Electric car chargers 'hackable', warns Kaspersky

Remote-access features of electric car chargers can be exploited by attackers to damage the vehicles, claims Kaspersky

Electric vehicle chargers with remote-access features could become the target of hackers, security specialists at Kaspersky have warned following an analysis of a number of charging infrastructure products.

In some cases, attackers could exploit management features built into the chargers to cause a power overload, possibly damaging both the vehicle and the charger in the process.

Furthermore, if a number of chargers in close proximity are exploited, the attackers could cause a power overload, taking down a subset of the electrical network.

The researchers found commands that could stop the car charging, or set the charging current to the maximum possible value, which, in a vehicle with no trip fuse, would cause the wires to overheat and the vehicle to malfunction.

All an attacker needs in order to gain access to the charger, and therefore damage the system, is access to the WiFi network the charger is connected to. Since many of the devices are designed for personal use, they have no substantial protection from intruders, Kaspersky claimed.

According to the security company, the most common form of hacking is simple brute forcing: conducting dictionary attacks against the devices to crack the password.

The security flaws have been created by a number of companies, particularly start-ups, introducing online features in a bid to make their products stand out.

Kaspersky investigated, in particular, ChargePoint home electric vehicle chargers. These offer both Bluetooth and WiFi connectivity, with Bluetooth used to set the devices up and then disabled.

However, the device can be remotely reset with all WiFi settings and registered user information wiped.

"In addition, we found a web server with enabled CGI on the device. All web server communications are protected by the SSL protocol with the same scheme as the control server, so the web server inherits the described certificate security issue.

"We discovered a series of vulnerabilities in CGI binaries that can be used by an intruder to gain control of the device.

"Two of them were found in the binary used to upload files in different folders to the device depending on the query string parameters.

"Other vulnerabilities (stack buffer overflow) were found in the binary used to send different commands to the charger in the vendor-specific format (included in a POST message body).

"We also found the same stack buffer overflow vulnerabilities in the other binary used for downloading different system logs from the device. All this presents attackers with an opportunity to control the charging process by connecting to the target's WiFi network."

Kaspersky pointed to two major capabilities that an attacker could potentially take control of.

First, they could adjust the maximum current that can be consumed during charging, potentially affecting both the vehicle and the user's home electrical system.

Second, they can stop the car's charging process entirely.
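The stack buffer overflows in the command-handling CGI binary and the ability to raise the maximum charging current both come down to trusting the POST body. The following is an added example, not ChargePoint's or Kaspersky's code: a C handler that bounds the copy into its stack buffer and refuses out-of-range current values. The `SET_CURRENT=<amps>` format, the function name, the 64-byte buffer and the 6 A floor are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX  64  /* assumed maximum length of one command body */
#define MIN_AMPS 6   /* assumed lowest accepted charging current */

enum cmd_status { CMD_OK = 0, CMD_TOO_LONG = -1, CMD_MALFORMED = -2, CMD_OUT_OF_RANGE = -3 };

/* body: raw POST bytes (not NUL-terminated); body_len: value from CONTENT_LENGTH;
 * limit_amps: installer-set circuit limit. "SET_CURRENT=<amps>" is hypothetical. */
enum cmd_status parse_set_current(const char *body, size_t body_len,
                                  long limit_amps, long *out_amps)
{
    static const char key[] = "SET_CURRENT=";
    const size_t key_len = sizeof key - 1;
    char buf[CMD_MAX];
    char *end;
    long amps;
    /* Unsafe pattern: copying body_len bytes into buf without this check. */
    if (body_len >= sizeof buf)
        return CMD_TOO_LONG;
    memcpy(buf, body, body_len);
    buf[body_len] = '\0';

    if (strlen(buf) != body_len)               /* embedded NUL byte */
        return CMD_MALFORMED;
    if (strncmp(buf, key, key_len) != 0 || buf[key_len] < '0' || buf[key_len] > '9')
        return CMD_MALFORMED;

    errno = 0;
    amps = strtol(buf + key_len, &end, 10);
    if (errno == ERANGE || *end != '\0')       /* overflow or trailing bytes */
        return CMD_MALFORMED;
    if (amps < MIN_AMPS || amps > limit_amps)  /* refuse unsafe current */
        return CMD_OUT_OF_RANGE;
    *out_amps = amps;
    return CMD_OK;
}

int main(void)
{
    const char sample[] = "SET_CURRENT=16";    /* constructed sample body */
    long amps = 0;
    int st = parse_set_current(sample, sizeof sample - 1, 32, &amps);
    printf("status=%d amps=%ld\n", st, amps);
    return 0;
}
```

The range check is enforced on the device, so a caller who has already reached the web server still cannot request more current than the circuit limit configured at installation.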

Kaspersky forwarded its findings to the company, which, it claims, rapidly fixed the flaws.