Spikes in the prices of fossil fuels have provided yet another incentive for consumers to move towards electric vehicles (EVs). Alongside that trend is the pressing requirement to have a charging infrastructure which provides enough capacity to satisfy this need. In this article we will explore how EV charging platforms are being architected and deployed while answering a question seldom asked - what security holes are being opened?

Are EV Charging Platforms Already Being Targeted?

The simple answer to that is yes. Typically what we see when new digital services such as EV charging come online is that initially there are a few attacks, mainly by independent researchers. These gain some publicity and although any issues raised normally get dealt with by the providers, it is often stated that the scenarios exposed are ‘academic’ so they may be taken seriously from a marketing perspective but not from a technical perspective. 

Although it may sometimes be difficult to see how the early attack vectors which are identified would result in a meaningful gain for a hacker, in my opinion it’s more common that you think that the exposed security hole is real. In other words, even if it is ‘academic’ it is still indicative of non-optimal security practices within the vendor’s operation. As such these reports should absolutely be taken seriously.

Let’s look at some recent examples of reported attacks against EV charging platform and see what trends we can see:

• In August 2021, researchers found vulnerabilities in 5 of the 6 EV charging platforms that they tested, including one that could enable a home charging station to become a route into the associated home network.
• In November 2021, researchers announced they had found a vulnerability in the mobile app of a charging provider which enabled the exposure of the details of 140,000 users of that service.
• In January 2022, researchers completed a comprehensive assessment of the security of 16 EVCSMS (Electric Vehicle Charging Station Managing Systems), uncovering a plethora of issues in their firmware, mobile apps and web apps.
• In March 2002, at the start of the war in Ukraine, EV charging stations in Russia were hacked and ‘Glory to Ukraine!’ displayed on their screens as a demonstration of solidarity with the Ukrainian people.
• In April 2022, charging stations were hacked and pornographic material shown on their displays, causing complaints and distress to end users.

What we can see from the list above is that the trend is largely as predicted; following the launch of a new product or service the first reported issues come from researchers who do vital work in investigating the security position of any new hardware or software digital services that come online. This is the earliest indicator we consumers get into how seriously providers take security. 

Unfortunately, in situations where a new market opportunity is emerging, grabbing market share is more important than anything else so we often find that security gets left behind, at least initially. This is exactly why the work done by researchers is so  important.

It should be no surprise to discover that what follows shortly after the security researchers have had their say is that we start to see the first examples of hacks in the wild, exactly as illustrated in the 2022 attacks above. Once a new service reaches critical mass then more and more attacks will occur - just ask any crypto platform provider.

What should we expect next?

There are now over 2M EV charging stations deployed worldwide and so we are justified in saying that this is now a platform of interest to cyber criminals. We can therefore confidently predict industrial scale attacks against EV charging infrastructure.

To appreciate what kinds of attacks we will see, it is necessary to look at the opportunities for cyber criminals and other bad actors. All of the usual mechanisms which can be diverted for financial gain are present in the EV charging platforms, i.e. payment data extraction, fraud through bypassing payment mechanisms or by reselling captured personal data such as usernames and passwords.

However, there is more. We must also recognize that EV charging stations are not standalone entities; they are gateways into the national electricity grid and as such you could consider them to be part of, or at least an extension of, a country’s national critical infrastructure. In other words, protecting them well is extremely important because the implications of a successful attack go well beyond the consumer or the service provider.

