EV charging infrastructure is becoming more and more prevalent in our society. To manage aspects such as configuration, payment and power management, public charging stations are almost always connected to the internet. While this connectivity facilitates the management and configuration of charging stations, it also introduces cyber security risks. A large-scale cyber-attack on EV charging stations could even enable an attacker to destabilize the power grid and cause blackouts.
A security-conscious charging point operator (CPO) will, of course, ensure that charging stations cannot be accessed directly from the internet by securing them within a private network. However, access to this private network is in many cases not even required to reach internal services of the charging station. During Hardwear.io, a cyber security conference focused on hardware devices, ElaadNL demonstrated that a charging station’s internal services can often be accessed over the charging cable, effectively circumventing all network protection implemented by CPOs. This vulnerability allows for a direct cyber-attack on charging stations without requiring access to a CPO’s private network.
You might not realize this when connecting an EV to a charging station, but the process of charging your EV is far more complex than refueling a combustion engine vehicle. This is especially true for DC (fast) charging stations, where complex communication occurs between the EV and the charging station to negotiate aspects such as payment method and charging parameters, like the charging voltage. This communication takes place using the Ethernet protocol, the same protocol your computer uses to communicate with the internet.
Once a connection is set up between the EV and the charging station, both are assigned a unique IPv6 address. As the name suggests, an IPv6 address is used to direct traffic to a specific destination, in this case, either the EV or the charging station. You could compare this to writing a home address on an envelope when sending a letter.
Once data is sent to a specific device, the device also needs to know which program or service to send this traffic to. This is where ports come in. While a device typically has a single IP address (to simplify), it has multiple ports. You could compare this to writing a specific person’s name on an envelope when sending a letter to a household—ensuring the letter reaches the right individual inside the home. All standard charging communication takes place on a designated set of ports, which are selected at the beginning of the communication process.
So, what happens if we try to access ports on the charging station other than the one used for normal communication via the charging cable? Ideally, one would expect the charging station to ignore traffic on any of these other ports, since they aren’t necessary for communication with the EV. But does this happen in practice?
To investigate this, we developed a device that can simulate an EV. When the charging station is connected to this device, the EV simulator and the charging station initiate a charging session, setting up the communication as described earlier. After this, we can use the IPv6 address designated to the charging station to send traffic to other ports via the EV simulator and observe whether the charging station responds.
We applied the methodology described above to test most of the charging stations available at ElaadNL that support this type of complex communication. In total, we have investigated 18 different models of DC (fast) charging stations, and 1 AC charging station, manufactured by 13 different manufacturers. In over half of these charging stations, 10 to be exact, we found services accessible via the charging cable that should not have been reachable that way.
In most cases, this was a service that can be used by the manufacturer to manage the charging station (SSH). If this service uses an insecure password, an attacker can gain full control of the charging station by attempting multiple passwords until the correct one is found.
Additionally, we discovered that on two charging stations, the web configuration interface that can be used by CPOs to configure the charging station was also accessible via the charging cable. Although this interface requires a password, an attacker could bypass it by exploiting vulnerabilities in the web interface or brute-forcing the password. This would allow the attacker to effectively take over the charging station.
You might wonder, what can an attacker achieve with the access described above? And is my charging station at home also vulnerable to this?
To reassure you on the latter point: no, this vulnerability likely does not affect your AC charging station at home. Currently, very few AC charging stations support this level of complex communication. However, as adoption of features like Vehicle-to-Grid (V2G) and Plug-and-Charge (PnC) increases in AC charging stations, this will likely change in the future.
For now, this vulnerability primarily affects DC (fast) charging stations, which are also widely used. An attacker could use this vulnerability to gain initial access to the charging station. From there, an attacker could launch attacks on the backend infrastructure of the CPO or interfere with the operation of the charging station itself. By overwriting power settings, or orchestrating a coordinated halt of charging sessions, the attacker could even destabilize the power grid, potentially causing blackouts. Furthermore, one could envision a scenario where malicious cars infect charging stations while charging, spreading the attack further.
We have reported all our findings to the affected manufacturers. Furthermore, we are trying to raise awareness that this is an issue charging station manufacturers need to be mindful of. This vulnerability is the result of a simple configuration error by the manufacturer, likely caused by a lack of awareness of this specific attack vector. We also invite any charging station manufacturer to have their charging station tested at ElaadNL and recommend conducting a thorough cyber security pentest on the charging station.
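As an added example that is not part of the original post or ElaadNL's tooling, the following Python script shows the kind of self-check a manufacturer could run on a Linux-based charging station controller to catch the configuration error described here: services bound to all interfaces, and therefore reachable from the EV side of the charging cable, that are not part of the EV communication. It assumes the cable link follows ISO 15118 (whose discovery service listens on UDP port 15118), and the `ss` output it parses is constructed, not captured from any real device.

```python
import re

# Assumption (not stated in the post): the cable link follows ISO 15118, whose
# discovery protocol listens on UDP 15118; the TCP session port is negotiated
# per session, so it is not part of this static allowlist.
CABLE_LINK_ALLOWED = {("udp", 15118)}

# Constructed sample of `ss -tulnpH` output from a hypothetical Linux-based
# charging station controller; not captured from any real device.
SAMPLE_SS_OUTPUT = """\
udp UNCONN 0 0   [::]:15118          [::]:* users:(("secc",pid=301,fd=6))
tcp LISTEN 0 128 [::]:22             [::]:* users:(("sshd",pid=120,fd=3))
tcp LISTEN 0 128 *:443               *:*    users:(("lighttpd",pid=210,fd=4))
tcp LISTEN 0 128 [fd00:c90::10]:8443 [::]:* users:(("ocpp-agent",pid=250,fd=5))
tcp LISTEN 0 5   [::1]:5555          [::]:* users:(("debugd",pid=330,fd=7))
"""

# Columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)

def split_local(local: str) -> tuple:
    """Split ss's Local Address:Port column into (address, port)."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)

def is_wildcard(addr: str) -> bool:
    """A wildcard bind listens on every interface, including the one facing
    the EV, so it is reachable over the charging cable unless filtered."""
    return addr in ("*", "::", "0.0.0.0")

def find_cable_exposed(ss_output: str) -> list:
    """List sockets the EV side can reach that are not EV communication.
    Loopback and backend-only binds are skipped: the EV cannot address them."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = split_local(m["local"])
        if not is_wildcard(addr) or (m["proto"], port) in CABLE_LINK_ALLOWED:
            continue
        findings.append({"proto": m["proto"], "port": port, "process": m["proc"]})
    return findings

if __name__ == "__main__":
    for f in find_cable_exposed(SAMPLE_SS_OUTPUT):
        print(f"{f['proto']}/{f['port']} ({f['process']}) reachable from the EV side")
```

On the constructed sample this flags the SSH and web configuration services, which match the two findings reported above; the fix on the station side is to bind such services to the backend-facing address only, or to filter the cable-facing interface down to the EV communication ports.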
You can read more about the technical aspects of this attack and the specific results of our investigation in this technical deep-dive blog.