#we_inform_the_uninformed .
Two new security weaknesses discovered in several electric vehicle (EV) charging systems could be exploited to remotely shut down charging stations and even expose them to data and energy theft.
The findings, which come from Israel-based SaiFlow, once again demonstrate the potential risks facing the EV charging infrastructure.
The issues have been identified in version 1.6J of the Open Charge Point Protocol (OCPP) standard that uses WebSockets for communication between EV charging stations and the Charging Station Management System (CSMS) providers. The current version of OCPP is 2.0.1.
“The OCPP standard doesn’t define how a CSMS should accept new connections from a charge point when there is already an active connection,” SaiFlow researchers Lionel Richard Saposnik and Doron Porat said.
“The lack of a clear guideline for multiple active connections can be exploited by attackers to disrupt and hijack the connection between the charge point and the CSMS.”
This also means that a cyber attacker could spoof a connection from a valid charger to its CSMS provider when it’s already connected, effectively leading to either of the two scenarios:
A denial-of-service (DoS) condition that arises when the CSMS provider closes the original WebSocket connection when a new connection is established
Information theft that stems from keeping the two connections alive but returning responses to the “new” rogue connection, permitting the adversary to access the driver’s personal data, credit card details, and CSMS credentials.
The forging is made possible owing to the fact that CSMS providers are configured to solely rely on the charging point identity for authentication.
“Combining the mishandling of new connections with the weak OCPP authentication and chargers identities policy could lead to a vast Distributed DoS (DDoS) attack on the [Electric Vehicle Supply Equipment] network,” the researchers said.
EV Charging Station
OCPP 2.0.1 remediates the weak authentication policy by requiring charging point credentials, thereby closing out the loophole. That said, mitigations for when there are more than one connection from a single charging point should necessitate validating the connections by sending a ping or a heartbeat request, SaiFlow noted.
“If one of the connections is not responsive, the CSMS should eliminate it,” the researchers explained. “If both connections are responsive, the operator should be able to eliminate the malicious connection directly or via a CSMS-integrated cybersecurity module.”
Source; THN.
Story by Osuta Yusuf. 19-November-2024. 📸: Eyotre Kennedy handcuffed on bed while receiving medication this morning at Yumbe Regional Referral Hospital in Yumbe District. Eyotre Kennedy originating from Etoko village, Nyoroo Parish, Nyadri Sub-county in Maracha District who has for many years been terrorizing residents in his village, has finally been arrested this Monday morning 19-November-2024 while receiving treatment at Yumbe Regional Referral Hospital in Yumbe District following injuries he sustained from Theft mission on Saturday night 16-November-2024 in Owapi village, Azapi parish in Odupi Sub-county, Terego East Constituency in Terego District. Click here on the link https://informationispowah.blogspot.com/2024/11/fugitive-who-chopped-3-people-killed.html to read the story on his Theft of Goats in Terego. Upon getting cut on the finger and leg by the Mob as he attempted to fight and overpower owner of the goats he attempted to steal on Saturday night ...
Comments
Post a Comment