
Two new security vulnerabilities discovered in some electric vehicle (EV) charging systems can be exploited to remotely shut down charging stations and even expose them to data and energy theft.
Research from Israel-based SaiFlow once again demonstrates the potential risks facing EV charging infrastructure.
This issue has been identified in version 1.6J of the Open Charge Point Protocol (OCPP) standard, which uses WebSockets for communication between EV charging stations and Charging Station Management System (CSMS) providers. The current version of OCPP is 2.0.1.
“The OCPP standard does not define how the CSMS accepts new connections from charging points when there are already active connections,” said SaiFlow researchers Lionel Richard Saposnik and Doron Porat.
“With no clear guidelines for multiple active connections, attackers can sabotage and hijack connections between charging points and CSMS.”
This also allows an attacker to spoof a valid charger's connection to the CSMS provider while the legitimate charger is already connected, which leads to one of two scenarios:
- A denial of service (DoS) condition, when the CSMS provider closes the original WebSocket connection as soon as the new one is established
- Information theft, when the CSMS keeps both connections open but replies to the “new” rogue connection, giving an adversary access to the driver’s personal data, credit card details, and CSMS credentials.
Forgery is possible because the CSMS provider is configured to rely solely on the charging point ID for authentication.
“Combining weak OCPP authentication and incorrect handling of new connections with charger identity policies can lead to large-scale distributed DoS (DDoS) attacks on the [Electric Vehicle Supply Equipment] network,” said the researchers.

OCPP 2.0.1 fixes the weak authentication policy and closes the loophole by requiring charging point credentials. That said, SaiFlow says the mitigation for multiple connections from a single charging point is to send a ping or heartbeat request to verify connectivity.
“If one of the connections does not respond, the CSMS should drop it,” the researchers explained. “If both connections are responsive, the operator should be able to eliminate the malicious connection either directly or through the cybersecurity module integrated into the CSMS.”
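To make the two policies concrete, the following is an added example (not SaiFlow's or any OCPP vendor's code) that models a CSMS connection registry keyed by charge point ID: the naive "newest connection wins" policy the article warns about, beside the heartbeat-based handling the researchers describe. Connection objects, the `ping` callback and the review queue are constructed assumptions for the simulation.

```python
"""Duplicate-connection handling for an OCPP 1.6J CSMS (constructed model)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Conn:
    """One WebSocket from a charge point; `alive` stands in for its heartbeat reply."""
    conn_id: str
    alive: bool = True


@dataclass
class NaiveRegistry:
    """Policy the article warns about: a new connection evicts the existing one."""
    active: Dict[str, Conn] = field(default_factory=dict)

    def connect(self, cp_id: str, conn: Conn) -> str:
        # Authentication is the charge point ID alone, so whoever presents the
        # ID last owns the session and the legitimate charger is dropped (DoS).
        self.active[cp_id] = conn
        return conn.conn_id


@dataclass
class HeartbeatRegistry:
    """Mitigation described by SaiFlow: ping both sides before dropping either."""
    active: Dict[str, Conn] = field(default_factory=dict)
    review_queue: List[Tuple[str, str, str]] = field(default_factory=list)

    def connect(self, cp_id: str, new: Conn,
                ping: Callable[[Conn], bool]) -> Optional[str]:
        """Return the connection ID that now serves cp_id, or None if none does."""
        old = self.active.get(cp_id)
        if old is None:
            self.active[cp_id] = new
            return new.conn_id
        old_ok, new_ok = ping(old), ping(new)
        if old_ok and not new_ok:
            return old.conn_id            # newcomer silent: keep the established session
        if new_ok and not old_ok:
            self.active[cp_id] = new      # established session stale: take the live one
            return new.conn_id
        if not old_ok and not new_ok:
            del self.active[cp_id]        # nobody answers: drop both, charger reconnects
            return None
        # Both answer: never let the newcomer evict the existing session automatically;
        # keep the established one and hand the duplicate to the operator/security module.
        self.review_queue.append((cp_id, old.conn_id, new.conn_id))
        return old.conn_id
```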