain access with methods such as “brute-forcing all possible password options, which is quite common: according to Kaspersky Lab statistics, 94 percent of attacks on IoT (Internet of Things) in 2018 came from Telnet and SSH password brute-forcing.”
Once attackers have “infiltrated” the wireless network and found the charger’s IP address, they are free to exploit vulnerabilities and disrupt operations.
Kaspersky Lab recommends taking the following security measures:
Regularly update all your smart devices to the latest software versions. Updates may contain patches for critical vulnerabilities, which, if left unpatched, may give cybercriminals access to your house and private life.
Don’t use the default passwords for Wi-Fi routers and other devices. Change them to strong ones, and don’t use the same password for several devices.
We recommend isolating the smart home network from the network used by your or your family’s personal devices for basic Internet searching. This is to ensure that if a device is compromised with generic malware through a phishing email, your smart home system won’t be affected.