Home car charger owners urged to install updateson July 31, 2021 at 1:43 am

- Advertisement -
- Advertisement -
- Advertisement -
- Advertisement -

Security vulnerabilities in two domestic electric car chargers were discovered by researchers.

Security researchers have discovered failings in two home electric car chargers.

The researchers were able to make the chargers switch on or off, remove the owner’s access, and show how a hacker could get into a user’s home network.

Most of the faults have now been fixed but owners are being told to update their apps and chargers, to be safe.

It comes as proposed new legislation on cyber-security for appliances – including chargers – is published.

Project EV charger

Two home chargers, Wallbox and Project EV – both approved for sale in the UK by the Department for Transport – were found to be lacking adequate security when used with an accompanying app for smartphones.

Cyber-security researcher at Pen Test Partners, Vangelis Stykas, discovered the vulnerabilities.

“On Wallbox you could take full control of the charger, you could gain full access and remove the usual owner’s access on the charger. You could stop them from charging their own vehicles, and provide free charging to an attacker’s vehicle.

“Project EV had a really bad implementation on their back end. Their authentication where it existed was pretty primitive, so an attacker could easily escalate themselves to being an administrator and change the firmware of all the chargers.”

Mr Stykas says changing the firmware – the programming that is built in to the hardware – would allow an attacker to permanently disable the charger, or use it to attack other chargers or servers.

Vangelis Stykas

Pen Test Partners is one of a fast-growing number of companies in the UK that specialises in penetration testing, something commonly referred to as ‘white-hat hacking.’

‘White hats’ aim to find security problems and report them to the companies concerned, so vulnerabilities can be corrected before hackers can take advantage of the failing.

Mr Stykas believes anyone with a little knowledge of these cloud-based web application systems could have performed the same hack.

“It’s pretty obvious for anyone who can understand cloud systems and cloud communication, and it didn’t take that much to spot the vulnerability and find a way to exploit it.”

Home Network Access

Researchers also found it would be possible in cases where the chargers were connected by wi-fi to the home network, for hackers to also gain access.

Pen Test Partner’s Ken Munro says: “Once you’re on to someone’s home network, if you haven’t changed that router admin password, you can send all the traffic to the hacker.

Charger and app

“That means they can do things like set up sites that look like the real deal but steal your passwords and then your real bank account for example has been compromised. There’s all sorts of things you can do .. so everything you do online is potentially exposed.”

In its report into the security failures, Pen Test Partners adds that multiple chargers could be controlled at the same time using some of the vulnerabilities it found, which could potentially be used by an attacker to overload the electricity grid in some areas and cause blackouts.

Ensuring cyber-security is part of the government’s conditions for chargers to be sold in the UK, which allows buyers to receive government subsidies when making a purchase.

Thousands of units of both the Wallbox and the Project EV chargers have been sold in the UK, where eligible EV owners can get hundreds of pounds in government subsidies to help them purchase home car chargers.

The Department for Transport declined to comment on the two chargers found to have security flaws.

A government spokesperson told the BBC: “This autumn we will be introducing new legislation designed to further protect consumers and the energy system by mandating a range of cyber-security requirements for EV chargepoints.”

The new Department for Culture Media and Sport legislation will apply to many connected or “smart” consumer devices. Draft legislation is expected to be published by the government by next week.

Both Pen Test Partners and BBC Click contacted the firms to give them the chance to fix the problems before publishing the security flaws.

Project EV, which imports chargers from a company based in China called Atess, said: “We had some speedy conversations with the manufacturer.. to improve the security of their platform.

“All the security issues raised have been addressed, with a new server, app updates and firmware updates to the chargers that are online.”

Inside a Wallbox charger

Wallbox, based in Spain, did not reply to the BBC, but told Pen Test Partners they had fixed the online problems.

Re-testing suggests the web-based security problems with both chargers have been fixed. Owners are being encouraged to check for any security updates issued by the two companies.

However, Ken Munro says the Wallbox charger uses hardware – a Raspberry Pi module – that isn’t secure enough.

“There’s really nothing you can do to make it completely secure, so unless Wallbox have found a way of fixing that – which would be beyond me – I’d suggest perhaps supergluing the box cover in, so hackers can’t take the top off.”

- Advertisement -

Discover

Sponsor

Latest

BBC Sport and Sky Sports unite over online hateon May 21, 2021 at 5:56 am

BBC Sport and Sky Sports come together to amplify their stance on online abuse as part of the ‘Hate Won’t Win’ campaign.Since then, we...

Israel’s new PM Naftali Bennett vows to unite nationon June 14, 2021 at 1:02 am

His pledge comes as his government is voted in, ending Benjamin Netanyahu's 12-year hold on power.Israel's new Prime Minister Naftali Bennett has vowed to...

Over-40s next in line to get a Covid vaccineon February 26, 2021 at 11:28 am

Teachers and other occupations should not be prioritised in the next phase, say UK vaccine experts.image copyrightGetty ImagesVaccinating people in order of age is...

Making Money Online From Oprah’s Book Sales

Oprah, as a famous television personality, has her own loyal following and they buy her books, and that has done a lot to help...

In a U-turn, US surgeon general asks CDC to see if face masks can prevent coronavirus spread after all

KEY POINTS U.S. Surgeon General Jerome Adams had initially advised against the general public wearing face masks. However, Adams told NBC’s “TODAY” show on...