Threat actors can remotely carry out DDoS and DoS attacks on vulnerable Electric Vehicle (EV) Charge Points (CPs) to cause service outages and access sensitive and personal information of customers.
According to recent studies, 5.8 percent of all vehicles sold in 2022 were electric. This is a big number considering how new the technology is. However, hackers are also keeping an eye on these developments, and any vulnerability in electric vehicles or their charging stations can create havoc.
According to the Israeli EV infrastructure provider SaiFlow, cybercriminals can abuse Electric Vehicle (EV) Charge Points (CPs) to cause service disruption. According to their findings, threat actors can exploit different versions of OCPP (Open Charge Point Protocol) that use WebSocket communications.
Researchers Lionel Richard Saposnik, SaiFlow’s research VP, and Doron Porat, software engineer at the company, wrote that the attack method they discovered is a combination of two new vulnerabilities found in the OCPP standard. The exploitation would allow hackers to shut down EV charging stations remotely.
Moreover, they can manipulate docking stations to recharge EVs for free. Multiple vendors have confirmed the flaws. The hacker must obtain the charger’s identity first and then obtain information about the CSMS platform to which the charger is connected.
What Causes the Issue?
The security flaws are related to the communication between the CSMS (charging system management service) and the EV charge point (CP), particularly over OCPP. EV chargers are connected to a management system platform, which is hosted in the cloud and lets operators track the stability of the infrastructure, manage energy, and handle billing and EV charge requests.
Basically, the protocol doesn’t define how to handle more than one connection from the same CP, and attackers abuse this by opening a new connection to the CSMS. When the attacker opens a new connection to the CSMS on behalf of the charge point, the attacker can force the original connection to be closed or become dysfunctional. The other issue is related to weak OCPP authentication and the policy for charger identities.
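One way a CSMS could guard against both issues described above, shown as an added example that is not SaiFlow's fix or part of the OCPP specification. The class, method names, credential store and the "keep the live session" policy are assumptions made for illustration, and the charger IDs, addresses and secret are constructed.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Session:
    cp_id: str
    peer: str           # source address of the WebSocket connection
    alive: bool = True  # outcome of the last ping/pong liveness probe (assumed)

class ConnectionRegistry:
    """Hypothetical CSMS-side registry: one live session per charge point identity."""

    def __init__(self, credentials):
        self._credentials = credentials  # cp_id -> per-charger secret (constructed)
        self._sessions = {}
        self.alerts = []                 # events a SOC would want to see

    def connect(self, cp_id, peer, secret):
        # Issue 2: knowing the charger identity alone must not be enough.
        expected = self._credentials.get(cp_id)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            self.alerts.append(("auth_failed", cp_id, peer))
            return "rejected"
        # Issue 1: an explicit policy for a second connection under the same identity.
        current = self._sessions.get(cp_id)
        if current is not None and current.alive:
            # Keep the established session and raise an alert instead of
            # letting the newcomer silently displace it.
            self.alerts.append(("duplicate_connection", cp_id, peer))
            return "rejected"
        self._sessions[cp_id] = Session(cp_id, peer)
        return "accepted" if current is None else "replaced_stale"

    def mark_dead(self, cp_id):
        # Called when the liveness probe on the existing socket times out,
        # so a charger that really lost its link can reconnect.
        if cp_id in self._sessions:
            self._sessions[cp_id].alive = False

    def session_peer(self, cp_id):
        session = self._sessions.get(cp_id)
        return session.peer if session else None

if __name__ == "__main__":
    reg = ConnectionRegistry({"CP-001": "s3cret-constructed"})
    print(reg.connect("CP-001", "10.0.0.5", "s3cret-constructed"))
    print(reg.connect("CP-001", "203.0.113.9", "s3cret-constructed"))
    print(reg.alerts)
```

The duplicate-connection alert is the detection signal here: a second authenticated connection for an identity whose session is still answering probes is either a misconfigured charger or someone connecting on its behalf.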
According to SaiFlow’s blog post, when the embedded vulnerability is exploited using the OCPP protocol, a hacker can hijack the connection between the charger and the management platform. When this access is acquired, the hacker can shut down the entire group of chargers using the protocol, whether installed at a highway gas station or at home.
Using other identifiers, they can steal energy from the chargers and access the vehicle’s surrounding components, such as battery management systems, smart meters, other energy managers, and even distributed energy resources.
SaiFlow’s CEO Ron Tiberg-Shachar revealed that when an attacker exploits the two flaws, they can launch a DoS attack to disrupt or disconnect a single charger and access sensitive information like server credentials or payment card data. Or, they can execute a DDoS attack and take down/disconnect all chargers connected to that network. The flaw affects OCPP 1.6J.
He further noted that although a fix is available, the EV industry is slow at applying the updates. SaiFlow is working with some leading EV charger providers to address the issue.