
EVGO Warning - insecure service

shandel

Well-Known Member
Joined
Jul 20, 2022
Threads
6
Messages
252
Reaction score
201
Location
Half Moon Bay, CA
Vehicles
R1S FG/FE Adventure 20, Audi e-tron, Jeep Wrangler
Clubs
 
I charged at that site several times last week, including Saturday, with no issues. Are you 100% sure you did not select the wrong charger number in the app? I always swipe the app first, then wait for the charger screen to tell me to plug in. EA told me a long time ago to do it that way, even though the stupid screen states "plug in first".
That's a great question. I'm almost 100% sure that I didn't actually select the charger in the app. I plugged it into the Rivian and then used the pass via the wallet to verify my account. I don't recall actually selecting the charger # in the app itself. There is some possibility of user error here, but I don't think so.

 

azbill

Well-Known Member
First Name
Bill
Joined
Jun 8, 2020
Threads
17
Messages
1,695
Reaction score
1,976
Location
Arizona
Vehicles
Escalade IQ, Mach E, Hummer EV SUT
Occupation
Retired
That's a great question. I'm almost 100% sure that I didn't actually select the charger in the app. I plugged it into the Rivian and then used the pass via the wallet to verify my account. I don't recall actually selecting the charger # in the app itself. There is some possibility of user error here, but I don't think so.
I almost never use the wallet to charge, except with ChargePoint. That issue seems like it is on the EA side then, if it linked the reader to the wrong charger. Those CC/NFC readers never seem reliable to me, I saw one at an EA station in Indio, on the way to Tahoe, that looked like someone took a hammer to it. Probably frustrated with their charging experience. Vandalism is becoming a big issue at chargers, people are cutting the cable off to harvest the copper.
 

WSea

Well-Known Member
First Name
Patrick
Joined
Mar 6, 2022
Threads
39
Messages
1,678
Reaction score
2,044
Location
West seattle
Vehicles
R1T, Outback
Occupation
Architect
I had a similarly strange experience with an EA charger in South Lake Tahoe this weekend. I pulled up to the 350kwh charger and tried to get set up for charging. The charger said initiating charge but never started. Another Rivian pulled into the other 350kwh charger and got plugged in. I tried unplugging and plugging in and initiating the charge again. It didn't work. In the meantime, his did start charging. I moved my Rivian over to the 150kwh charger next to his and tried to get set up there. I then noticed the screen where he was charging said "Hi, [my name]". I looked in my app and it said I was charging. I stopped the charge from my app and his Rivian stopped charging.

So, there is either something very screwed up at that local EA charger where the terminals are somehow miswired or they have some other bigger issue. Either way, there is a similar problem to what is described here with evGo.
Did you initiate charge with the app? I'm no expert on the protocols but the only way I imagine this happening is if you accidentally selected the wrong charger number.
 

pc500

Well-Known Member
Joined
Jun 22, 2021
Threads
20
Messages
1,045
Reaction score
562
Location
US
Vehicles
dodge ram
So what's the issue? Sounds like a bug where someone else's car got registered in your account. Certainly not a major security issue, at least not as bad as it's made to sound here.

As a cybersecurity professional, I want to alert the community that EVGO, its app and chargers have some major security flaws and I would recommend not using them until these issues are addressed.

I was excited by the EVGO integration in the last update and signed up for an account. I registered my R1S's VIN on the account and entered my credit card details.
When I arrived at the charger, I plugged in but the autocharge+ feature didn't work. I tried several times and located the charger in the app and tried to start it from there. After several attempts as well as trying to use a credit card, it eventually started. I went for lunch. When I returned an hour later I checked my CC account and there were several charges and 2 separate charging charges - 1 for 10.70 and 1 for 44.22. Both were from the exact same time period (overlapping). Today, back at home, with the car in my garage, I got a charge on the CC that I was charging again (150 miles away). I opened the app to see the charge ongoing.

When I called EVGO they were very apologetic but the rep could not really do anything but stop the existing session and open a ticket with their 'backoffice'.

Some things that concern me coming from a cybersecurity perspective:

1) The chargers did not recognize my car even though it was registered as they claim it should have.
2) There is a non-interactive UI at the chargers so you don't know what is happening and can only control it from the app which is largely unresponsive.
3) The app has extremely poor UX and apparently can get mis-synced with or hijacked by another vehicle without warning or notice. I still cannot see what car is using my account. The claimed 'VIN recognition' is clearly not real.
4) The app does not have strong authentication and no option for MFA.
5) Others have claimed on the web that accounts are easily hijacked with just username and email. I haven't tested this as it would be a crime but beware.
6) Multiple CC charges are made frequently instead of just for the usage (see attached). This is confusing for users and you can miss an overcharge.
7) You cannot leave the service, remove your Credit Card, or close your account even if you call them. Apparently 'only the backoffice' can do any of these.

For now, until they get these issues resolved, I would avoid this app and service. I will give them a week to resolve the charges and then contact my credit card company.

evgo cap.JPG
 
OP

Mondo

Member
First Name
Robert
Joined
Jul 26, 2023
Threads
1
Messages
15
Reaction score
43
Location
Vancouver
Vehicles
R1S
Occupation
Tech sales
So what's the issue?
Sorry for the late update. I don't use these forums much as I don't have the same insecure need as many to push my opinions on the community. I just wanted to warn people and have done so.

Here is the update:
EVGO refunded me quickly but failed to remove my CC data from their system. Their solution was to remove my vehicle from the app and 'try again'. I have since cancelled that credit card and deleted the app. I use unique identifiers to flag my PII so will look out for that in the future.

No one has disclosed the mechanism by which the invalid charges were made but my estimation is this:
- When you sign up for the app you are creating an account with your billing and account details. The VIN has little bearing aside from being an additional key. There is no link to your VIN and the charging apparatus. It probably is not needed at all.
- When you arrive at the charger you activate the charger with the app and then plug in your vehicle to the charger when instructed. At this point the charger and the vehicle exchange 'credentials' and create a certificate which links your vehicle and your account.
- While this process is happening or during the delay in communications, if another vehicle is plugged in and negotiates with the servers it can be mistakenly associated with your account - even if it already has a connection to another account.

Sounds like a bug where someone else's car got registered in your account. Certainly not a major security issue, at least not as bad as it's made to sound here.
I don't know how much you know about payment card information and security or hacking but it's very bad. I don't think it would take long for someone to breach this flaw and get every customer's CC data. I will not use this service again. That's all I will say about that.

All the best!
 


COdogman

Well-Known Member
First Name
Brian
Joined
Jan 21, 2022
Threads
33
Messages
11,641
Reaction score
34,494
Location
CO
Vehicles
2023 R1T
Occupation
Cyber defender
Clubs
 
Sorry for the late update. I don't use these forums much as I don't have the same insecure need as many to push my opinions on the community. I just wanted to warn people and have done so.

All the best!
But you have an insecure need to come here to say that? :giggle:
 

DevSecOps

Well-Known Member
First Name
Todd
Joined
Apr 16, 2023
Threads
2
Messages
169
Reaction score
409
Location
Sacramento, CA
Vehicles
2023 R1T, 2023 M3P, 2021 Audi SQ5
Occupation
CISO
Clubs
 
I oversee and manage cyber, infrastructure and technology security teams. We specialize in financial institutions and investment firms. I won't get into the alleged compliance violations as they are likely inaccurate and I do agree (heavily) with ethical disclosure instead of putting things on blast publicly.

I'm just here to drop some news that I was told. I went to use autocharge+ the other day and it didn't work, furthermore it was removed from my account. I reached out to EVgo and was told the following. Take it as you wish.

[Image: 1695506256762]


Edit for a bit more context: When Autocharge+ didn't work I called them and they asked me to remove and re-add the vehicle. Once I did this it never gave me the option to set up autocharge again. That's when she filed a support ticket and I received the above response.

I forwarded the email chain to my guide in hopes (but don't hold high hopes) of a confirmation from Rivian. I'll respond when I hear from them.
 

vandy1981

Well-Known Member
Joined
Jul 25, 2023
Threads
22
Messages
756
Reaction score
1,526
Location
USA
Vehicles
2023 R1S PDM MP, 2019 Jaguar I-Pace HSE
Is it possible that Rivian inadvertently assigns the same MAC address to multiple vehicles?
 

SANZC02

Well-Known Member
First Name
Bob
Joined
Feb 11, 2021
Threads
50
Messages
7,406
Reaction score
12,697
Location
California
Vehicles
Tesla Model S, LE - R1S
Occupation
Retired
I oversee and manage cyber, infrastructure and technology security teams. We specialize in financial institutions and investment firms. I won't get into the alleged compliance violations as they are likely inaccurate and I do agree (heavily) with ethical disclosure instead of putting things on blast publicly.

I'm just here to drop some news that I was told. I went to use autocharge+ the other day and it didn't work, furthermore it was removed from my account. I reached out to EVGo and was told the following. Take it as you wish.

1695506256762.png
Just curious when you tried to use it. Mine still shows on my account, it was last used on 9/13 with no issues.
 

DevSecOps

Well-Known Member
First Name
Todd
Joined
Apr 16, 2023
Threads
2
Messages
169
Reaction score
409
Location
Sacramento, CA
Vehicles
2023 R1T, 2023 M3P, 2021 Audi SQ5
Occupation
CISO
Clubs
 
Just curious when you tried to use it. Mine still shows on my account, it was last used on 9/13 with no issues.
Last Thursday - 09/21

Here you can clearly see it's not an option either:

[Image: Screenshot_20230923-163656]

[Image: Screenshot_20230923-163827]
 


VSG

Well-Known Member
Joined
Oct 3, 2022
Threads
4
Messages
3,209
Reaction score
6,006
Location
WA
Vehicles
R1T LE/RB/OC/20
My vehicle still shows up as enrolled.
[Image: Screenshot_20230923-193728]
 

AllInev

Well-Known Member
Joined
Nov 22, 2021
Threads
37
Messages
1,265
Reaction score
2,111
Location
Oakland, CA
Vehicles
Prius V, 2022 R1T
Clubs
 
My R1T has been in "pending" mode for Autocharge+ for weeks now. I went to an EVGo station again today to try to finish enrollment, but was getting error codes and messages from the EVGo app. I called EVGo and they had me connect the truck to a charger and start charging. After a short charge, the service rep claimed my R1T was now enrolled in Autocharge+. However, hours later, the EVGo app still shows the R1T as "pending" for Autocharge+. If Rivians are really not supported for Autocharge+, it sure would be nice to let their help/service support folks (and customers) know.
 

AllInev

Well-Known Member
Joined
Nov 22, 2021
Threads
37
Messages
1,265
Reaction score
2,111
Location
Oakland, CA
Vehicles
Prius V, 2022 R1T
Clubs
 
My R1T has been in "pending" mode for Autocharge+ for weeks now. I went to an EVGo station again today to try to finish enrollment, but was getting error codes and messages from the EVGo app. I called EVGo and they had me connect the truck to a charger and start charging. After a short charge, the service rep claimed my R1T was now enrolled in Autocharge+. However, hours later, the EVGo app still shows the R1T as "pending" for Autocharge+. If Rivians are really not supported for Autocharge+, it sure would be nice to let their help/service support folks (and customers) know.
Just got this message from EVGo, so it seems they've suspended enrollments in Autocharge+ until further notice.

[Image: RivianAutocharg]
 

Liverit85

Banned
Member
First Name
Winkel
Joined
Jul 22, 2024
Threads
0
Messages
14
Reaction score
6
Location
United States
Vehicles
Toyota
Occupation
medicine
As a Cybersecurity professional who has actually investigated this - some details:

1. EVgo's "Autocharge+" is *NOT* using the same protocol as CCS "Plug & Charge".

2. CCS Plug & Charge uses the actual CCS protocol to communicate between the vehicle and the charger; and requires the vehicle manufacturer work with the charging network provider to support it. The payment is configured in the vehicle manufacturer's system, the vehicle manufacturer simply sends a "yep, this vehicle is authorized, we'll bill the owner and pay you" token to the charger. No payment information is sent. It is an interactive "handshake" every time you plug in.

3. Autocharge+ has no way to match a vehicle that is plugged in to a specific VIN.

4. Autocharge+ uses the vehicle's MAC (Media Access Control) number as an identifier. Yes, the same technology as in computer networking. CCS communication protocol uses a form of computer networking, and all CCS devices have a MAC address. *THIS* is what Autocharge+ uses. Of course, this isn't tied to your VIN in any way, so adding your VIN to the app isn't important at all.

5. The Autocharge+ enrollment process is simply "I the EVgo user in the app say I am plugging my vehicle in now to this specific charging station", then the EVgo network looks at the MAC address of the vehicle that plugs in to the specified charging station. This means once a MAC address is paired to an account in EVgo's records, that's it. "MAC address xyz just plugged in, I'm going to bill this to account abc."

6. MAC addresses are *NOT* secure. They are easily spoofable in computer networking circles. I'm sure it's also possible to spoof it over CCS.

7. It also means that if you pick the wrong charger during enrollment you could pair someone else's vehicle to your account! Since the VIN isn't in there anywhere, EVgo has no way of knowing you paired the wrong vehicle.

I have enrolled my vehicle in it - but I made sure to enroll it at an EVgo station that had no other vehicles at it, and I triple-checked in the app to make sure I was telling it the correct charging station. I haven't heard of anyone directly spoofing CCS MAC addresses, so I'll trust EVgo's system (with my precautions when enrolling) until either I see a fraud action on my own account, or I see a press release about spoofed CCS MAC being used in the wild. (And I was just at the "Hacker summer camp" DEFCON conference that has a "car hacking village" section. Hrm… Maybe I'll go spoof one of my vehicles on my other vehicle and score a talk at next year's DEFCON.)
Thanks for sharing these detailed observations! It’s crucial to understand the differences between various EV charging protocols and how they impact security and functionality.

  1. EVgo's Autocharge+ vs. CCS Plug & Charge: You’re absolutely right. EVgo’s Autocharge+ and CCS Plug & Charge use different protocols. CCS Plug & Charge integrates with the CCS protocol, requiring vehicle manufacturers and charging network providers to work together. It uses a secure "handshake" method to authorize payments without transmitting payment details directly.
  2. Autocharge+ Mechanism: As you pointed out, Autocharge+ relies on the vehicle’s MAC address for identification, rather than the VIN. This approach is less secure compared to the CCS protocol’s authentication method, which is tied to the vehicle manufacturer’s system.
  3. Enrollment and Security: The use of MAC addresses in Autocharge+ does raise concerns, particularly around spoofing. Since MAC addresses can be easily spoofed, there is a risk of incorrect vehicle pairing if the wrong charging station is selected during enrollment.
  4. Precautions and Trust: Your approach of enrolling at a station with no other vehicles and carefully verifying the station in the app is wise. Given the current security landscape, it's good to stay vigilant and aware of potential vulnerabilities.
Your experience at DEFCON and your plan to explore spoofing in a controlled environment sounds fascinating. It’s always valuable to test and understand these systems in-depth, and sharing findings can help improve security practices.

Thanks again for the detailed breakdown!
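
An audit that an operator or account holder could run over charging session records to catch the two symptoms described in this thread: overlapping sessions billed to one account, and one vehicle MAC address tied to more than one account. This is an added example, not part of any post above and not EVgo's code; the record layout, account names, station names, dates and MAC addresses are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed session records (not real data):
# (account, station, vehicle MAC seen by the charger, start, end)
SESSIONS = [
    ("acct-A", "stn-1", "02:00:00:AA:AA:01", "2023-08-05T12:00", "2023-08-05T12:20"),
    ("acct-A", "stn-2", "02:00:00:bb:bb:02", "2023-08-05T12:05", "2023-08-05T13:00"),
    ("acct-B", "stn-2", "02:00:00:bb:bb:02", "2023-08-01T09:00", "2023-08-01T09:40"),
    ("acct-C", "stn-3", "02:00:00:cc:cc:03", "2023-08-05T12:00", "2023-08-05T12:30"),
    ("acct-C", "stn-3", "02:00:00:cc:cc:03", "2023-08-06T08:00", "2023-08-06T08:30"),
]


def parse(rows):
    """Normalise raw rows: lower-case the MAC, parse the timestamps."""
    return [
        {"account": a, "station": s, "mac": m.lower(),
         "start": datetime.fromisoformat(t0), "end": datetime.fromisoformat(t1)}
        for a, s, m, t0, t1 in rows
    ]


def overlapping_sessions(sessions):
    """Pairs of sessions billed to the same account whose time ranges overlap.

    Assumption: an account with one enrolled vehicle should never have two
    sessions running at once, so any overlap deserves a look.
    """
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s["account"]].append(s)
    hits = []
    for account, items in by_account.items():
        items.sort(key=lambda s: s["start"])
        for i, first in enumerate(items):
            for later in items[i + 1:]:
                if later["start"] >= first["end"]:
                    break  # sorted by start time: nothing further can overlap
                hits.append((account, first["station"], later["station"]))
    return hits


def macs_on_multiple_accounts(sessions):
    """MAC addresses that have been billed to more than one account."""
    owners = defaultdict(set)
    for s in sessions:
        owners[s["mac"]].add(s["account"])
    return {mac: sorted(accts) for mac, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    records = parse(SESSIONS)
    print("overlaps:", overlapping_sessions(records))
    print("shared MACs:", macs_on_multiple_accounts(records))
```

Neither check proves fraud on its own; both only surface records where the MAC-to-account binding deserves manual review.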
 

godfodder0901

Well-Known Member
First Name
Jared
Joined
Mar 12, 2019
Threads
27
Messages
5,749
Reaction score
10,139
Location
Washington
Vehicles
2022 Rivian R1T LE
Thanks for sharing these detailed observations! It’s crucial to understand the differences between various EV charging protocols and how they impact security and functionality.

  1. EVgo's Autocharge+ vs. CCS Plug & Charge: You’re absolutely right. EVgo’s Autocharge+ and CCS Plug & Charge use different protocols. CCS Plug & Charge integrates with the CCS protocol, requiring vehicle manufacturers and charging network providers to work together. It uses a secure "handshake" method to authorize payments without transmitting payment details directly.
  2. Autocharge+ Mechanism: As you pointed out, Autocharge+ relies on the vehicle’s MAC address for identification, rather than the VIN. This approach is less secure compared to the CCS protocol’s authentication method, which is tied to the vehicle manufacturer’s system.
  3. Enrollment and Security: The use of MAC addresses in Autocharge+ does raise concerns, particularly around spoofing. Since MAC addresses can be easily spoofed, there is a risk of incorrect vehicle pairing if the wrong charging station is selected during enrollment.
  4. Precautions and Trust: Your approach of enrolling at a station with no other vehicles and carefully verifying the station in the app is wise. Given the current security landscape, it's good to stay vigilant and aware of potential vulnerabilities.
Your experience at DEFCON and your plan to explore spoofing in a controlled environment sounds fascinating. It’s always valuable to test and understand these systems in-depth, and sharing findings can help improve security practices.

Thanks again for the detailed breakdown!
OK bot...