EVGO Warning - insecure service

Mondo

Member
First Name
Robert
Joined
Jul 26, 2023
Threads
1
Messages
15
Reaction score
43
Location
Vancouver
Vehicles
R1S
Occupation
Tech sales
@VSG brought up valid points. Accusing them of being an “EVGo employee” instead of responding directly to those comments doesn’t exactly support your case.
Sorry. They aren't actually valid and they are coming from a stance of an insider. Whether that's an EVgo employee or a Rivian employee. I can address each one but it basically amounts to user blaming. The fact is, MY CARD IS BEING CHARGED BY EVGO WHEN I AM NOT USING IT WITHOUT MY CONSENT. This is a massive security flaw and the community should be aware. What's your affiliation?
txtravwill

I've also had issues with the app and site. I had added my Hummer and it was auto-start enabled... but then I couldn't unenroll it or even delete the vehicle. I also had to open a "back office" ticket and communicate via email over a few days. They still can't resolve it and remove it. So I hope new owners don't use it. I also hate that once you enter a payment card, you can't delete it. You also can't delete your account.

Don't really trust the app. Since I don't encounter these much, I'm just going to use a card onsite if I ever truly have to, or avoid EVGO.
Mondo

Member
First Name
Robert
Joined
Jul 26, 2023
Threads
1
Messages
15
Reaction score
43
Location
Vancouver
Vehicles
R1S
Occupation
Tech sales
As a cybersecurity professional, posting a suspected vulnerability on a public forum like this without first contacting the company in private and giving them an opportunity to fix it first is highly irresponsible, IMO. Basically, IF this is a real issue, you've just endangered every EV owner who uses EVGo. And this is your first post here?

But I think much of your report is due to your misunderstanding. Let me address the individual points.

From your description, you entered your VIN in the app then expected autocharge+ to work next time you plugged in. ("I registered my R1S's VIN on the account and entered my credit card details. When I arrived at the charger, I plugged in but the autocharge+ feature didn't work")

That is not a correct expectation - enrolling in autocharge+ is a two step process. You need to enter your VIN first (if accepted, your app will say Pending autocharge+), then you need to initiate a charging session from the app (before you plug in) - this session is used to read your vehicle ID and associate it with the VIN you entered in the app. Only after this session will the app show "Enrolled", and for your NEXT session you can just plug in and the charging will start automatically now that you're fully enrolled. The instructions for how to sign up for autocharge+ are pretty clear about this. I followed the instructions last week and they worked for me.


It's not clear to me what interaction you expect to do here - the screen on the charger gives you instructions, and if you follow the instructions it moves to the next step. Once you get autocharge+ set up, the screen is purely for information display.


"Poor UX" is subjective, and you don't mention what you think is poor.

Hijacking a session is concerning, IF it is reproducible. I also don't understand what you think happened here. It is the app user that gets charged, and the only way for your vehicle to be associated with the VIN in your app is for you to swipe to initiate a charge first, then plug it and have the charger read your vehicle ID from the same plug you swiped on. I don't see how that session could be hijacked remotely unless someone else swiped to initiate the charge just before you plugged in to authenticate. Highly unlikely, and THEY would be the ones to get charged, not you.

I suspect either you or the other person entered their VIN incorrectly, and in the time between the "Pending" state and confirming your vehicle to reach "Enrolled" the other person entered a duplicate VIN. While this would be a problem, it's also of very limited scope because of the limited window of time between these two steps and you would have to enter a VIN of a vehicle that was in that specific intermediate stage of signing up. Duplicate VINs should not be allowed at any stage of the process, and this is certainly something that should be addressed if that is what is happening. It's also something you should report to the company first.

A simple fix, if you think your account was hijacked, is to delete your vehicle from the app, delete your old credit card from the app (you will have to add a new one), then go through the autocharge+ enrollment a second time. This time do it while standing at the charger.


Reasonable. MFA could reduce problems caused by compromise of account name/password.


Claiming "others said" is a cop-out. Either this can happen or it can't. You're the professional, so regardless of who said it YOU are repeating it and that means you are endorsing this even though you haven't bothered to confirm this on your own. You don't have to do anything illegal, as you should be aware - either try to break into your own account using this method or get explicit written permission from a friend, relative, or spouse to break into theirs. You can even create a second account for yourself for testing. Regardless, if you DO find a way to break in, contact the company first and give them a chance to fix it, don't just make this claim on an open forum.


It's not clear to me where that image comes from - that's not from the EVGo app. But I see that most of those debits have corresponding credits - paired with for example. Those could very well be authorizations, not charges, and this could simply be EVGo authorizing your card when you plug in, then cancelling the authorization and making a real charge when you terminate the session.

