Smart car chargers. Plug-n-play for hackers?

Gandalf_The_Grey

Over the last 18 months, we’ve been investigating the security of smart electric vehicle chargers. These allow the owner to remotely monitor and manage the charge state, speed and timing of their car charger, among many functions. We bought 6 different brands of chargers and also reviewed security of some public charging networks.

The mobile apps all communicate with the charger via an API and cloud-based platform, with the chargers usually connected to the user's home Wi-Fi network.

TL;DR

  • We found vulnerabilities that allowed account hijack of millions of smart EV chargers
  • Several EV charger platforms had API authorisation issues, allowing account takeover and remote control of all chargers
  • One platform had no authorisation at all: knowing a short, predictable device ID allowed full remote control of the charger
  • The same charger had no firmware signing, allowed new f/w to be pushed remotely and the charger used as a pivot on to the home network
  • One public charging platform exposed an unauthenticated GraphQL endpoint that we believe also exposed all user and charger data
  • Some EV chargers were built on a Raspberry Pi compute module, which could allow an easy extraction of all stored data, including credentials and the Wi-Fi PSK
  • As one could potentially switch all chargers on and off synchronously, there is potential to cause stability problems for the power grid, owing to the large swings in power demand as reserve capacity struggles to maintain grid frequency
All API and hardware vulnerabilities were successfully disclosed to the vendors involved. All API flaws were remediated, though one vendor only responded and took action once we had involved a trusted journalist.

The Raspberry Pi hardware issues remain; however, the risk of compromise seems low, given the need for physical access to the charger. As a precaution, one could disconnect the charger from home Wi-Fi and change the PSK. Another option may be to glue the faceplate of the charger to the rear, though this seems a little extreme.

Conclusion

There has clearly been a distinct lack of security assurance in the smart EV charger space. There’s something of an EV ‘gold rush’ going on as homes equip themselves with chargers and the public charging infrastructure offers more and more powerful charging.

Basic API security has been missing, as has some basic secure hardware choice. Manufacturers have exposed users to fraud and/or prevented their cars from charging. They’ve also unintentionally created a method for others to destabilise our power grid.

Hopefully this research will encourage charger manufacturers and regulators to ensure security is taken more seriously.
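
The API authorisation flaw in the TL;DR (a device ID alone being enough to control a charger) comes down to a missing per-object ownership check on the server. The sketch below is an added example, not part of the original post or the vendors' code: it puts the flawed handler beside a hardened one and adds a regression check that a platform team could run against its own test accounts. All names, IDs and tokens are constructed for illustration.

```python
# Constructed sample data (hypothetical): charger -> owning account, token -> account.
OWNERS = {"CHG-0001": "alice", "CHG-0002": "bob"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
AUDIT_LOG = []  # denied cross-account attempts, kept for detection


def handle_command_unchecked(device_id, command):
    """Flawed pattern: the device ID alone selects the target, no caller identity."""
    if device_id not in OWNERS:
        return 404
    return 200  # command would be forwarded to the charger


def handle_command(token, device_id, command):
    """Hardened pattern: authenticate the caller, then authorise per device."""
    account = SESSIONS.get(token)
    if account is None:
        return 401
    # Same answer for "unknown device" and "not your device", so the
    # response does not confirm which short IDs exist.
    if OWNERS.get(device_id) != account:
        AUDIT_LOG.append((account, device_id, command))
        return 404
    return 200


def cross_account_findings(call):
    """Regression check: each test account tries every charger it does not own."""
    findings = []
    for token, account in SESSIONS.items():
        for device_id, owner in OWNERS.items():
            if owner != account and call(token, device_id) == 200:
                findings.append((account, device_id))
    return findings


def audit_unchecked():
    return cross_account_findings(lambda t, d: handle_command_unchecked(d, "stop"))


def audit_hardened():
    return cross_account_findings(lambda t, d: handle_command(t, d, "stop"))


if __name__ == "__main__":
    print("unchecked handler:", audit_unchecked())
    print("hardened handler: ", audit_hardened())
```

Running the check in CI against a staging API turns the cross-account case into a test that fails the build, and the audit log gives operations a signal when one account probes devices it does not own.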
 
