Kaspersky Lab discovers connected electric car charger vulnerabilities
Researchers at Kaspersky Lab have discovered that electric vehicle (EV) chargers supplied by a major vendor carry vulnerabilities that could be exploited by threat actors, with a successful attack potentially resulting in damage to the home electricity network.
Electric cars have become increasingly popular due to their 'greener' footprint and sustainability, and as such, in some regions, public and private charging points are becoming commonplace. With this in mind, the company's researchers decided to check widely available domestic chargers that include a remote access feature.
They found that, if compromised, the connected charger could cause a power overload capable of taking down the network it was connected to, causing not only a financial impact but, in a worst-case scenario, damage to other devices connected to the network.
While scrutinising the chargers, researchers found a way to initiate commands on the charger and to either stop the charging process or set it to the maximum current possible. While the first option would only prevent a person from using the car, the second could potentially cause the wires to overheat on any device not protected by a trip fuse.
All a cyber attacker would need is WiFi access to the network the charger is connected to, in order to change the amount of electricity being consumed, the company explained.
Because these devices are made for domestic use, security for their wireless networks is likely to be fairly basic, meaning hackers could gain access easily, using brute force techniques, for example.
According to Kaspersky Lab statistics, 94% of attacks on Internet of Things devices in 2018 came from Telnet and SSH password brute-forcing. "Once inside the wireless network, the intruders can easily find the charger's IP address. This, in turn, will allow them to exploit any vulnerabilities and disrupt operations," the company added.
All the vulnerabilities found were reported to the vendor and have now been patched.
Under the radar
Dmitry Sklyar, security researcher at Kaspersky Lab, says people often forget that in a targeted attack, cyber criminals always look for the least obvious elements to compromise in order to remain unnoticed. "This is why it is very important to look for vulnerabilities, not just in un-researched technical innovations, but also in their accessories; they are usually a coveted prize for threat actors."
Sklyar says vendors need to be extra careful with connected vehicle devices, and initiate bug bounties or ask cyber security experts to check their devices. "In this case, we were fortunate to have a positive response and a rapid patch of the devices, which helped to prevent potential attacks."