EV Charging Station Vulnerability

Anyone else read this article about the bug in a Schneider product?

At its worst, an attacker can force a plugged-in vehicle to stop charging

At its best, an attacker can give away power for free.

That’s basically it. A hardcoded password meant the power could be disabled, although really that means it could be enabled again too. Breaking news: a switch installed in public places could be switched without special switching authorization.

It’s kind of like those air pumps at gas stations that say you need to insert $0.25 when really you just have to push the button, or at least yell at the person in the station booth “hey I need some air here, enable the button so I can push it” and you get air for free.

Breaking news: I got some air for my tires without inserting a quarter. Someone call TechCrunch journalists.

Seriously though, it would be news if someone actually had to pay for a plugged-in tire to start filling.

If a gas station owner insists that you have to pay for air even after you’ve used the pump, stand your ground. If that doesn’t work, here’s the form to report the station to state officials.

That’s right, and speaking of denial of service…an attacker could even run off with a gasoline pump hose (they have safety release mechanisms) or an air hose. Such a brazen attack would leave cars that have tires and gas tanks without services when they pull into a station.

Fuel host disconnects do happen fairly often, by the way. So often there are even videos and lots of news stories about why and where it happens (protip: bad weather is correlated):

And yet TechCrunch wants us to be scared of EV cables being disconnected:

…unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable.

Safety first, amiright? Design a breakaway and attackers can walk away with the cable…for safety.

Such a “vulnerability story” as this EV one by TechCrunch makes me imagine a world where the ranking of stories has a CVSS score attached…a world where “news” like this can theoretically never rise above stories with a severity actually worth thinking about.

An attacker could disable or enable a charging point, where charging status is something easily monitored and on a near-continuous basis. Did your car just stop charging? It’s something you and the provider ought to know in the regular course of using a power plug.

This ranks about as low as you can go in terms of security story value…yet a journalist dedicated a whole page to discuss how a public power-plug can be turned on and off without strong authentication.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.