During the past five years, electric cars have made an incredible journey, from seeming a bit futuristic and impractical to being something that you want to own. With prices having decreased significantly, the number of electric cars sold hit 2 million by the beginning of 2017, and it is still growing. The infrastructure for electric cars is developing rapidly, so charging stations in your neighborhood don’t look so odd anymore, either.
But, as usually happens with a rapidly developing economic opportunity, manufacturers are jumping into the competition, trying to get as big a piece of the market as they can, and not thinking too hard about what happens next. Of course, we’re talking about security. Not safety, in this case — an electric charger is unlikely to injure you — but cybersecurity. Existing implementations of the basic concept — paying and charging — aren’t very concerned about the sanctity of your personal data and money. Mathias Dalheimer raised this issue at the thirty-fourth Chaos Communication Congress, in his talk about the vulnerabilities of the electric car infrastructure.
How the charging actually works
As the number of electric cars grows, so does the number of charging stations, where station providers receive money in exchange for providing energy. For those transactions, they need a built-in billing system. Before you can start charging your car, you need to identify yourself using your charging ID token, a special near-field-communication (NFC) card that is associated with your account.
The billing for electro mobility is normally carried out using the Open Charge Point Protocol, which regulates communications between billing management systems on one end and the electric charging point on the other end. The charging point sends a request identifying you to the billing system; billing management approves the request and lets the charging point know; and the station lets you start charging. Afterwards, the amount of electricity is calculated and sent back to the billing management system so that it can bill you at the end of the month.
Nothing surprising or even really new there, right? Well, let’s take a closer look and see where the problems begin.
Problems, problems everywhere
Dalheimer probed different components of the system and found that all of them had some problems with security. The first is the ID tokens. They are made by third-party providers and — surprise! — most of them do not secure your data. They are very simple NFC cards that do not encrypt your ID or anything else they contain. The cards’ problems continue. First, they’re pretty easy to program, which Mathias demonstrated by copying his own card and successfully charging with the copy. It would be easy for a knowledgeable person to program a bunch of cards, hoping to hit on a working account number. (Mathias didn’t try that, citing ethical reasons.)
Because charging providers bill once per month, if a car owner’s account is compromised in that way, they won’t see that anything is amiss until the monthly bill arrives.
Another shady thing about the procedure: Most stations use the 2012 version of the OCPP protocol, which is already relatively old and is based on HTTP. (We all know what’s wrong with HTTP, which uses no encryption for transactions.) Mathias demonstrated how easy it is to set up a man-in-the-middle attack by relaying the transaction.
Moreover, both stations that Mathias examined had USB ports. Plug in an empty flash drive – and logs and configuration data will be copied to the drive. From this data, it’s easy to get the login and the password for the OCPP server and, for good measure, the token numbers of previous users — which, remember, is all you need to imitate them.
Even worse, if the data on the drive is modified and then the USB drive is inserted back into the charging point, the charging point will automatically update from it and consider the data on the drive its new configuration. And that opens a whole lot of new possibilities to the hackers.
To sum up, criminals can: collect ID card numbers, imitate them and use them for transactions (for which the real account holders will have to pay); rewire charging requests, basically disabling the charging point; gain root access to the station and then do whatever they like. All because providers chose not to care about security.