Let’s look at what attackers will try to achieve by attacking EV charging stations. Here are some possibilities:

• Ransomware: gaining access to valuable data such that bad actors can extort payment from charging providers in exchange for releasing that data. In recent years this has become very real in the healthcare sector and we should expect that it will spread to other verticals.
• Denial of service: gaining access to the charging infrastructure in order to prevent its use by consumers. Chaos could result if consumers were suddenly unable to charge their vehicles on a large scale.
• Penetration of critical infrastructure: since charging stations are connected to the national power grid, they are a viable way for nation state hackers to make a serious attack against the general provision of electrical energy to consumers and/or business users.
• Fraud: using charging stations free of charge or taking over a genuine user account in order to redirect payment to that genuine user. 
• Extraction of customer personal data: downloading of payment details, location details, vehicle details or login details could be beneficial for bad actors who can readily resell such information on the dark web.
• Extraction/manipulation of live commercial data: interception of data indicating location and availability of charging stations could be commercially valuable to sell to competitors or other third parties. Further, manipulation of such data could also be used to direct consumers towards or away from a particular location.

It's clear that there are a large number of different attack vectors to consider in the above and we will now consider the best approaches to mitigate them.

Protection against the inevitable

The research that was mentioned earlier, carried out by academics from Montreal, San Antonio and Dubai, was very comprehensive. It involved searching for and documenting vulnerabilities in the firmware, web apps and mobile apps which form the interfaces into EV charging stations. 

It is of course very important to identify and remove vulnerabilities or bugs in your software which could be used by cyber criminals. All enterprises should be and should remain on top of this. This is normally referred to as ‘shift left’, meaning incorporating searching and addressing exploitable vulnerabilities as early as possible in the software development process.

As useful as that is, it does not help to mitigate one of the most common attack vectors used by bad actors, namely API abuse through the use of scripts and bots. Such attacks do not rely on the existence of vulnerabilities in your code. Put another way, it means that even in the very unlikely event that you have perfect software, free of all vulnerabilities, it is still open to scripted attacks.

These exploits use scripts which look identical to genuine API traffic - including using valid user credentials and platform secrets such as API keys - in order to pass through regular network peripheral, API Gateway and WAF defenses. Since these attacks do not rely on software vulnerabilities, they are highly effective. Further, implementing a shift left security posture will not help with this class of attack.

Rather, what is needed is a ‘shield right’ approach, designed to protect enterprises from bot and script based attackers by ensuring that only genuine software clients (web apps and mobile apps) can use your APIs. Shielding right guarantees that only clean mobile apps and web browsers can access your backend resources, causing all scripts and bots to be blocked at the edge - even if they have access to valid credentials and/or secrets.

Therefore we would suggest shielding right at least as much as you shift left and we’d also make a strong case for shielding right first because it delivers an immediate short term gain; shifting left takes longer to deliver benefits. It should also be noted that shielding right actually protects enterprises from attacks which attempt to exploit vulnerabilities since those attacks are almost always executed by scripts. In other words, shielding right delivers a double short term gain.

Check out our threat guide for more details on this topic.

Recommendations

To properly and effectively protect EV charging stations from the full range of attacks they are likely to experience, we would recommend the follow immediate actions:

• Shielding: Put in place a protection mechanism around the APIs which provide the main access points into your platform. The shield should be capable of identifying scripted and bot driven traffic, even if it is using valid API keys and user credentials. This is the top priority simply because it is the most common attack method seen in the wild and because it will make an immediate impact on the bottom line of your business.
• Pentesting: Consider all of the entry points into your platform, i.e. direct connection, wireless connection, web access and mobile access, and make sure that they are all thoroughly pentested. However, you must also make sure that the pentesting work does not just focus on vulnerability assessment. It must also assess how susceptible your platform is to infiltration by scripts and bots.
• Mobile: Although mobile is only one of the methods available to bad actors to attack you, it is the hardest to defend. Anyone can download your mobile app and analyze the code and its behavior for as long as they want - and they don’t need to identify themselves to do this - making protection of your mobile channel very challenging. Using your app to understand your APIs and extracting credentials from your app code gives them everything they need to build an effective script.

At Approov, we are specialists in protecting businesses that heavily rely on mobile apps as the primary end user touchpoint. Since mobile is the most challenging component in your platform to protect, we are ideal people to speak to in order to assess where we can help and to give you guidance. 

Contact us today and speak to one of our security experts.