British security company discovers vulnerabilities in EV chargers

Researchers at cybersecurity company Pen Test Partners have discovered vulnerabilities in multiple EV chargers and platforms. Vulnerabilities were discovered in the APIs of some charging platforms that allowed accounts and charging points to be taken over.

According to Pen Test Partners, the vulnerabilities could allow electricity to be stolen and falsely charged to other accounts. Users can be prevented from charging electrically by malicious parties and the stability of the electricity grid can be endangered if hackers manage to activate or switch off charging points simultaneously.

Six manufacturers of EV chargers passed in review: Hypervolt, Rolec, EO Hub, EVBox, Wallbox and Project EV. These manufacturers are subsidized by the UK government, according to Pen Test Partners, and are also used on the European mainland.

The Project EV charger scored the worst in terms of security. With this charger, according to Pen Test Partners, it was not necessary to log in with the correct data. “The device assumed that all the parameters you entered were correct,” the company says. “On the basis of an easily traceable serial number, attackers can then gain access to the charger.”

The researchers reported their findings at Project EV, but they said they did not receive an answer. “It was only after journalists from the BBC were called in that the company took action to improve security measures and push a firmware update for the chargers.”

Pen Test Partners also discovered vulnerabilities in the APIs of the Wallbox, EO Hub and Hypervolt brands. In addition, the chargers of these brands used a built-in Raspberry Pi module and according to the company, data extraction by malicious parties can be done very easily. All vulnerabilities have been fixed, according to Pen Test Partners, although the company recommends better securing the Raspberry Pi modules that are still in use.

Update8:40 pm: Risk vulnerabilities clarified.