24-08-2021 | By Robin Mitchell
Recently, security researchers discovered security flaws in two separate EV chargers that allowed for disconnection of power and granted access to the home network. Why do IoT devices pose challenges to security systems, what exactly did the researchers find, and is integrating intelligent systems into basic devices a good idea?
Ensuring the security of home networks has never been more critical now that modern life is entirely reliant on internet technologies. Initially, the internet was a source of information with limited capabilities, meaning that attackers could do little. Now that almost all services are found online, including banking, personal information, and purchases, attackers will do anything they can to get this information. The beauty of the internet is that they can do all of this from their own home.
Securing home networks can ensure that devices follow basic security precautions such as strong passwords, but the increasing number of internet-enabled devices makes this a more challenging task. Furthermore, editing security policies on devices and making complex changes can be far too complicated for the average user, meaning that most are often vulnerable to attack.
Because of this, manufacturers will often integrate update systems into their products to fix bugs and security flaws when they are discovered. This is why ensuring that devices are up-to-date is one of the pillars of security, and putting updates off is one of the prominent weaknesses that cybercriminals take advantage of.
Recently, security experts at Pen Test Partners discovered vulnerabilities in two different EV chargers. The two chargers, Wallbox and Project EV, are both approved for sale in the UK and are internet-enabled with the ability to connect to smartphone apps.
In the case of the Wallbox charger, an attacker could theoretically gain entry to the charger itself, prevent the authorised user from charging their vehicle, and then use the charger themselves. This would provide the attacker with a free charge on their vehicle. In the case of Project EV, the researchers reported that its backend (i.e. server) security was basic, meaning that an attacker could easily authenticate themselves at an administrator level, thereby gaining complete control of devices via a firmware update.
The researchers also noted that the ability of both chargers to access Wi-Fi meant that an attacker could also gain entry to a home network. From there, the main router in a home can be hacked via default passwords (which are rarely changed), giving the attacker control of the entire home network. Controlling a home's router is particularly dangerous as all traffic can be routed to the attacker, who can then create false websites for banking and other related services to steal information.
While both companies have issued updates to fix the discovered flaws, the Wallbox design perfectly demonstrates why single board computers are not designed for commercial use. Inside the Wallbox charger is a Raspberry Pi compute module which essentially controls the entire system. While Raspberry Pi systems are great for coding and prototyping, they are absolutely inappropriate for any design requiring some level of security. One of the main reasons for this is that the Raspberry Pi is specifically designed to be a development platform with a strong community where hacking is encouraged both in software and hardware.
The purpose of an EV charger is to charge an electric vehicle, and yet there seems to be a craze to connect everything to the internet. It makes sense to connect some devices such as door alarms and blind controls to a network to be controlled remotely, but is there a real need to connect a charger to the internet?
As more devices are connected to the internet, the number of attack vectors for cybercriminals increases. The use of different manufacturers also increases the likelihood of security flaws, as each manufacturer will have different design methods. This leads us to ask whether we should continue integrating technology into everyday items, and whether doing so is entirely necessary.