Abstract

The demand for Electric Vehicles (EVs) has been increasing exponentially, and to achieve sustainable growth, the industry has dictated rapid development of the supporting infrastructure. This requires building a reliable EV charging ecosystem that serves customer demands while ensuring the security of the Internet-enabled systems and the connected critical infrastructure against possible cyber attacks. To this end, we devise a system lookup and collection approach to obtain a representative sample of widely deployed EV Charging Station Management Systems (EVCSMS). Furthermore, we leverage reverse engineering and penetration testing techniques to perform a first-of-a-kind comprehensive security and vulnerability analysis of the identified EVCSMS and their software/firmware implementations. Our systematic analysis unveils an array of vulnerabilities, which demonstrate the insecurity of the EVCSMS against remote cyber attacks. Considering the feasibility of such attacks, we discuss attack implications against the EV charging stations (EVCS) and their users. More importantly, we simulate the impact of practical cyber attack scenarios against the power grid, which result in possible service disruption and failure in the grid. Finally, while we recommend mitigation measures, our discoveries raise concerns about the lack of adequate security considerations in the design of the deployed EVCS, which will motivate vendors to take immediate action to patch their developed systems. Indeed, our communication with the concerned parties resulted in positive responses from some vendors such as Schneider Electric, who acknowledged our findings by reserving 12 CVEs.