My EVGo app only shows the actual charges, and I can drill down into the charge to see the details (time, energy delivered, transaction fee, energy fee, last 4 of credit card, etc.) Also, my credit card account does not show any authorizations for the last time I used EVGo. Perhaps because you used a physical credit card it needed to authorize it first, and perhaps because (as you said) you tried to initiate a session multiple times the authorizations went through then were cancelled when the session failed.


I'm pretty sure you can, but I haven't tried. This is a regulatory requirement. See https://helpcenter.evgo.com/hc/en-us/articles/10061341391383-EVgo-Account-FAQs for instructions how to do this.
I'll address your points one by one because Dogman asked:
First, I haven't posted a 0-day exploit, only a warning to end users to not share their CC data with EVgo at risk of it being abused.
To your points:

1) "enrolling in autocharge+ is a two step process". - This may be the case but how that happens is not clear from the app or from Rivian's 'integration'.
2) "It's not clear to me what interaction you expect to do here" - The chargers I've used before have a UI that lets you control the charge (start/stop) from the charging station and it's clear what is happening. The EVgo chargers only show when the charge has started and the speed IIRC. You cannot stop the charge from the charger. You have to rely on the app. If you have a phone or data problem you are in the dark. I suppose you could get in the vehicle but that's kinda bad.
3) "Hijacking a session is concerning, IF it is reproducible." - I am not about to try to reproduce it but shoot me your account email and consent and I'll give it a try.
"I don't see how that session could be hijacked remotely unless someone else swiped to initiate the charge just before you plugged in to authenticate." - lol. Famous last words.
"I suspect either you or the other person entered their VIN incorrectly" - I suspect the VIN has no bearing on anything. Isn't that what you mentioned before? My VIN was correct.
"simple fix, if you think your account was hijacked, is to delete your vehicle from the app, delete your old credit card from the app (you will have to add a new one)" - This is ridiculous.
4) "MFA could reduce problems caused by compromise of account name/password." - This is a security concern but I doubt the cause of this problem or a solution. But definitely something that is needed before I trust this service.
5) "Claiming "others said" is a cop-out." - It's just a warning. I'm not the only one experiencing these issues.
6) "Those could very well be authorizations" - They mostly are. There is no good reason for this. What an accounting nightmare that fills my CC with fake charges. This is bad practice and shouldn't be done. There's no excuse for that. No one else does it.
7) "I'm pretty sure you can, but I haven't tried" - You cannot.
Dark-Fx

Ah. The EVgo employee has arrived. My post is only to warn users of the risks. Blaming the users for your insecure service is a bad look.
As an EVGo employee, I am on @VSG's side that it sounds like you probably activated autocharge+ against someone else's vehicle by choosing the wrong station somehow.

I don't believe there is ever a verification against the VIN. I think it's only required for entry to determine if your vehicle will be capable of autocharge+.
 

COdogman

Sorry. They aren't actually valid and they are coming from a stance of an insider. Whether that's an EVgo employee or a Rivian employee. I can address each one but it basically amounts to user blaming. The fact is, MY CARD IS BEING CHARGED BY EVGO WHEN I AM NOT USING IT WITHOUT MY CONSENT. This is a massive security flaw and the community should be aware. What's your affiliation?
It says more about you that everyone who poses a question to you has some “affiliation” to those who you perceive as your enemies. There are obviously multiple reasons a charge or hold could be placed on a card. Many people get confused the first time they use EA chargers because they see hold amounts other than what they saw at the charger placed on their card. It almost always is a misunderstanding, not malfeasance.
 

srkz

This may be the case but how that happens is not clear from the app or from Rivian's 'integration'.
I’m no cybersecurity professional but the process is painfully clear and spelled out in detail if you just read the words on the screen instead of blindly clicking ‘next’ when you enroll.

They mostly are. There is no good reason for this. What an accounting nightmare that fills my CC with fake charges. This is bad practice and shouldn't be done. There's no excuse for that. No one else does it.
Auths disappear from your CC statement in a few days, but auths also don’t generate refunds like you’re seeing. I don’t have any reasonable explanation for the charges and refunds on your statement, something’s definitely weird there.

I’ve personally had no issues with EVgo over many years with them and several years with Autocharge+ in other vehicles though.
 
Mondo

I’m no cybersecurity professional but the process is painfully clear and spelled out in detail if you just read the words on the screen instead of blindly clicking ‘next’ when you enroll.
This is really a red-herring. It's not clear at all and doesn't explain the unauthorized charges. The fact that it worked for you one time on another vehicle is neither here nor there.
 
