Pulse Energy is a start-up based out of Bangalore that offers an energy-as-a-service API for EV charging. They predominantly cater to fleet operators and help their vehicles get access to multiple EV charging networks. In this article, Akhil Jp from Pulse Energy shares the cybersecurity concerns they have noticed in this space over the last two years and recommends the best practices that Charge Point Operators (CPOs) should follow to create a secure charging ecosystem.
Security breaches in EV charging ecosystem
In our estimate, 70% of DC chargers in India are insecure. The main security breaches we observed in the Indian EV charging ecosystem are:
- Insecure connections between charger and CMS servers: Many of the deployed chargers have insecure connections with the cloud CMS servers. Most of them use a plain (non-TLS) WebSocket connection to communicate with the server.
- Non-TLS compliant hardware: In many instances, the charger hardware does not support an SSL connection or a TLS connection. In such cases, the data exchange ends up happening in plain text over websockets running on top of HTTP.
- Unlocked charger cabinets and static admin OTPs: Charger cabinets are often left unlocked for easy troubleshooting, or weak 4- or 6-digit OTPs are configured to access the admin settings of the charger. This enables a malicious user to access the LAN port of the charger control unit to extract information or place interceptors.
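A CPO can measure the first two problems for its own fleet from the connection records of the proxy in front of the CMS. The sketch below is an added example, not code from Pulse Energy; the log format and the charge point IDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not a real product's):
#   <timestamp> <scheme> <charge_point_id> <tls_version or ->
LINE = re.compile(r"^(\S+) (wss?) (\S+) (\S+)$")
WEAK_TLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

# Constructed sample; charge point IDs are made up.
SAMPLE_LOG = """\
2023-07-01T08:00:02Z wss CP-001 TLSv1.3
2023-07-01T08:00:05Z ws CP-002 -
2023-07-01T08:01:11Z wss CP-003 TLSv1.1
2023-07-01T09:14:40Z wss CP-004 TLSv1.2
2023-07-01T09:20:09Z ws CP-004 -
not a connection line
"""


def audit(log_text):
    """Map each charge point ID to ok / weak_tls / plaintext / mixed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not connection records
        _, scheme, cp_id, tls = m.groups()
        if scheme == "ws":
            seen[cp_id].add("plaintext")
        else:
            seen[cp_id].add("weak_tls" if tls in WEAK_TLS else "ok")
    report = {}
    for cp_id, kinds in seen.items():
        if "plaintext" in kinds:
            # A charger that sometimes uses wss but also connects over ws
            # still exposes its traffic, so report it separately.
            report[cp_id] = "mixed" if len(kinds) > 1 else "plaintext"
        else:
            report[cp_id] = "weak_tls" if "weak_tls" in kinds else "ok"
    return report


def insecure_share(report):
    """Fraction of chargers whose link is not consistently on modern TLS."""
    if not report:
        return 0.0
    return sum(1 for s in report.values() if s != "ok") / len(report)
```

Grouping the non-`ok` charge points by charger model shows which OEMs need to be asked for TLS support first.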
Potential threats due to insecure networks
Today, it is possible to snoop on the traffic between the charger and the server.
Here is the typical and simplified form of an EV charging network, where green dots represent the EV, light orange represents the user information such as payments and user credentials, dark orange boxes represent the charger management system, and the blue dots represent the charger.
Image source: Pulse Energy
In the majority of cases, the communication link between the charger and the CMS today is insecure. If we take a basic charging setup, every charger has a LAN cable that runs all the way to the modem or the communication module. In an insecure system, one could place an interceptor and start capturing traffic. The interceptor can easily be built by taking a Raspberry Pi and placing it between the charger and modem. A simple Nginx reverse proxy server with websockets enabled can do the trick. It is not even expensive to build one and can be done for INR 2,000 to 3,000. Most of the cabinets in public charging areas are not locked; someone can open them and place these hardware interceptors. If you are a CPO, make sure that you talk to your charger OEMs about enabling TLS or secure websockets, so such threats can be avoided.
Many charger manufacturers do not support secure communication, although there are some who do and some who are working towards enabling it. Our attempts to promote secure communication are sometimes met with resistance from these manufacturers, as their hardware does not accommodate it.
Below are a few examples of how these vulnerabilities can be exploited.
- Some CPOs support starting your charging sessions using the NFC chips on your credit cards instead of regular RFID cards, i.e. you tap your credit card on the charger and start charging. The information captured from the card is sent to the server for card authorization (like an Authorize.req message). If the communication link is insecure, an interceptor placed in between the charger and the modem can read the card information.
- The second example is from Europe and relates to how vulnerable OCPP Autocharge can be over an insecure OCPP communication link. Autocharge is a mechanism where you plug the vehicle in, the vehicle advertises its MAC ID, and the charger sends it upstream to the CMS to authorise the user (if not found in the charger’s local list). If the user is authorised, the car starts charging. Anyone with an interceptor in place can capture the MAC ID. Malicious actors can spoof this ID to charge an attacker’s vehicle and bill the victim for the energy consumed.
Recommended best practices for CPOs
Every CPO is trying to enable easy charging access through their mobile app or website. I am sharing a few basic best practices that can be implemented with low effort.
Certificate pinning – If you have an EV charging app, make sure that you do certificate pinning. This is a process of ensuring that your app only speaks to your server, as it will only trust the certificate that your server provides. You can pin the root certificate in case you want to avoid having to update your app every time your domain certificate gets rotated. Certificate pinning helps secure the system from a man-in-the-middle attack.
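The trade-off between pinning the server certificate and pinning the root can be shown in a few lines. This is an added example in Python standing in for the check a mobile client performs, not code from Pulse Energy; it hashes the whole DER certificate (many apps pin the public key instead), and the byte strings are constructed stand-ins for real certificates.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def pin_of(cert_der):
    """Base64 SHA-256 of a DER certificate, the value shipped inside the app."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def matched_pin(chain_der, pins):
    """Return the chain index (0 = leaf) that matches a pin, else None."""
    for index, der in enumerate(chain_der):
        candidate = pin_of(der)
        if any(hmac.compare_digest(candidate, p) for p in pins):
            return index
    return None


def open_pinned(host, pins, port=443, timeout=5.0):
    """Normal chain and hostname validation first, then enforce a leaf pin."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if matched_pin([tls.getpeercert(binary_form=True)], pins) is None:
        tls.close()
        raise ssl.SSLError("server certificate matches no pinned value")
    return tls


# Constructed stand-ins for DER certificates before and after a rotation.
ROOT = b"constructed-root-ca"
OLD_LEAF = b"constructed-leaf-before-rotation"
NEW_LEAF = b"constructed-leaf-after-rotation"
```

With only `pin_of(ROOT)` in the pin set, both the old and the rotated chain match at index 1; with only `pin_of(OLD_LEAF)`, the rotated chain returns `None` and the app would need an update.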
Enable secure websockets (TLS) – Ask your charger OEM to start supporting secure websockets. Getting CMS vendors to enable TLS is easy, but it’s not worth it if your hardware does not support it. Secure websockets can prevent MITM (man-in-the-middle) attacks between the charger and the cloud server.
Obfuscation – Enable code obfuscation within your EV charging app. Reverse engineering mobile apps is easy these days, and poor security can lead to leakage of hardcoded secrets and payment gateway keys. It is possible to reconstruct entire API requests and figure out what keys are used for those APIs.
No hard coding keys – There are applications and websites out there that have hardcoded keys with which you can start and stop charging sessions. One needs to actively avoid doing that.
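A build-time check can catch hardcoded keys before an app or website ships. The scanner below is an added example, not Pulse Energy's tooling; the file names, identifiers and key values in the sample are constructed, and the entropy threshold is an assumption to tune per code base.

```python
import math
import re
from collections import Counter

# An identifier that suggests a credential, assigned to a quoted literal.
ASSIGNMENT = re.compile(
    r"""(?ix)
    \b([a-z0-9_]*(?:key|secret|token|passw(?:or)?d)[a-z0-9_]*)
    ["']?\s*[:=]\s*
    ["']([^"']{12,})["']
    """
)
# Values that are clearly templates or injected at build time.
PLACEHOLDER = re.compile(r"(?i)^(?:your|example|changeme|\$\{|<)")

# Constructed sample sources; the key values are made up.
SAMPLE = {
    "ChargingApi.kt": (
        'const val BASE_URL = "https://api.example.invalid/v1"\n'
        'const val PAYMENT_GATEWAY_KEY = "k9fQ2xLr7VbT0mZa4KdWc8YhE3"\n'
    ),
    "config.js": (
        "export default {\n"
        '  sessionToken: "${SESSION_TOKEN}",\n'
        '  apiSecret: "Zx81Qm4TtYv0NcR2bH6e",\n'
        "};\n"
    ),
}


def entropy(value):
    """Shannon entropy in bits per character."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def scan(files, min_entropy=3.5):
    """Return (path, line number, identifier, redacted value) per finding."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in ASSIGNMENT.finditer(line):
                name, value = match.group(1), match.group(2)
                if PLACEHOLDER.match(value) or entropy(value) < min_entropy:
                    continue  # template or low-entropy filler, not a real key
                findings.append((path, lineno, name, value[:4] + "..."))
    return findings
```

Failing the build when `scan` returns anything keeps such keys out of the shipped bundle; secrets that control charging sessions belong on the server side.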
Over the last couple of years, the Indian EV charging industry has been growing rapidly, and everyone has been trying to keep up. However, we have now reached an inflection point where we need to focus on strengthening our systems. This applies to us too; Pulse Energy is not perfect either. We have a long way to go, and each of us has to make trade-offs. However, it is crucial for every developer working in this field to be well-informed about security measures and to prioritize making their chargers and cloud interfaces more secure.
This article was first published in EVreporter July 2023 magazine.