HQ/EMEAFind out how we can help your business
Researchers discovered a flaw within the electric vehicle (EV) charging management system that hackers could use to steal energy or sensitive information.
According to investigations, the security vulnerabilities are connected to the communications between the EV charge point and the charging system management service. Hence, the use of the Open Charge Port Protocol is severely affected by this flaw.
The researchers confirmed that the weakness could impact numerous vendors’ CSM services.
Based on reports, the issue is related to the application of WebSocket communication by the OCPP and how it mismanages multiple connections. The command does not know how to manage more than one charge point connection at a time.
This data could allow the actors to abuse it by opening a new connection to the CSM service.
The OCPP on the EV charging management system could also be prone to exploitation.
Another issue within the EV charging management system is the weak OCPP authentication and chargers’ identities policy.
An attacker could prompt the original connection to close or become nonfunctional by opening a new link to the charging system management service on behalf of a charge point.
The researchers explained that an adversary could abuse the flaws to deploy a DDoS attack that disrupts the electric vehicle supply equipment network. Furthermore, a threat actor could connect to the charging system management service, allowing them to acquire troves of data such as drivers’ details, payment card data, and server credentials.
In other configurations, once a charger approves an unknown driver’s identity, the attacker may be able to charge their electric vehicle without paying for it. However, a hacker must first acquire a charger’s identity to initiate the power theft attack.
The driver identity commonly has a standard structure, making it more straightforward for attackers to identify the values of valid identifiers. Next, they need to get information on which CSM service platform the charger connects to.
This info would allow them to use the targeted driver’s identity to charge their vehicle for free.
Electric vehicles have become the next innovation for transportation. Unfortunately, threats are always lingering and finding ways to take advantage of these entities.
