Researchers at cybersecurity firm Pen Test Partners have discovered vulnerabilities in multiple EV chargers and platforms. Vulnerabilities were discovered in the APIs of some charging platforms that could allow accounts and charging stations to be taken over.
According to Pen Test Partners, the vulnerabilities could be used to steal electricity and to bill other accounts incorrectly. Malicious parties could prevent users from charging, and the stability of the electricity grid could be endangered if hackers manage to switch charging points on or off simultaneously.
Chargers from six manufacturers were reviewed: Hypervolt, Rolec, EO Hub, EVBox, Wallbox and Project EV. According to Pen Test Partners, these manufacturers are subsidized by the British government, and their chargers are also used in continental Europe.
Project EV’s charger scored the worst in terms of security. According to Pen Test Partners, this charger did not require logging in with the correct data. “The device assumed that all the parameters you entered were correct,” the company says. “An easily identifiable serial number will then allow attackers to gain access to the charger.”
The researchers reported their findings to Project EV, but they said no response was forthcoming. “It was only after journalists from the BBC were called in that the company took action to take better security measures and push a firmware update for the chargers.”
Pen Test Partners also discovered vulnerabilities in the APIs of the brands Wallbox, EO Hub and Hypervolt. In addition, the chargers of these brands used a built-in Raspberry Pi module, from which, according to the company, malicious parties can extract data very easily. All vulnerabilities have been fixed, according to Pen Test Partners, although the company recommends that the Raspberry Pi modules still in use be better secured.
Update, 8.40 pm: Risks of the vulnerabilities clarified.