Two new security vulnerabilities uncovered in several electric vehicle (EV) charging systems could be used to remotely shut down charging stations, potentially exposing them to data and energy theft.
The findings, from Israel-based SaiFlow, highlight the potential vulnerabilities that the EV charging infrastructure faces.
The flaws were discovered in Open Charge Point Protocol (OCPP) version 1.6J, the JSON variant of OCPP 1.6, which carries messages over WebSockets between EV charging stations and Charging Station Management System (CSMS) providers. The version of OCPP current at the time of the report is 2.0.1.
“The OCPP standard does not describe how a CSMS should accept new connections from a charge station when an active connection already exists,” explained SaiFlow researchers Lionel Richard Saposnik and Doron Porat.
“Attackers can use the lack of a defined guideline for numerous active connections to interrupt and hijack the connection between the charging point and the CSMS.”
In practice this means an attacker who knows a valid charger's identity can open a second WebSocket connection to its CSMS provider while the real charger is still connected, with one of two outcomes depending on how the CSMS handles the duplicate:
A denial-of-service (DoS) condition, if the CSMS closes the original WebSocket connection in favour of the new one, leaving the legitimate charger cut off from its management system.
Information theft, if the CSMS keeps both connections open but sends its responses to the newer, rogue connection, giving the attacker access to the driver's personal data, credit card information and CSMS credentials.
The spoofing is possible because CSMS providers on OCPP 1.6J rely entirely on the charging point identity presented at connection time for authentication, so whoever presents a known identity is treated as that charger.
“The mismanagement of new connections, along with the weak OCPP authentication and charger identity policy, could result in a massive Distributed DoS (DDoS) attack on the [Electric Vehicle Supply Equipment] network,” the researchers report.
OCPP 2.0.1 closes the authentication gap by requiring charging point credentials. That alone does not settle what a CSMS should do when several connections arrive under a single charging point identity; for that case, SaiFlow recommends that the CSMS validate the connections by sending a ping or a heartbeat request on each.
“If one of the links is inactive, the CSMS should remove it,” the researchers added. “If both connections are operational, the operator should be able to terminate the malicious connection either directly or through a CSMS-integrated cybersecurity module.”
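The following is an added example, written for this page and not SaiFlow's or any vendor's code, that models the two duplicate-connection outcomes described above and the recommended handling. A `Connection` object with a constructed `alive` flag stands in for a real WebSocket, the charger identity `CP001`, the peer labels `charger-lan` and `attacker-host`, and the `authenticated` flag (an abstraction of whatever credential check a CSMS performs) are all assumptions; the `CALL` frame follows the real OCPP 1.6J wire shape `[MessageTypeId, UniqueId, Action, Payload]` but its contents are constructed.

```python
"""Added example (not SaiFlow's or any vendor's code): a toy CSMS connection
registry showing the DoS and info-leak outcomes of a spoofed second OCPP 1.6J
connection, beside the ping-then-decide handling the researchers recommend."""
from dataclasses import dataclass, field


@dataclass
class Connection:
    charge_point_id: str           # identity from the WebSocket URL path, e.g. /ocpp/CP001
    peer: str                      # constructed label for the remote end
    authenticated: bool = False    # True only if credentials were checked (OCPP 2.0.1 style)
    alive: bool = True             # constructed stand-in for a Pong / Heartbeat reply arriving in time
    inbox: list = field(default_factory=list)

    def ping(self) -> bool:
        # Real code sends a WebSocket Ping or OCPP Heartbeat and waits; here the flag answers.
        return self.alive


class WeakCSMS:
    """OCPP 1.6J-style CSMS: the URL identity is the whole authentication.
    policy='replace' yields the DoS outcome, policy='append' the info-leak one."""

    def __init__(self, policy: str):
        self.policy = policy
        self.sessions: dict[str, list[Connection]] = {}

    def accept(self, conn: Connection) -> None:
        conns = self.sessions.setdefault(conn.charge_point_id, [])
        if self.policy == "replace":
            for old in conns:
                old.alive = False       # original WebSocket closed: real charger dropped
            conns.clear()
        conns.append(conn)

    def send(self, charge_point_id: str, frame: list) -> Connection:
        target = self.sessions[charge_point_id][-1]   # newest connection wins
        target.inbox.append(frame)
        return target


class HardenedCSMS:
    """Applies the mitigations described in the article: require credentials;
    on a duplicate identity ping the existing link, replace it if dead, and
    hold the newcomer for operator review if both are live."""

    def __init__(self):
        self.sessions: dict[str, Connection] = {}
        self.quarantine: dict[str, Connection] = {}
        self.events: list[str] = []

    def accept(self, conn: Connection) -> str:
        if not conn.authenticated:
            self.events.append(f"reject {conn.charge_point_id} from {conn.peer}: no credentials")
            return "rejected"
        existing = self.sessions.get(conn.charge_point_id)
        if existing is None or not existing.ping():
            if existing is not None:
                self.events.append(f"replace stale session for {conn.charge_point_id}")
            self.sessions[conn.charge_point_id] = conn
            return "accepted"
        # Both links answer: keep serving the original, park the newcomer for the operator.
        self.quarantine[conn.charge_point_id] = conn
        self.events.append(f"duplicate live session for {conn.charge_point_id} from {conn.peer}")
        return "quarantined"

    def send(self, charge_point_id: str, frame: list) -> Connection:
        target = self.sessions[charge_point_id]
        target.inbox.append(frame)
        return target


# Constructed OCPP 1.6J CALL frame: [MessageTypeId, UniqueId, Action, Payload].
CALL = [2, "42", "RemoteStartTransaction", {"idTag": "DRIVER-TOKEN"}]


def scenario_weak(policy: str) -> dict:
    """Spoofed second connection against a WeakCSMS with the given policy."""
    real = Connection("CP001", "charger-lan", authenticated=True)
    csms = WeakCSMS(policy)
    csms.accept(real)
    csms.accept(Connection("CP001", "attacker-host"))       # spoofed identity, no credentials
    target = csms.send("CP001", CALL)
    return {"real_dropped": not real.alive, "served": target.peer,
            "leaked_idtag": target.inbox[0][3]["idTag"]}


def scenario_hardened() -> dict:
    real = Connection("CP001", "charger-lan", authenticated=True)
    csms = HardenedCSMS()
    results = [csms.accept(real),
               csms.accept(Connection("CP001", "attacker-host")),                      # no credentials
               csms.accept(Connection("CP001", "attacker-host", authenticated=True))]  # stolen creds, live original
    real.alive = False                                                                   # original link dies
    results.append(csms.accept(Connection("CP001", "charger-lan", authenticated=True)))  # legitimate reconnect
    return {"results": results, "served": csms.send("CP001", CALL).peer, "events": csms.events}


if __name__ == "__main__":
    print(scenario_weak("replace"), scenario_weak("append"), scenario_hardened(), sep="\n")
```

Run stand-alone, the two `WeakCSMS` policies show the legitimate charger either dropped (`real_dropped` is True) or left connected while the attacker's link receives the driver's `idTag`; `HardenedCSMS` rejects the unauthenticated spoof, quarantines an authenticated duplicate while the original still answers a ping, and only accepts a replacement once the original link has gone silent. In a real CSMS the `authenticated` flag would be set by the server's credential check and `ping()` by an actual WebSocket Ping or OCPP Heartbeat round-trip with a timeout.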
Info source – The Hacker News