'Leccy-stealing, grid-crippling hackers could TAKE DOWN EV-juicing systems

A computer on the street. What could possibly go wrong?

Hack in the Box Hackers may soon start abusing electric car charger systems to cripple the electricity grid or as part of money-making scams, a security researcher warns.

Ofer Shezaf, product manager security solutions at HP ArcSight, told delegates at the Hack in the Box conference in Amsterdam that if the industry fails to start securing its systems, it will be setting itself up for a major headache a few years down the line.

Both electric cars and EV charging systems are still in their early stages of development and far from widely used. But early systems are hopelessly insecure, the security researcher argues, and if thought isn't put into designing and applying a secure architecture now, we'll be dealing with an intractable and expensive problem 10 years down the line - when the technology goes mainstream.

Shezaf's presentation Who Can Hack a Plug? The Infosec Risks of Charging Electric Cars explains that charging stations are essentially "computer on the street", featuring embedded RFID readers and connections to other local systems to manage capacity in a local area and avoid overloading the grid.

Shezaf argued that the whole system is weakly authenticated and secured, and might easily be physically tampered with in order to run local denial of service attacks (preventing chargers in an area from working) or to steal either electricity or money. Fortunately the technology exists to thwart such attacks, as an abstract to Shezaf's talk explains.

The vision of electric cars calls for charge stations to perform smart charging as part of a global smart grid. As a result, a charge station is a sophisticated computer that communicates with the electric grid on one side and the car on the other.

To make matters worse, it’s installed outside on street corners and in parking lots. Electric vehicle charging stations bring with them new security challenges that show similar issues as found in SCADA systems, even if they use different technologies.

In this presentation, we will understand what charge stations really are, why they have to be "smart" and the potential risks created to the grid, to the car and most importantly to its owner’s privacy and safety. We will discuss charge station architecture and functionality to identify potential weak spots, and will explore theoretical and real world vulnerabilities in these systems.

In addition, subsystems such as the car to charge station protocol, the embedded RFID reader, the electrical circuits and maintenance back doors will also be discussed. Lastly we will talk about potential solutions such as new key provisioning algorithms and limited authorisation schemes.

Shezaf based his research on public sources such as documentation from vendors' websites, but said hackers could go further - especially if they can physically get hold of equipment, take it apart and look for weaknesses by debugging the software, using fuzzing or other techniques.

He said miscreants could easily dismantle systems, either stolen off the street or purchased through auction sites, to determine their components and extract firmware. This firmware could be analysed and debugged to determine potential vulnerabilities, such as eavesdropping points, or to extract encryption keys (if present). Black hats might also attempt to look at the car/control centre protocol in order to identify vulnerabilities, he said.

Charging stations can be re-configured by opening them up, flipping a manual switch into configuration mode, attaching a computer via the Ethernet port found on most charging stations and using it to gain access to the configuration environment. Hackers would find no need to break passwords or break through other authentication measures to pull off this trick. "You go and open the box with a key and that is the last security measure you meet," Shezaf said, CSOonline reports.

Physically getting into systems may not even be needed. Some charging stations are outfitted with RS-485 short-range communications networks that are supplied without any in-built security. This opens the door to either eavesdropping or man-in-the-middle attacks.

A town called Malice

These security shortcomings collectively create the risk, small for now but more plausible and with greater impact in future, that hackers could mess with charging stations to the extent they became inoperable, a local denial of service attack. This could be achieved by planting malicious code in all the machines in a town centre that's programmed to become active at a certain time. Such denial of (charging/power) service attacks could be large-scale or targeted.
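The unsecured link and the resulting "stop every charger in town" scenario can be modelled end to end. This is an added illustration, not code from Shezaf's talk or from any vendor: the frame layout, the station/controller roles and the per-station HMAC key are all assumed, and it shows why an unauthenticated control link accepts a forged stop command while an authenticated, sequence-numbered one rejects forgery, tampering and replay.

```python
import hmac
import hashlib
import struct

# Constructed frame layout (assumption): station id (2 bytes), sequence number
# (4 bytes), command (1 byte). The plain frame has no authentication at all,
# which is the state of the unsecured RS-485 links the article describes.
# The authenticated variant appends a truncated HMAC-SHA256 tag computed with a
# per-station key that is assumed to be provisioned out of band.
CMD_STOP = 0x00   # stop charging: the "local denial of service" command
CMD_START = 0x01  # resume charging
HDR = ">HIB"
HDR_LEN = struct.calcsize(HDR)  # 7 bytes
TAG_LEN = 16

def plain_frame(station_id, seq, cmd):
    """Unauthenticated control frame: anyone on the bus can produce one."""
    return struct.pack(HDR, station_id, seq, cmd)

def auth_frame(key, station_id, seq, cmd):
    """Same fields plus an HMAC tag keyed with the station's own key."""
    body = plain_frame(station_id, seq, cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Station:
    """Charge-station receiver. With key=None it behaves like the unsecured link."""
    def __init__(self, station_id, key=None):
        self.station_id = station_id
        self.key = key
        self.last_seq = 0      # highest sequence number accepted so far
        self.charging = True

    def receive(self, frame):
        body, tag = frame[:HDR_LEN], frame[HDR_LEN:]
        station_id, seq, cmd = struct.unpack(HDR, body)
        if station_id != self.station_id:
            return "ignored"
        if self.key is not None:
            expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
            if not hmac.compare_digest(expected, tag):
                return "rejected: bad tag"   # forged or tampered frame
            if seq <= self.last_seq:
                return "rejected: replay"    # a captured frame sent again
            self.last_seq = seq
        self.charging = (cmd == CMD_START)   # unsecured path applies anything
        return "applied"
```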

"If someone can prevent charging for everyone in a small area you have a major influence on life. In a larger area it might be a really, really big problem," Shezaf said.

"If somebody finds a way to confuse the smart car charging system, the denial of service can not only hit charging cars, but also the electricity system," he added.

Open standards for networking and authentication technologies need to be introduced into the industry sooner rather than later, Shezaf concluded.

Shezaf's complete presentation can be found here (PDF).

Problems in comparable systems have happened before, Shezaf points out. For example, Chicago's electronic parking meters were thrown into a meltdown for mystery reasons in May 2009.

In another case, a disgruntled former Texas car dealership employee used the internet to disable 100 cars. The vehicles had been equipped with an ignition interrupter that could be controlled over the internet. The Repo Man-style technology was designed to deny the use of cars to customers of the dealership who had fallen behind on their payments but the rogue former employee used passwords assigned to his co-workers in an act of revenge that got him into trouble with the police.

Other possible attacks might include stealing electricity (or money), using man-in-the-middle attacks to emulate control centres, meter spoofing, stealing value from pre-paid charging station cards or other techniques. The possibilities, at least, are extensive and smart meter hacking has been shown to be possible, according to a Black Hat presentation (PDF) dating back to 2009.

And the Boston subway hack (PDF) showed how stored value RFID cards in transport systems could be hacked.

Shezaf's wake-up call on car-charging systems insecurity is being taken seriously by other industry experts. Lila Kee, chief product and marketing officer of GlobalSign and board member of the North American Energy Standards Board, said, however, that progress is being made towards guarding against the possibility of hackers using electric car chargers to cripple the electric grid.

“While it is important to take security of the critical infrastructure seriously, it is equally important to emphasise the need to establish effective security standards and baselines, otherwise the thousands of interconnected entities making up the grid will be left to guess at how to best protect their respective sections," said Kee. "We all know that when it comes to cybersecurity, guessing is not much of a strategy. Luckily, we are beginning to see action being taken and progress being made."

She added: "When it comes to the electric grid, the North American Energy Standards Board (NAESB) has developed standards around the Public Key Infrastructure (PKI) for the energy sector that provides a spectrum of security that balances the cost, operational impact, and security measures needed based on the level of risk of breach.

“As a NAESB board member, I have seen firsthand how standards establishment and legislative intervention can help to improve security private overall. I encourage private industry, government and independent agencies to cooperate to solve cybersecurity problems,” Kee concluded. ®
