The race towards electric cars and charging services is proceeding at such a speed that it is attracting hundreds of players, including many startups. The goal appears to be to grab a slice of this cake, destined to grow enormously, at any cost, without worrying about doing things right, and this is one of the reasons behind Carge’s recent hacking.
Startups hit the market with an MVP (Minimum Viable Product) logic: rapid development, launch on the market as soon as possible, test the user response and, if it is good, proceed with development while integrating the other aspects, including security, later. We know it works like this everywhere, but in an increasingly software-based society, security cannot be pushed into the background or developed later.
By now everyone knows that the future will be dominated by software. There are countries and companies (Eastern Europe is fertile ground) where headhunters literally wage war to find experts and developers, but there are still few companies in the charging sector that have understood that IT security is the first pillar on which to build the infrastructure.
One of those that has shown it can do it is Juice Technology AG, a hardware manufacturer that can actually be considered a software house, just like Tesla. The Swiss company even organized a panel not to talk about products but about security, launching an appeal to all the other companies.
Think about it: charging electric cars, both in public and in private, is based on creating access points that “connect” the Internet with the electricity network. The car itself is a first door. The charging column or the wallbox then represents a further potential weak point, exploitable by the bad guys to do damage even in the real world.
The concept may be difficult to grasp: how can a hacker working with “intangible” lines of code cause trouble for something physical? There are many examples.
The physical dangers of an insecure charging infrastructure are of all kinds. It starts with the banal theft of user data and proceeds to the theft of money by entering the top-up payment system, which relies on third-party services. Here it is possible, for example, to manipulate an invoice: it is intercepted, the figures are replaced (making it cheaper or more expensive) and only afterwards is it re-routed along its usual path to the payment processor. Still on the subject of theft, a recent study has shown how easy it can be to steal charging energy through insecure stations.
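The invoice-tampering case above, as an added example that is not part of the original article and not Juice’s or any payment processor’s code: the charging station attaches an HMAC-SHA256 tag to each invoice and the processor recomputes it, so a figure replaced in transit fails verification. The key, station id and invoice fields are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key shared between station and processor; not a real secret.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(invoice: dict) -> bytes:
    """Serialize the invoice deterministically so both ends hash identical bytes."""
    return json.dumps(invoice, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_invoice(invoice: dict, key: bytes) -> str:
    """Station side: compute an HMAC-SHA256 tag over the canonical invoice."""
    return hmac.new(key, canonical_bytes(invoice), hashlib.sha256).hexdigest()


def verify_invoice(invoice: dict, tag: str, key: bytes) -> bool:
    """Processor side: recompute the tag and compare in constant time."""
    expected = sign_invoice(invoice, key)
    return hmac.compare_digest(expected, tag)


def demo():
    """Sign a constructed invoice, then check the original and a tampered copy."""
    invoice = {
        "invoice_id": "INV-0001",          # constructed
        "station": "demo-station-01",      # constructed
        "kwh": 32.5,
        "amount_eur": 14.30,
    }
    tag = sign_invoice(invoice, SECRET_KEY)
    ok_original = verify_invoice(invoice, tag, SECRET_KEY)
    # Interception scenario: the amount is replaced but the tag is left as-is.
    tampered = dict(invoice, amount_eur=1.30)
    ok_tampered = verify_invoice(tampered, tag, SECRET_KEY)
    return ok_original, ok_tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```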
Another example of an attack is the “denial of service”, capable of making the recharge fail. It might seem negligible damage, a nuisance for the user, but it becomes the lever for a ransomware-type operation against charging networks.
Still on the subject of blackmail, very experienced and organized attackers might be able to disable the power grid of a building, a condominium or company, or a neighborhood by exploiting continuous cycles of activation and deactivation of the recharge, carried out in a synchronized manner. Today this is an unrealistic scenario, since there are not many electric cars, but in the future it is not so science fiction, given the need for the charging infrastructure to be connected to the network, both for billing reasons and for managing the load within the power limits of the system when energy must be distributed over several cars charging simultaneously.
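The synchronized on/off cycling described above, seen from the operator’s monitoring side, as an added example not taken from the article: a small detector over constructed charger state-change events that flags bursts of many chargers switching to the same state within a few seconds and alerts when such bursts alternate on/off repeatedly. The thresholds, charger ids and sample events are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamp, charger id, new state); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-05-01T18:00:00", "cp-01", "on"),
    ("2024-05-01T18:00:01", "cp-02", "on"),
    ("2024-05-01T18:00:01", "cp-03", "on"),
    ("2024-05-01T18:00:02", "cp-04", "on"),
    ("2024-05-01T18:00:30", "cp-01", "off"),
    ("2024-05-01T18:00:31", "cp-02", "off"),
    ("2024-05-01T18:00:31", "cp-03", "off"),
    ("2024-05-01T18:00:32", "cp-04", "off"),
    ("2024-05-01T18:01:00", "cp-01", "on"),
    ("2024-05-01T18:01:01", "cp-02", "on"),
    ("2024-05-01T18:01:02", "cp-03", "on"),
    ("2024-05-01T18:01:02", "cp-04", "on"),
    ("2024-05-01T18:45:00", "cp-07", "on"),  # lone session start, benign
]


def synchronized_bursts(events, window_s=5, min_chargers=3):
    """Return (start, state, chargers) for each burst in which at least
    min_chargers distinct chargers switch to the same state within window_s."""
    parsed = sorted((datetime.fromisoformat(t), cp, st) for t, cp, st in events)
    bursts, i = [], 0
    while i < len(parsed):
        t0, _, state = parsed[i]
        chargers, j = set(), i
        while j < len(parsed) and parsed[j][0] - t0 <= timedelta(seconds=window_s):
            if parsed[j][2] == state:
                chargers.add(parsed[j][1])
            j += 1
        if len(chargers) >= min_chargers:
            bursts.append((t0, state, frozenset(chargers)))
            i = j  # consume the whole burst window
        else:
            i += 1
    return bursts


def cycling_alert(events, window_s=5, min_chargers=3, min_flips=2):
    """Alert when consecutive bursts alternate state (on->off->on...) over
    overlapping charger sets at least min_flips times: the cycling pattern."""
    bursts = synchronized_bursts(events, window_s, min_chargers)
    flips = sum(1 for a, b in zip(bursts, bursts[1:]) if a[1] != b[1] and a[2] & b[2])
    return flips >= min_flips


if __name__ == "__main__":
    for start, state, chargers in synchronized_bursts(SAMPLE_EVENTS):
        print(start.isoformat(), state, sorted(chargers))
    print("cycling alert:", cycling_alert(SAMPLE_EVENTS))
```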
So far we have talked about inefficiencies, blackmail or theft. But what if, through a cyber attack, the attacker could damage the car battery itself by changing the charging parameters? The risk is to disable the sophisticated and delicate cell control systems. With an increase in power, an increase in temperature is easily obtained if those control systems are compromised … up to a possible battery fire.
Software First and Security by Design are the keywords known to those involved in programming: simplifying, it means that any connected product to be born in the next few years will have to have a genesis that starts from its software, and security will have to be developed from the earliest stages, running in parallel from birth to its debut on the market.
Juice Technology’s solution represents excellence and has recently achieved ISO/IEC 27001 certification for information security and data protection.
Why is it important? For the data collection of the Tesla Model 3 I use a “homemade” system, with a Raspberry where the information, accessible only on the local network, is recorded (I will talk about it shortly). Just because I don’t trust anyone. I also recently tried j+pilot (Android – iOS), the Juice application, which asks for Tesla account data on first login. I did it only because they are not stored anywhere and a token is generated that guarantees the connection, with the advantage of providing (even if only for the moments necessary to guarantee access) this sensitive information to a company that has made security its focus.
The company’s strategy is to rely on proprietary chipsets developed in-house, cryptography as a standard for every aspect, and a large number of tests, carried out both by the internal team and by independent software engineers, so much so that there is a “bug bounty program” which allows anyone to obtain a cash reward for reporting vulnerabilities and security risks. In addition, the business partners to collaborate with are also chosen based on their approach to security, discarding those who do not have one. Furthermore, security does not come at the expense of ease of use, which is why Juice was among the first to allow you to activate recharging with your credit card, without apps or devices to carry around.
The fundamental problem, and this is the appeal launched by the company, is that all the actors involved must be made aware of the issue. Security must also be the primary aspect for the owners of buildings where charging points are installed and for the companies that manage the infrastructure, because otherwise there would be weak points, doors of entry for criminals, that only a holistic approach can eliminate.