
'Leccy-stealing, grid-crippling hackers could TAKE DOWN EV-juicing systems

A computer on the street. What could possibly go wrong?


Hack in the Box Hackers may soon start abusing electric car charger systems to cripple the electricity grid or as part of money-making scams, a security researcher warns.

Ofer Shezaf, product manager security solutions at HP ArcSight, told delegates at the Hack in the Box conference in Amsterdam that if the industry fails to start securing its systems, it will be setting itself up for a major headache a few years down the line.

Both electric cars and EV charging systems are still in their early stages of development and far from widely used. But early systems are hopelessly insecure, the security researcher argues, and if thought isn't put into designing and applying a secure architecture now, we'll be dealing with an intractable and expensive problem 10 years down the line - when the technology goes mainstream.

Shezaf's presentation Who Can Hack a Plug? The Infosec Risks of Charging Electric Cars explains that charging stations are essentially a "computer on the street", featuring embedded RFID readers and connections to other local systems to manage capacity in a local area and avoid overloading the grid.

Shezaf argued that the whole system is weakly authenticated and secured, and might easily be physically tampered with in order to run local denial of service attacks (preventing chargers in an area from working) or to steal either electricity or money. Fortunately the technology exists to thwart such attacks, as an abstract to Shezaf's talk explains.

The vision of electric cars calls for charge stations to perform smart charging as part of a global smart grid. As a result, a charge station is a sophisticated computer that communicates with the electric grid on one side and the car on the other.

To make matters worse, it’s installed outside on street corners and in parking lots. Electric vehicle charging stations bring with them new security challenges that show similar issues as found in SCADA systems, even if they use different technologies.

In this presentation, we will understand what charge stations really are, why they have to be "smart" and the potential risks created to the grid, to the car and most importantly to its owner’s privacy and safety. We will discuss charge station architecture and functionality to identify potential weak spots, and will explore theoretical and real world vulnerabilities in these systems.

In addition, subsystems such as the car to charge station protocol, the embedded RFID reader, the electrical circuits and maintenance back doors will also be discussed. Lastly we will talk about potential solutions such as new key provisioning algorithms and limited authorisation schemes.

Shezaf based his research on public sources such as documentation from vendors' websites, but said hackers could go further - especially if they can physically get hold of equipment, take it apart and look for weaknesses by debugging the software, using fuzzing or other techniques.

He said miscreants could easily dismantle systems, either stolen off the street or purchased through auction sites, to determine their components and extract firmware. This firmware could be analysed and debugged to determine potential vulnerabilities, such as eavesdropping points, or to extract encryption keys (if present). Black hats might also attempt to look at the car/control centre protocol in order to identify vulnerabilities, he said.

Charging stations can be re-configured by opening them up, switching a manual switch into configuration mode, attaching a computer via the Ethernet port found on most charging stations and using it to gain access to the configuration environment. Hackers would find no need to break passwords or break through other authentication measures to pull off this trick. "You go and open the box with a key and that is the last security measure you meet," Shezaf said, CSOonline reports.

Physically getting into systems may not even be needed. Some charging stations are outfitted with RS-485 short-range communications networks that are supplied without any in-built security. This opens the door to either eavesdropping or man-in-the-middle attacks.
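As an added illustration, not code from Shezaf's talk or from any vendor, the Python sketch below shows the minimal protection that such an unsecured serial link lacks: a per-station key provisioned at install time, an HMAC tag over each frame and a strictly increasing counter, so that a forged, altered or replayed frame is rejected by the local controller. The station ids, keys and frame layout are constructed for the example; an HMAC gives integrity only, so the payload remains readable to anyone on the bus unless it is also encrypted.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to every frame

# Constructed per-station keys, standing in for keys provisioned at install time.
STATION_KEYS = {
    0x0A: b"constructed-demo-key-for-station-0a",
    0x0B: b"constructed-demo-key-for-station-0b",
}

# Constructed frame header: station id, 32-bit counter, command, payload length.
HEADER = struct.Struct(">BIBB")


def build_frame(station_id: int, counter: int, command: int, payload: bytes) -> bytes:
    """Station side: frame = header || payload || HMAC(key, header || payload)."""
    body = HEADER.pack(station_id, counter, command, len(payload)) + payload
    tag = hmac.new(STATION_KEYS[station_id], body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class LinkReceiver:
    """Controller side: drops unknown stations, bad tags and non-increasing counters."""

    def __init__(self) -> None:
        self.last_counter = {}  # station id -> highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (status, command, payload); command/payload are None on rejection."""
        if len(frame) < HEADER.size + TAG_LEN:
            return ("too short", None, None)
        station_id, counter, command, plen = HEADER.unpack_from(frame)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        key = STATION_KEYS.get(station_id)
        if key is None:
            return ("unknown station", None, None)
        if len(body) != HEADER.size + plen:
            return ("length mismatch", None, None)
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return ("bad tag", None, None)           # altered or forged on the bus
        if counter <= self.last_counter.get(station_id, -1):
            return ("replay", None, None)            # old frame injected again
        self.last_counter[station_id] = counter
        return ("ok", command, body[HEADER.size:])


def demo() -> dict:
    """Feed a genuine, a replayed, a tampered and a fresh frame to one receiver."""
    rx = LinkReceiver()
    good = build_frame(0x0A, 1, 0x01, b"CARD:1234")  # constructed "authorise card" frame
    tampered = bytearray(good)
    tampered[-TAG_LEN - 1] ^= 0xFF                   # flip the last payload byte
    return {
        "good": rx.accept(good)[0],
        "replay": rx.accept(good)[0],
        "tampered": rx.accept(bytes(tampered))[0],
        "next": rx.accept(build_frame(0x0A, 2, 0x01, b"CARD:1234"))[0],
    }
```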

A town called Malice

These security shortcomings collectively create the risk, small for now but more plausible and with greater impact in future, that hackers could mess with charging stations to the extent that they become inoperable, a local denial of service attack. This could be achieved by planting malicious code in all the machines in a town centre, programmed to become active at a certain time. Such denial of (charging/power) service attacks could be large-scale or targeted.

"If someone can prevent charging for everyone in a small area you have a major influence on life. In a larger area it might be a really, really big problem," Shezaf said.

"If somebody finds a way to confuse the smart car charging system, the denial of service can not only hit charging cars, but also the electricity system," he added.

Open standards for networking and authentication technologies need to be introduced into the industry sooner rather than later, Shezaf concluded.

Shezaf's complete presentation can be found here (PDF).

Problems in comparable systems have happened before, Shezaf points out. For example, Chicago's electronic parking meters were thrown into a meltdown for mystery reasons in May 2009.

In another case, a disgruntled former Texas car dealership employee used the internet to disable 100 cars. The vehicles had been equipped with an ignition interrupter that could be controlled over the internet. The Repo Man-style technology was designed to deny the use of cars to customers of the dealership who had fallen behind on their payments, but the rogue former employee used passwords assigned to his co-workers in an act of revenge that got him into trouble with the police.

Other possible attacks might include stealing electricity (or money), using man-in-the-middle attacks to emulate control centres, meter spoofing, stealing value from pre-paid charging station cards or other techniques. The possibilities, at least, are extensive and smart meter hacking has been shown to be possible, according to a Black Hat presentation (PDF) dating back to 2009.

And the Boston subway hack (PDF) showed how stored value RFID cards in transport systems could be hacked.

Shezaf's wake-up call on car-charging systems insecurity is being taken seriously by other industry experts. Lila Kee, chief product and marketing officer of GlobalSign and board member of the North American Energy Standards Board, however, said that progress is being made towards guarding against the possibility of hackers using electric car chargers to cripple the electric grid.

“While it is important to take security of the critical infrastructure seriously, it is equally important to emphasise the need to establish effective security standards and baselines, otherwise the thousands of interconnected entities making up the grid will be left to guess at how to best protect their respective sections," said Kee. "We all know that when it comes to cybersecurity, guessing is not much of a strategy. Luckily, we are beginning to see action being taken and progress being made."

She added: "When it comes to the electric grid, the North American Energy Standards Board (NAESB) has developed standards around the Public Key Infrastructure (PKI) for the energy sector that provides a spectrum of security that balances the cost, operational impact, and security measures needed based on the level of risk of breach.

“As a NAESB board member, I have seen firsthand how standards establishment and legislative intervention can help to improve security overall. I encourage private industry, government and independent agencies to cooperate to solve cybersecurity problems,” Kee concluded. ®
