EV Hacking: This Is How Easy It Is to Sabotage the Power Grid | WSJ

electruck

An interesting piece from WSJ:


BigSkies

These types of vulnerabilities are prevalent in anything internet connected. I don't see EVs as more or less vulnerable than anything else.

There's also a difference between what exploits a hacker will practically exploit and what exploits are hypothetically possible.

Do I think there will be some crazy hack of EV chargers to take down the grid? Maybe if war breaks out and we're dealing with nation-state actors. Otherwise it's doubtful.

Do I think a hacker will open a physical L2 charger on the side of my house to replace a chip and steal my passwords? No.

Do I think an EV charger software exploit will be used to bulk-steal passwords and turn them into bitcoin mining rigs? It's probably already happening.

Use a password manager, keep good password hygiene, and don't take the WSJ too seriously when it comes to anything EV related.
 
electruck

I don't at all see this as fear-mongering or a WSJ hit piece on EVs. This article is really more of a prod at manufacturers to step up their cyber game.

I agree, the level of vulnerability is on par with anything else internet connected. And if my home charger were outside, I would be more concerned with people stealing my electricity or the cables for their copper wiring than stealing my network secrets. Yes, as a consumer, we should follow good cyber practices. But for manufacturers, Cybersecurity is much like Accessibility, it is most effective when baked in from the get-go. The problem is, many companies have technical competency in their core field but neglect to develop competencies in areas such as Cybersecurity and Accessibility (Rivian is a prime example of a company that largely fails on the Accessibility front, hopefully they are better positioned on the Cyber front).

What is novel about EVs and charging infrastructure is the potential magnitude of certain exploits. As someone who works in Cybersecurity, I will say that an ounce of prevention is most certainly worth far more than a pound of cure. And absolutely do not underestimate the threat from nation-state actors.
 

Proxy

If the grid goes down gas stations can’t pump gas. So EVs could actually cause the downfall of gas and diesel vehicles!
Note: the above is meant to be funny and not a political nor newsworthy statement.
 

Cosmacelf

Gawd that guy being interviewed is fear mongering to increase his sales.

I mean really. Hacking into a hardware device to grab a WiFi password is a lot of work. And then he says "which could lead to getting your bank account password". No, it wouldn't. That's the entire effing point of browser-based security and computer-based firewalls. Eavesdropping on a WiFi network a) only gives you network traffic from that access point and if your PC is Ethernet-connected, you get nothing and b) bank passwords are encrypted at the PC itself before it leaves the PC via WiFi so all an attacker would see is a highly encrypted byte stream which is useless.

But yes, the other vulnerabilities they showed were indeed alarming. I know for sure my pool controller is wide open to such outside hacking since it has awful security design.

As others have said, this is all applicable to ALL IOT devices.
 

Electrified Outdoors

It's not that much of a story. The charger they are talking about is from 2018. It's 2024, so 6 years ago. Why not test the most popular units like EnelX, ChargePoint Home, Tesla Wall Connector? In order for something to be a threat there have to be enough of them connected to cause a problem. Also, it makes a lot of assumptions. The cars all have to be plugged in, and they all have to be below their charge limit.

This would usually be overnight but the cars would already be charging anyway or if they are not they would already be at their charge limit. Telling people to use dumb chargers is not good advice. Also, what personal data is stored on the charger? The WiFi password and your charging history?

If you're concerned about your devices, put the charger on the guest network where you have AP isolation (it can't talk to other devices on the wifi, only the router and internet). If you're really crazy about security, set up a VLAN for your IOT devices and isolate them from everything else.

It's a lot of alarm about something fairly unlikely IMO.
 

Robin

?
> These types of vulnerabilities are prevalent in anything internet connected. I don't see EVs as more or less vulnerable than anything else.
>
> There's also a difference between what exploits a hacker will practically exploit and what exploits are hypothetically possible.
>
> Do I think there will be some crazy hack of EV chargers to take down the grid? Maybe if war breaks out and we're dealing with nation-state actors. Otherwise it's doubtful.
>
> Do I think a hacker will open a physical L2 charger on the side of my house to replace a chip and steal my passwords? No.
>
> Do I think an EV charger software exploit will be used to bulk-steal passwords and turn them into bitcoin mining rigs? It's probably already happening.
>
> Use a password manager, keep good password hygiene, and don't take the WSJ too seriously when it comes to anything EV related.
???
 

