In a whitepaper published recently, the experts inspected the security systems of several car charger brands, trying to figure out if bad actors can breach them and eventually obtain remote access.
Two brands, namely Wallbox and Project EV, proved to be the most vulnerable, with the researchers discovering that in some cases, a more sophisticated attack would have allowed a hacker to access the Wi-Fi network and then eventually monitor traffic or even break into other devices.
In other words, a malicious actor would have been capable of taking control of a car charger and then infiltrate your home by hacking the rest of the network the device was connected to.
The study shows that millions of smart EV chargers were vulnerable, and one brand used no authorization at all, which means a hacker would have needed only a couple of seconds to access a certain device remotely. The same brand used no firmware signing, so a malicious actor would have been able to send crafted software to pave the way for other attacks through the same network.
Needless to say, getting remote access to a car charger means the attacker obtained full control over it, not only to disconnect the car but also to remove the owner’s access.
The good news is that Pen Test Partners has already reached out to the manufacturers of the chargers and all API flaws have been remediated, so customers are now strongly recommended to update their software as soon as possible.
In the case of some chargers, the experts explain that with physical access to the charger, a hacker could still break into the software given it relies on Raspberry Pi hardware, but the likelihood of such an attack is obviously very low.