Mondo

It says more about you that everyone who poses a question to you has some “affiliation” to those who you perceive as your enemies. There are obviously multiple reasons a charge or hold could be placed on a card. Many people get confused the first time they use EA chargers because they see hold amounts other than what they saw at the charger placed on their card. It almost always is a misunderstanding, not malfeasance.
I assume an affiliation because you are strangely defending EVgo without even bothering to understand the issue.
Read the post again. I'm not complaining (primarily) about the annoying pre-authorizations. Someone is using my account to charge on the EVGO network when I am not there. EVgo is charging me for this. This is a security flaw. How can I make this more clear? The other forum members understood.
 

WSea

It says more about you that everyone who poses a question to you has some “affiliation” to those who you perceive as your enemies. There are obviously multiple reasons a charge or hold could be placed on a card. Many people get confused the first time they use EA chargers because they see hold amounts other than what they saw at the charger placed on their card. It almost always is a misunderstanding, not malfeasance.
My dog is an EVgo employee and he’s not talking
 

hevak

As an EVGo employee, I am on @VSG's side that it sounds like you probably activated autocharge+ against someone else's vehicle by choosing the wrong station somehow.

I don't believe there is ever a verification against the VIN. I think it's only required for entry to determine if your vehicle will be capable of autocharge+.
If that’s true, and without getting in the middle of this spat with the OP, I’d love to get your two cents on my experience I outlined earlier in this thread with EVGo. Why would anyone be able to initiate autocharge+ pairing with a charging station 100s of miles away, through the website, after clicking “learn more” about Autocharge+ on a charger on the map? Why doesn’t my vehicle list on my app match the website? Why can’t I delete this phantom autocharge+ enabled vehicle in my app?
 

COdogman

I assume an affiliation because you are strangely defending EVgo without even bothering to understand the issue.
Read the post again. I'm not complaining (primarily) about the annoying pre-authorizations. Someone is using my account to charge on the EVGO network when I am not there. EVgo is charging me for this. This is a security flaw. How can I make this more clear? The other forum members understood.
Actually at no point did I defend EVgo. I had no trouble understanding your post, but good job doubling down on the condescension.

You seem to be under the impression that it’s simply impossible that you may have made a mistake or not understood how the app works and that every human on the planet must be an EVgo employee if they have questions about your situation and what you are describing.
:CWL:
 
Mondo

Actually at no point did I defend EVgo. I had no trouble understanding your post, but good job doubling down on the condescension.

You seem to be under the impression that it’s simply impossible that you may have made a mistake or not understood how the app works and that every human on the planet must be an EVgo employee if they have questions about your situation and what you are describing.
:CWL:
Hi COdogman,

Can you please stop commenting on this post? I checked your post history and you comment a lot and add very little value to the discussions as you are here. This is an awareness post for Rivian owners not a forum for you to bicker with people.
 
Mondo

As an EVGo employee, I am on @VSG's side that it sounds like you probably activated autocharge+ against someone else's vehicle by choosing the wrong station somehow.

I don't believe there is ever a verification against the VIN. I think it's only required for entry to determine if your vehicle will be capable of autocharge+.
That seems pretty unlikely. Can you explain that behavior? If you select any location in the app and someone is plugging in at that time you can be charged?

I did read an FAQ on the EVgo site just now saying there are checks to combat that which also seems weird you would have to have that. Known bug?
 
Mondo

As an EVGo employee, I am on @VSG's side that it sounds like you probably activated autocharge+ against someone else's vehicle by choosing the wrong station somehow.

I don't believe there is ever a verification against the VIN. I think it's only required for entry to determine if your vehicle will be capable of autocharge+.
This is interesting as well as the Rivian Update release notes say "verify your vehicles VIN and complete enrolment" which would seem the VIN is somehow required. It also says "Once enrolled, you can plug in your vehicle to start a charging session". But apparently you cannot. You need to go to the charger and start it with the app, then plug in. I am guessing if you start the charge with the app and someone else plugs in somewhere else at the same time, it will sync with your account. Again, looking to be a security flaw.
 

emoore

Hi COdogman,

Can you please stop commenting on this post? I checked your post history and you comment a lot and add very little value to the discussions as you are here. This is an awareness post for Rivian owners not a forum for you to bicker with people.
Wow. You come in here and start shit with a long-time and respected forum member? And then you expect people to take you seriously? Just don't use EVGo and stop insulting people that question you.