Kaspersky warning over electric car charging

Electric car chargers pose massive security challenges.

Electric cars may be growing in popularity, but cyber security giant Kaspersky has warned drivers to be wary of chargers.

According to Kaspersky, car manufacturers may be investing heavily in electric vehicles, expecting a market shift from petrol and diesel some time in the next 10 or 20 years. However, they're failing to respond to security fears, especially as all cars become increasingly connected.


"During the past five years, electric cars have made an incredible journey, from seeming a bit futuristic and impractical to being something that you want to own," said security researcher Yaroslava Ryabova.

"But, as usually happens with a rapidly developing economic opportunity, manufacturers are jumping into the competition, trying to get as big a piece of the market as they can, and not thinking too hard about what happens next."

Ryabova said that the "basic concept" of electric chargers fails to protect the driver's personal data and money. She said hackers can easily get into these systems.

"Existing implementations of the basic concept - paying and charging - aren't very concerned about the sanctity of your personal data and money," she warned.


This isn't the first time that the company has raised concerns about electric car-charging IT security. Mathias Dalheimer recently spoke about these challenges at the 34th Chaos Communication Congress.

Electric car-charging stations use a range of sophisticated technologies, including near-field communication (NFC) cards - making them a target for the same kind of cyber criminals that target ATMs.

"As the number of electric cars grows, so does the number of charging stations, where station providers receive money in exchange for providing energy," explained Ryabova.

"For those transactions, they need a built-in billing system. Before you can start charging your car, you need to identify yourself using your charging ID token, a special NFC card that is associated with your account."

Citing Dalheimer's talk, Ryabova added that charging infrastructure typically consists of systems manufactured by third-party companies. And, often, they fail to secure user data.


"Dalheimer probed different components of the system and found that all of them had some problems with security. The first is the ID tokens. They are made by third-party providers and - surprise! - most of them do not secure your data," she said.

"They are very simple NFC cards that do not encrypt your ID or anything else they contain. The cards' problems continue. First, they're pretty easy to program, which Mathias demonstrated by copying his own card and successfully charging with the copy."

Another worrying trend is that many stations still rely on outdated versions of the OCPP protocol, which is "already relatively old and is based on HTTP". The security researcher added: "Mathias demonstrated how easy it is to set up a man-in-the-middle attack by relaying the transaction."

USB ports aren't safe, either, Ryabova said: "Plug in an empty flash drive - and logs and configuration data will be copied to the drive.

"From this data, it's easy to get the login and the password for the OCPP server and, for good measure, the token numbers of previous users - which, remember, is all you need to imitate them."

He concluded: "To sum up, criminals can: collect ID card numbers, imitate them and use them for transactions (for which the real account holders will have to pay); rewire charging requests, basically disabling the charging point; gain root access to the station and then do whatever they like. All because providers chose not to care about security."
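As an added illustration, not code from Kaspersky, Dalheimer or any charging vendor, the snippet below shows why a static card ID that can be read from the card itself or from leaked station logs is all an impostor needs, and how a challenge-response check bound to the station removes that risk. The scheme, the token IDs, the per-token secrets and the station ID are all hypothetical, constructed for this example.

```python
"""Static card ID vs challenge-response token authorization.

Added illustration only: not code from Kaspersky, Dalheimer or any charging
vendor. The scheme and every ID, secret and station name are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed backend records: token ID -> per-token secret held only by the
# card and the backend (hypothetical scheme, sample values).
TOKEN_SECRETS = {
    "04A1B2C3D4E5F6": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "04DEADBEEF0001": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def authorize_static(token_id: str) -> bool:
    """Weak form: trusts whatever ID the card (or a copy of it) presents.

    Anyone who has seen the ID, on a cloned card or in a leaked log, passes.
    """
    return token_id in TOKEN_SECRETS


def card_respond(secret: bytes, challenge: bytes, station_id: str) -> bytes:
    """What a card holding `secret` computes; the secret never leaves the card.

    Binding the station ID into the MAC means a response collected at one
    station is not valid at another.
    """
    return hmac.new(secret, challenge + station_id.encode(), hashlib.sha256).digest()


def authorize_challenge(token_id: str, station_id: str,
                        challenge: bytes, response: bytes) -> bool:
    """Hardened form: the backend verifies an HMAC over a fresh challenge."""
    secret = TOKEN_SECRETS.get(token_id)
    if secret is None:
        return False
    expected = card_respond(secret, challenge, station_id)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, response)


def new_challenge() -> bytes:
    """16 random bytes; a fresh value per charging session defeats replay."""
    return secrets.token_bytes(16)


def simulate(station_id: str = "STATION-0001") -> dict:
    """Run a genuine card and a log-derived imitation through both schemes."""
    leaked_id = "04A1B2C3D4E5F6"          # learned from a copied card or a log
    real_secret = TOKEN_SECRETS[leaked_id]  # known only to the card and backend
    challenge = new_challenge()
    genuine = card_respond(real_secret, challenge, station_id)
    results = {
        # Knowing the ID alone is enough for the static check.
        "static_accepts_copy": authorize_static(leaked_id),
        # The real card still works under challenge-response.
        "challenge_accepts_genuine": authorize_challenge(
            leaked_id, station_id, challenge, genuine),
        # The ID without the secret cannot produce a valid response.
        "challenge_rejects_guess": authorize_challenge(
            leaked_id, station_id, challenge, bytes(32)),
        # A response captured for one challenge fails against a fresh one.
        "challenge_rejects_replay": authorize_challenge(
            leaked_id, station_id, new_challenge(), genuine),
        # A response computed for this station fails at another station.
        "challenge_rejects_other_station": authorize_challenge(
            leaked_id, "STATION-0002", challenge, genuine),
    }
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The point of the comparison is that the leak Ryabova describes (token numbers copied onto a flash drive along with the station's OCPP credentials) is harmless to account holders only when the identifier on its own proves nothing, which requires a secret the card can use but never reveals.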