Three Dutch ethical hackers from Computest Security, Daan Keuper, Thijs Alkemade and Khaled Nassar, have found several vulnerabilities in three American-made charging stations.

The hackers’ findings were presented during the prestigious PwnOwn Automotive hacking competition, part of the Automotive World conference in Tokyo. They showed that posts from various suppliers can be acquired relatively easily via Bluetooth without having to have access to user data. The team of hackers earned $67,500 by discovering the vulnerabilities.

“The relative ease with which we were able to access the charging stations shows that security was not a factor in the design of the stations,” says Daan Keuper, Head of Security Research at Computest Security. “These are obvious vulnerabilities that a manufacturer could have discovered by carrying out a security test. The fact that this has been omitted shows that devices that are connected online, such as charging stations, are lagging behind in terms of security and that there is still a lot of profit to be made here.”

The hacking competition, which was organized during the Automotive World conference in Tokyo, is mainly focused on products and platforms related to electric cars. In addition to charging stations, infotainment systems and operating systems are also part of the competition. Because the electric vehicle fleet is growing rapidly and cars are becoming more connected, the possibilities for hacking parts are also increasing. For example, mobile apps, Bluetooth connections and the Open Charge Point Protocol can allow malicious parties to cause damage to the cars. Furthermore, access to the charging station can be a way to gain access to other IoT applications used in and around homes.

For the competition, the Computest Security team examined four charging stations for home use. These can be used on 110 volt networks. Vulnerabilities were found in three of the charging stations, the ChargePoint Home Flex, the Autel MaxiCharger and the Juicebox 40. More than 200 million charging stations have already been sold of the Chargepoint Home Flex. Each of the charging stations was accessible via the same type of vulnerability that allows hackers to take control of the system and, for example, switch it on or off.

The fourth charging station for which no vulnerability was found used the Amazon IoT cloud platform for the connectivity of the station and the associated app. This ensures that the basic functions required for the IoT equipment are facilitated by Amazon. Security is then already guaranteed. The other charging stations use self-designed systems where security is apparently not included as standard.

The Computest Security team previously hacked the infotainment system used in various models of the Volkswagen Auto Group. According to Keuper, the hack of the charging stations is not an isolated incident, but is illustrative of the limited attention to security within the automotive industry. “In the Netherlands we periodically see reports about the insecurity of charging infrastructure, cloning charging cards has also been a known problem for years that has still not been solved.”

Keuper therefore advocates standardization of systems and enforcement of security guidelines such as the European Cyber Resilience Act and NIS2. “We must prevent security from simply becoming a compliance issue, as this often makes organizations less open and makes it less possible for people to learn from each other. Ensuring security should be a matter of intrinsic motivation,” says Keuper.