Dark-Fx

> I don't at all see this as fear-mongering or a WSJ hit piece on EVs. This article is really more of a prod at manufacturers to step up their cyber game.
It's fud. You're not going to overheat an EV battery because the car is going to shut the charger off if it's doing something it's not supposed to.
 
electruck

> It's fud. You're not going to overheat an EV battery because the car is going to shut the charger off if it's doing something it's not supposed to.
Agreed, I don't dispute that point. Funny thing though, I don't even recall that being mentioned in the video (probably because it wasn't of concern to me) so now I'll have to rewatch it to see what else I (dis)missed.

I disagree that the entire article is FUD though. Let's put it this way, there is an entire industry of pen testers (security penetration testing) and security researchers out there whose entire mission in life is to identify all potential vulnerabilities. This is how the tens of thousands of CVEs reported annually come to be. The biggest exploits usually take advantage of multiple vulnerabilities, it's not so much that any one vulnerability by itself might be catastrophic (although this happens too, e.g. exposed S3 buckets leaking sensitive info). So, I guess you could consider pen testers to purely be generators of FUD but keep in mind that pen testing is also required for things like PCI DSS certification as anyone handling credit card info should be familiar with. There are more people out there looking to take advantage of weak security than most people realize. I see it daily. And I value the feedback obtained from the pen testers that my company utilizes. I don't consider their work to be FUD.
 

COdogman

It might be a bit of FUD, but I am glad there are people looking at all of this to push all industries to step up their security game. When that doesn't happen it always seems like we regret it later.
 

SANZC02

> Agreed, I don't dispute that point. Funny thing though, I don't even recall that being mentioned in the video (probably because it wasn't of concern to me) so now I'll have to rewatch it to see what else I (dis)missed.
>
> I disagree that the entire article is FUD though. Let's put it this way, there is an entire industry of pen testers (security penetration testing) and security researchers out there whose entire mission in life is to identify all potential vulnerabilities. This is how the tens of thousands of CVEs reported annually come to be. The biggest exploits usually take advantage of multiple vulnerabilities, it's not so much that any one vulnerability by itself might be catastrophic (although this happens too, e.g. exposed S3 buckets leaking sensitive info). So, I guess you could consider pen testers to purely be generators of FUD but keep in mind that pen testing is also required for things like PCI DSS certification as anyone handling credit card info should be familiar with. There are more people out there looking to take advantage of weak security than most people realize. I see it daily. And I value the feedback obtained from the pen testers that my company utilizes. I don't consider their work to be FUD.
I do not disagree with the article but the clickbait title.

EV Hacking: This is how easy it is to sabotage the power grid

The article is not even about an EV, it is pretty much about a 6-year-old charger that has been redesigned and has been patched. The biggest issue was being able to open it up and pulling out a memory card to extract private data where probably 80% of home charger installs are inside of a garage.

People remember titles more than content, down the road when talking about this they will say EVs are not secure and pose a risk to the power grid. It is bad enough that influencers use clickbait titles for their content, I just wish mainstream publishers were more responsible and less misleading.
 
electruck

> I do not disagree with the article but the clickbait title.
>
> EV Hacking: This is how easy it is to sabotage the power grid
>
> The article is not even about an EV, it is pretty much about a 6-year-old charger that has been redesigned and has been patched. The biggest issue was being able to open it up and pulling out a memory card to extract private data where probably 80% of home charger installs are inside of a garage.
>
> People remember titles more than content, down the road when talking about this they will say EVs are not secure and pose a risk to the power grid. It is bad enough that influencers use clickbait titles for their content, I just wish mainstream publishers were more responsible and less misleading.
Completely agree. Unfortunately, the internet is monetized by click counts.
 

DeafPug

Put those IoT devices on your guest network when possible. If they are exploited, your main wi-fi credentials are not compromised.