EVGO Warning - insecure service

c4denc3

Well-Known Member
First Name
Andrew
Joined
Mar 15, 2022
Threads
1
Messages
130
Reaction score
125
Location
California
Vehicles
2023 Rivian R1S
Occupation
DevOps Engineer
Clubs
 
This thread is wild but I’ll post my experience.

I actually enrolled my R1S yesterday with EvGO in San Francisco. I added my R1S VIN to my EVgo account and then I saw an “enroll in Autocharge+” button. I then followed all the instructions in the app and it worked exactly as described. The first charge I had to initiate manually to enroll the R1S and on my second charge, I just plugged in and my R1S started charging. It was pretty awesome actually. I don’t see any weird charges on my card so not sure what happened with OPs but hopefully everything gets squared away. I’ll actually use EvGO more now that Autocharge+ works without any hiccups.

Edit: As others have posted, you can delete your card from the account if you add another card. So might be able to add a visa gift card or something in that fashion and remove your primary card? My credit card allows me to make virtual CCs so that would work for me. Just an option!
 
Last edited:

VSG

Well-Known Member
Joined
Oct 3, 2022
Threads
4
Messages
3,201
Reaction score
5,984
Location
WA
Vehicles
R1T LE/RB/OC/20
You know, if your first response is to attack me rather than address the points I raised, that actually weakens your case. And although I see no need to prove it, I don't and never have worked with or for EVGo, Rivian, or any other company in the auto industry. However, I *have* worked in cybersecurity and e-commerce for a very long time and since you mentioned PCI DSS you should know I was involved in that standards process so I am well aware of the requirements. But I'm not about to get into a dick measuring contest with you.

It's clear that most of your "security" issues have nothing to do with security. Of your seven bullet points, only one (the one about UX) talks about how your card was charged without your authorization.

No one is "blaming" you for having problems. You, on the other hand, are blaming your misunderstandings on EVGo and moreover portraying them as security issues. Your response, which you finally got around to in #18, again displays misunderstandings:
  1. So I was right, you misunderstood, and this isn't an issue if you follow the directions. Maybe ask EVGo to make the directions clearer, or maybe contribute to this community and publish clearer directions to help someone else avoid this problem.
  2. Still wrong. You don't have to use the app to stop the charge. You can stop the charge from the dashboard in your Rivian or simply by pressing the button on the plug handle, which is the same way you would stop the charge at home. Even on a Level 3 charger where you *can* press a button to stop a charge I never do, because it's quicker to just kill the charge from the dashboard then get out and stow the plug while the charger is finalizing the session. By the time I'm finished with that, the charger will be showing confirmation of the session.
  3. You're a cybersecurity professional and have no interest in a reported vulnerability, other than to make sure everyone knows that "someone" reported it? You expressed concern about your account being compromised and I gave you a simple way to lock it down. I'm sorry, but that deserves a thank you, not an lol - anyone who has worked in cybersecurity should know how to throw the kill switch to minimize damage. And as far as getting your money back, that's trivial - just do a chargeback with your credit card company. That puts the burden on EVGo to identify the problem.
  4. We agree on.
  5. No, it's a cop-out. If you're going to raise the alarm and make accusations about the security of EVGo, then be prepared to back up your accusations. If all you're doing is repeating unverified claims that you read from "others", then you're part of the whole "fake news" problem, especially when you have the capability to confirm or deny the problem.
  6. So you agree they're authorizations. Yes, a lot of companies do this, including other charger companies when you pay by credit card because they have no way of knowing whether your credit card is good without authorizing it. They can't charge you before you "fill up", and they don't know you from jack, so it's a reasonable thing to do to make sure you don't charge and dash. EA does it. ChargePoint does it.
  7. Again, as I said, being able to cancel your account is a regulatory requirement, so I'm sure it can be done. Just because the FAQ is out of date doesn't mean there is no way to cancel your account. (And apparently you saw the FAQ only after I linked it?) Did you try the other method in the FAQ? I haven't tried it (which I explicitly told you) because I don't want to cancel my account. But it's hardly surprising if they don't make it a one-click process, is it? Ever try to cancel a credit card before? You have to spend 15 minutes on the phone telling them no, you don't want to upgrade, you don't want free points, and yes, you understand their dire warnings about what will happen to your unused points, etc.
Bottom line, you got charged for someone else's session. It is important for EVGo to figure out that happened to see if it's fraud or an accident caused by a flaw in their system. There are simple steps that you can take to recover your money and to prevent this from happening to you again, including cancelling your account if you want. There is also no indication that this represents an exploitable hole in their system, but yes they absolutely need to look into this.

Frankly, what @hevak is more concerning to me because what happened is explainable and it indicates that EVGo isn't using location data to ensure that someone initiating a charge through the app is actually physically present at the charger. That seems to be a simple condition that could easily be enforced to prevent unusual mistakes like this.
 

prestapost

Well-Known Member
Joined
Mar 28, 2021
Threads
18
Messages
236
Reaction score
433
Location
Pullman, WA
Vehicles
2019 RAM 1500, 2022 Rivian R1T
Maybe it’s just me, but I’ve found several charging companies use a wallet system that charges in smaller increments… and definitely more of them should support MFA.

One thing about the OP, he sure knows how to make a first impression…
 


runwithscissors

Well-Known Member
Joined
Feb 10, 2021
Threads
2
Messages
466
Reaction score
497
Location
NY
Vehicles
XC90, MDX, R1S
I suggest using alias email accounts and companies like https://www.privacy.com/ that give out virtual CC numbers that you control maximum spend and charge limits. Using the same email address and CC number all over the place is silly.
 

srkz

Well-Known Member
Joined
Feb 20, 2021
Threads
2
Messages
167
Reaction score
284
Location
Los Angeles
Vehicles
2023 R1T
The fact that it worked for you one time on another vehicle is neither here nor there.
Dozens of times (every time, in fact) in three different vehicles, to be precise.

You did step one of enrollment successfully, but you made a user error at step two and accidentally started a session at the wrong station, which meant the next person to charge at that station got free charging on your dime and enrolled on your account’s Autocharge+, thus the charges on your account.

Should there be a geofence on step two of Autocharge enrollment? Almost certainly yes. But it’s still a user error, no one hacked you.
 

CharonPDX

Well-Known Member
First Name
Charon
Joined
Jul 12, 2021
Threads
31
Messages
2,497
Reaction score
4,170
Location
Cascadia
Vehicles
'22 R1T LE, '16 Model S, '19 Arcimoto FUV
Occupation
InfoSec Geek
Clubs
 
As a Cybersecurity professional who has actually investigated this - some details:

1. EVgo's "Autocharge+" is *NOT* using the same protocol as CCS "Plug & Charge".

2. CCS Plug & Charge uses the actual CCS protocol to communicate between the vehicle and the charger; and requires the vehicle manufacturer work with the charging network provider to support it. The payment is configured in the vehicle manufacturer's system, the vehicle manufacturer simply sends a "yep, this vehicle is authorized, we'll bill the owner and pay you" token to the charger. No payment information is sent. It is an interactive "handshake" every time you plug in.

3. Autocharge+ has no way to match a vehicle that is plugged in to a specific VIN.

4. Autocharge+ uses the vehicle's MAC (Media Access Control) number as an identifier. Yes, the same technology as in computer networking. CCS communication protocol uses a form of computer networking, and all CCS devices have a MAC address. *THIS* is what Autocharge+ uses. Of course, this isn't tied to your VIN in any way, so adding your VIN to the app isn't important at all.

5. The Autocharge+ enrollment process is simply "I the EVgo user in the app say I am plugging my vehicle in now to this specific charging station", then the EVgo network looks at the MAC address of the vehicle that plugs in to the specified charging station. This means once a MAC address is paired to an account in EVgo's records, that's it. "MAC address xyz just plugged in, I'm going to bill this to account abc."

6. MAC addresses are *NOT* secure. They are easily spoofable in computer networking circles. I'm sure it's also possible to spoof it over CCS.

7. It also means that if you pick the wrong charger during enrollment you could pair someone else's vehicle to your account! Since the VIN isn't in there anywhere, EVgo has no way of knowing you paired the wrong vehicle.

I have enrolled my vehicle in it - but I made sure to enroll it at an EVgo station that had no other vehicles at it, and I triple-checked in the app to make sure I was telling it the correct charging station. I haven't heard of anyone directly spoofing CCS MAC addresses, so I'll trust EVgo's system (with my precautions when enrolling) until either I see a fraud action on my own account, or I see a press release about spoofed CCS MAC being used in the wild. (And I was just at the "Hacker summer camp" DEFCON conference that has a "car hacking village" section. Hrm… Maybe I'll go spoof one of my vehicles on my other vehicle and score a talk at next year's DEFCON.)
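An added example (not EVgo's code or the poster's) that models the enrollment flow in points 5 and 7 above, where the network binds whatever MAC first appears at the declared station, and adds the kind of "impossible charge" plausibility check discussed later in the thread. Account names, station ids, MAC addresses and coordinates are constructed.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

# Constructed model (not EVgo's code) of the enrollment flow described
# above: the app user names a station, and the network binds the first
# vehicle MAC seen at that station to the account. No VIN is involved.
@dataclass
class Network:
    pending: dict = field(default_factory=dict)   # station_id -> account
    bindings: dict = field(default_factory=dict)  # mac -> account

    def enroll(self, account, station_id):
        """Step one: user declares the station they are about to use."""
        self.pending[station_id] = account

    def plug_in(self, mac, station_id):
        """Step two: charger reports a MAC; returns the account billed."""
        if station_id in self.pending:          # pairs whatever arrives first
            self.bindings[mac] = self.pending.pop(station_id)
        return self.bindings.get(mac)

def mispairing_demo():
    """Alice picks the wrong head; Bob's car is bound to Alice's account."""
    net = Network()
    net.enroll("alice", "A-2")                  # she meant A-1 (constructed ids)
    net.plug_in("aa:aa:aa:00:00:01", "A-1")     # Alice's car: no pending match
    billed = net.plug_in("bb:bb:bb:00:00:02", "A-2")  # Bob's car lands on A-2
    return billed                               # -> "alice"

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_charge(prev, new, max_kmh=150.0):
    """Flag a session the same account could not have driven to since its
    previous one. prev/new = (lat, lon, unix_time); the speed cap is assumed."""
    hours = (new[2] - prev[2]) / 3600.0
    if hours <= 0:
        return True
    return km_between(prev[:2], new[:2]) / hours > max_kmh

# Constructed sessions: San Francisco, then Los Angeles one hour later.
SF = (37.7749, -122.4194, 1_700_000_000)
LA = (34.0522, -118.2437, 1_700_000_000 + 3600)
```

Note that the plausibility check would not catch a mis-pairing at the same site, which is the case CharonPDX raises next.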
 

CharonPDX

Well-Known Member
First Name
Charon
Joined
Jul 12, 2021
Threads
31
Messages
2,497
Reaction score
4,170
Location
Cascadia
Vehicles
'22 R1T LE, '16 Model S, '19 Arcimoto FUV
Occupation
InfoSec Geek
Clubs
 
Should there be a geofence on step two of Autocharge enrollment? Almost certainly yes. But it’s still a user error, no one hacked you.
And that wouldn't help if the mistake was a different unit at the same physical location. The newest EVgo closest to my house has 8 stations. Four of them "dual head at the same time", so someone could even pick the right *NAME* station, but the wrong "side".
 

Tarkus

Well-Known Member
First Name
Robert
Joined
Oct 29, 2022
Threads
0
Messages
293
Reaction score
539
Location
Texas
Vehicles
'06 Lincoln Mark LT
Occupation
Outdoor/Indoor E911 Wireless Engineer
My 1st and only EVGo charge at the brand new station at Home Depot in West Allentown, PA went well and was free. Looking forward to using the station in Hagerstown, MD on my trip to Atlanta next weekend.
 


COdogman

Well-Known Member
First Name
Brian
Joined
Jan 21, 2022
Threads
33
Messages
11,641
Reaction score
34,494
Location
CO
Vehicles
2023 R1T
Occupation
Cyber defender
Clubs
 
Hi COdogman,

Can you please stop commenting on this post? I checked your post history and you comment a lot and add very little value to the discussions as you are here. This is an awareness post for Rivian owners not a forum for you to bicker with people.
And you accusing everyone who brings up questions or even slightly disagrees with you of being an EVGo employee adds what to the “discussion”?

Really what you want is for everyone to agree with you 100% and not ask any questions, which isn’t a discussion at all.

I will gladly stop commenting in this thread now - I have to get ready for my job at [whatever organization pisses you off today]:)
 

Stevetom84

Well-Known Member
First Name
Stephen
Joined
Jul 11, 2023
Threads
13
Messages
204
Reaction score
205
Location
Atlanta, GA
Vehicles
Rivian R1T
Occupation
Electrical Engineer
I enrolled my R1T last week and I found the instructions fairly straightforward. After entering your information it clearly states the enrollment is pending, or something like that. It was pretty clear that the enrollment would not be complete until a charge was initiated from the app.

Should they allow you to more easily delete your CC information or account, yes. Am I overly concerned about it, no. If crap happens I’ll report fraudulent charges, replace my card, and move on.

If you don’t feel EVGo is safe, don’t use it, but it seems a bit crazy to call out everyone who simply had a different and more positive experience.
 

Zoidz

Well-Known Member
First Name
Gil
Joined
Feb 28, 2021
Threads
226
Messages
5,185
Reaction score
11,687
Location
PA
Vehicles
23 R1S Adv, Avalanche, BMWs-X3,330cic,K1200RS bike
Occupation
Engineer
6. MAC addresses are *NOT* secure. They are easily spoofable in computer networking circles. I'm sure it's also possible to spoof it over CCS.
I had read about the use of MAC addresses as a EV identifier somewhere else. My first thought was that sooner or later, someone will build a CCS/NACS skimmer/spoofer that slips over the connector - just like a debit card skimmer that attaches to an ATM. Skim the MAC, and then use it for "free" charging.
 

Zoidz

Well-Known Member
First Name
Gil
Joined
Feb 28, 2021
Threads
226
Messages
5,185
Reaction score
11,687
Location
PA
Vehicles
23 R1S Adv, Avalanche, BMWs-X3,330cic,K1200RS bike
Occupation
Engineer
I'll address your points one by one because Dogman asked:
First, I haven't posted a 0-day exploit, only a warning to end users to not share their CC data with EVgo at risk of it being abused.

...

5) " Claiming "others said" is a cop-out." - It's just a warning. I'm not the only one experiencing these issues.
...
Agree. If this was a ZDE then it should not be posted online. But IMO this is different from a ZDE. ZDE is an intentional effort to exploit a system - Zero Day EXPLOIT. This is not that - it's an unintentional "workflow" path that ANY user could unknowingly execute.

This appears to be a poorly architected and tested process/procedure/workflow. It was designed for a specific expected workflow, and they simply did not think through the possible missteps that a user could unintentionally do during the process. For someone to claim "it's your fault because you did this wrong" is bullshit. This scenario should have been prevented by EVGo, no room for ANY excuses.

This is a HUGE violation of PCI and appears that EVGo has potential major legal liability here.
I'm painfully familiar with PCI compliance requirements on point of sale networks due to processing hundreds of credit card transactions a week at one of my businesses. Every year, I have to sign off on an audit document stating that we meet about 200 PCI requirements. EVGo gets a huge FAIL on PCI compliance.

EVGo is the only DCFC I have used so far. I have an account but have not enrolled in the autocharge. I won't, and I'll be keeping an eye on my CC when I do use it, very infrequently.

Edit: Here's the penalty for PCI non-compliance, in a nutshell:
PCI DSS Penalties for Non-Compliance: If your organization is found to be non-PCI compliant, fines will vary from $5,000 to $100,000 per month, depending on the size of the corporation and the seriousness of the non-compliance.
 
Last edited:

Dark-Fx

Well-Known Member
First Name
Brian
Joined
Jul 15, 2020
Threads
147
Messages
13,518
Reaction score
27,286
Location
Michigan
Vehicles
R1T, R1S, Livewire One, Sierra EV, R1S
Occupation
Engineering
Clubs
 
I had read about the use of MAC addresses as a EV identifier somewhere else. My first thought was that sooner or later, someone will build a CCS/NACS skimmer/spoofer that slips over the connector - just like a debit card skimmer that attaches to an ATM. Skim the MAC, and then use it for "free" charging.
EVGo says they have protection against "impossible charges" where if one is initiated somewhere you couldn't possibly drive to in time, then it flags it. Of course I have never heard of this being demonstrated.

Devices like Keysight's SL1556A do exist, and I believe it's possible to use an inductive coupler over the entire cable to sniff the data due to the way PLC works.