'Leccy-stealing, grid-crippling hackers could take down EV-juicing systems

Hack in the Box Hackers may soon starting abusing electric car charger systems to cripple the electricity grid or as part of money-making scams, a security researcher warns.

Ofer Shezaf, product manager security solutions at HP ArcSight, told delegates at the Hack in the Box conference in Amsterdam that if the industry fails to start securing its systems, it will be setting itself up for a major headache a few years down the line.

Both electric cars and EV charging systems are still in their early stages of development and far from widely used. But early systems are hopelessly insecure, the security researcher argues, and if thought isn't put into designing and applying a secure architecture now, we'll be dealing with an intractable and expensive problem 10 years down the line - when the technology goes mainstream.

Shezaf's presentation Who Can Hack a Plug? The Infosec Risks of Charging Electric Cars explains that charging stations are essentially "computer on the street", featuring embedded RFID readers and connections to other local systems to manage capacity in a local area and avoid overloading the grid.

Shezaf argued that the whole system is weakly authenticated and secured, and might easily be physically tampered with in order to run local denial of service attacks (preventing chargers in an area from working) or to steal either electricity or money. Fortunately the technology exists to thwart such attacks, as an abstract to Shezaf's talk explains.

The vision of electric cars call for charge stations to perform smart charging as part of a global smart grid. As a result, a charge station is a sophisticated computer that communicates with the electric grid on one side and the car on the other.

To make matters worse, it’s installed outside on street corners and in parking lots. Electric vehicle charging stations bring with them new security challenges that show similar issues as found in SCADA systems, even if they use different technologies.

In this presentation, we will understand what charge stations really are, why they have to be "smart" and the potential risks created to the grid, to the car and most importantly to its owner’s privacy and safety. We will discuss charge station architecture and functionality to identify potential weak spots, and will explore theoretical and real world vulnerabilities in these systems.

In addition subsystems such as the car to charge station protocol, the embedded RFID reader, the electrical circuits and maintenance back doors will also be discussed. Lastly we will talk about potential solutions such as new key provisioning algorithms and limited authorisation schemes.

Shezaf based his research on public sources such as documentation from vendors' websites, but said hackers could go further - especially if they can physically get hold of equipment, take it apart and look for weaknesses by debugging the software, using fuzzing or other techniques.

He said miscreants could easily dismantle systems, either stolen off the street or purchased through auction sites, to determine its components and extract firmware. This firmware could be analysed and debugged to determine potential vulnerabilities, such as eavesdropping points, or to extract encryption keys (if present). Black hats might also attempt to look at the car/control centre protocol in order to identify vulnerabilities, he said.

Charging stations can be re-configured by opening them up, switching a manual switch into configuration mode, attaching a computer via the Ethenet port found on most charging stations and using it to gain access to the configuration environment. Hackers would find no need to break passwords or other break through other authentication measures to pull off this trick. "You go and open the box with a key and that is the last security measure you meet," Shezaf said, CSOonline reports.

Physically getting into systems may not even be needed. Some charging stations are outfitted with RS-485 short-range communications networks that are supplied without any in-built security. This opens the door to either eavesdropping and man-in-the-middle attacks.

A town called Malice

These security shortcomings collectively create the risk, small for now but more plausible and with greater impact in future, that hackers could mess with charging stations to the extent they became inoperable, a local denial of service attack. This could be achieved by planting malicious code in all the machines in a town centre that's programmed to become active at a certain time. Such denial of (charging/power) service attacks could be large-scale or targeted.

"If someone can prevent charging for everyone in a small area you have a major influence on life. In a larger area it might be a really, really big problem," Shezaf said.

"If somebody finds a way to confuse the smart car charging system, the denial of service can not only hit charging cars, but also the electricity system," he added.

Open standards for networking and authentication technologies need to be introduced into the industry sooner rather than later, Shezaf concluded.

Shezaf's complete presentation can be found here (PDF).

Problems in comparable systems have happened before, Shezaf points out. For example, Chicago's electronic parking meters were thrown into a meltdown for mystery reasons in May 2009.

In another case, a disgruntled former Texas car dealership employee used the internet to disable 100 cars. The vehicles had been equipped with an ignition interrupter that could be controlled over the internet. The Repo Man-style technology was designed to deny the use of cars to customers of the dealership who had fallen behind on their payments but the rogue former employee used passwords assigned to his co-workers in an act of revenge that got him into trouble with the police.

Other possible attacks might include stealing electricity (or money), using man-in-the-middle attacks to emulate control centres, meter spoofing, stealing value from pre-paid charging station cards or other techniques. The possibilities, at least, are extensive and smart meter hacking has been shown to be possible, according to a Black Hat presentation (PDF) dating back to 2009.

And the Boston subway hack (PDF) showed how stored value RFID cards in transport systems could be hacked.

Shezaf's wake-up call on car-charging systems insecurity is being taken seriously by other industry experts. Lila Kee, chief product and marketing officer of GlobalSign and board member of the North American Energy Standards Board member, however, said that progress is being made towards guarding against the possibility of hackers using electric car chargers to cripple the electric grid.

“While it is important to take security of the critical infrastructure seriously, it is equally important to emphasise the need to establish effective security standards and baselines, otherwise the thousands of interconnected entities making up the grid will be left to guess at how to best protect their respective sections," said Kee. "We all know that when it comes to cybersecurity, guessing is not much of a strategy. Luckily, we are beginning to see action being taken and progress being made."

She added: "When it comes to the electric grid, the North American Energy Standards Board (NAESB) has developed standards around the Public Key Infrastructure (PKI) for the energy sector that provides a spectrum of security that balances the cost, operational impact, and security measures needed based on the level of risk of breach.

“As a NAESB board member, I have seen firsthand how standards establishment and legislative intervention can help to improve security private overall. I encourage private industry, government and independent agencies to cooperate to solve cybersecurity problems,” Kee concluded. ®