Hey, everyone! I've been delving into TH-cam, focusing on storytelling and creative video-making. Recently stumbled upon VideoGPT, and it's been a total game-changer. My videos now have this professional quality that has really boosted my confidence.
In the USA, 99% of these chargers are in peoples garages locked away. The big security risk for most people is in their filing cabinet. Where is the median doing a piece on the filing cabinets?
If you steal a WiFi password you can emulate the WiFi network and implement a man in the middle attack. Are you a security consultant or penetration tester?
This is a general concern for IOT devices but this pen test company is dramatizing and creating unnecessary FUD. One can't connect to any EV charger (EVSE or DCFC) because one charger is compromised, unless the providers overall ecosystem itself is vulnerable.
The problem with that statement is the assumption the network is not vulnerable. Often we rely on the overall networks security to protect against low level fruit like this, but in truth and as seen in recent cyber attacks, many industries previously thought impenetrable have been hacked. In addition, highly targeted attacks against individuals do take place globally, any vulnerability, even one which affects a single individual, is a danger to all.
Well, if the manufacturer of the charger failed to add proper authentication to their APIs and the devices can be addressed through their sequential serial number, then any one can register an account and use those credentials to control all the chargers whose serial number they can guess. Of course the API should check that the charger the user tries to control belongs to the user but apparently that used not to be the case. Instead, they relied on the UI which only shows the user their own chargers but thats fairly trivial to bypass by using the same APIs the app uses.
Wht they're calling 'chargers' is a misnomer. The charger is built into the car. The box on the side of your house is a power outlet. It makes power available to the on-board charger but the current drawn is determined by the on-board charger.
Raspberry Pi was originally set up as a school educational thing to help kids get into hardware and coding. I can't believe that some professional electronics designers haven't moved on from school level electronics class.
They are. They just recommend using the CM4 instead of CM3. Tons of commercial products use Pis. There's an entire "for industry" page on the Pi website
Stating a Pi is not for commercial use is quite dense. A Pi Compute Module is designed for development, but commercial breadboards and development boards use Pi as a headless computer to IO interface all the time instead of adding serial ports to bigger computers or replacing them all together.
I wrote a paper on this last semester. The scary thing is that the weakest point on the grid changes depending on the time of the day / usage. If an attacker times everything right, then they can take down a small piece of the grid that could cascade to the larger system with a minimal amount of EV chargers (or smart thermostats). There are safe-guards against cascading failures, but they aren't designed for this type of attack.
In the uk the regulation requires that charge start and stop times have a randomised offset which is controlled in firmware not accessible to update or change.
You'd need far too many EVs for that to be an issue, and they'd have to be plugged in. The majority of chargers are in garages. Maybe thermostats, but most houses use gas heating. If you could gain remote access to every EV charger, you could pull it off, but that's like saying if you could get inside a vault you could perform a heist. It's not practical.
@@randomblock1_ said _"It's not practical."_ Does it need to be? Was the attack on the Iranian nuclear plant practical? I doubt when Putin says "Hack that network" that his hackers respond _"But that isn't really practical sir."_
If you wrote a paper on this, than you can answer to me this simple question. if we have a small country for example avg 5gw daily peak, how many charger will have to be turned on to bring down the network?
You missing the point.. They are connect to the power grid and they could take everyone down. Doesn't matter who the maker is. One weak company puts everyone at risk. Just like one lazy coworker opening an email put the company at risk..
@@CornelleJ That is not true at all. This video has no evidence. They did not show how it can be hacked. They only removed an rpi compute module from a box. but did they show the data is not encrypted on the box? Did they link any company announcement? Did they show any link to the vulnerability database? Also the video did not say how they can be used to bring down the network. The study is not linked.
@@buscseik Rewatch the video, they said the first 1 had 2 Vulnerabilities. Wallbox, hardware bug. 2nd was a remote attack. (smart phone attack), then Project EV had issue because of SN# for Creds.
@@CornelleJ Vulnerabilities has a public database. if this video would be true, these would be listed there, so the video could link them. Just for example, they made a screenshot of a study in the video published by IEEE. I checked if I can find the study on the IEEE website, but it is not there. Only two match, non of them were valid (one is a public file storing system, other is a website which signed by letsencrypt, which means, the site owner did not have to present id card or bank card to anyone to get the certificate, even a hacker could do that)
I like this reporting, but I feel it's a bit sensationalist. Cybersecurity research companies are paid to painstakingly find any and all loose threads with security and envision a worst-case scenario. I feel that's the only side of this represented in this story. While I'm sure they can be better, there are already safeguards in place against many of these issues (multi-factor authentication, car-key security, the ability to make your charger 'dumb' if it's in a public access area, etc). I guess it's technically possible, but the reality of a power-grid surge where a bunch of hackers physically individually popping the cover on a massive number of EV's, steal the log-in data, then later log into all of those accounts simultaneously and telling the cars to charge is pretty remote, right? Also, aren't most cars already charging when plugged in?
And there are methods to bypass 2fa and car security. Also other countries have had attacks on their power grid. It’s not unheard of. Doesn’t have to be a hacker but a state actor as well. But it’s definitely sensationalist.
I am not a security expert, just a home user/engineer and these flaws they are pointing out are class A negligence! None of these products should have made it to a customer
I think the point is that there are no standards keeping companies to a bare minimum of security. How many consumers do you know that search for security vulnerabilities before buying a product? I'm regularly telling friends and family about security holes and can't get them to check ahead of time. How diligent is the general public? And given that's their target audience, how diligent do you think companies are about security and safety when they need to get those numbers up for the next quarterly report?
@@LabGecko Just look at how many products claim to be "smart" Look at how easy it is to be a high paid idiot in marketing vs how hard it is to be an engineer producing products they are then responsible for. Instead of just paying the least amount for the highest review rating, we need to start looking at every product and ask, "is this working FOR me or AGAINST me??? Is turning my appliance on from anywhere in the world really worth exposing myself to hackers from anywhere in the world????
Yeah, the verbiage was a bit over the top. But the scenario is real enough. There are plenty of nation states paying big money for attacks on grids. Browse Darknet Diaries if you need examples.
I wrote up a compliance landscape for one of the top global auto manufacturers. There are real examples of hackers holding the company for ransom threatening DDOS. Threats included disabling security features (locks, adaptive cruise control, air bags, abs...), hacking personal information of connected devices, and disrupting recharging infrastructure. I warned them that there needs to be a clear divide between vehicle operating systems and infotainment.
I left the cybersecurity industry because I was tired of warning the C-suite and seeing deliberately negligent responses. If they want to answer to Congress, that’s their business. Not mine.
DDoS is totally irrelevant to this. That can be mitigated by a middleman like Cloudflare, and certainly doesn't matter in the context of hardware vulnerabilities.
Raspberry Pi OS is as good as any mainstream linux server in terms of security. The "problem" is the ability to easily remove and modify the compute module. That is not a serious attack vector as it requires prior physical access to each and every target device. This is not going to happen.
I like how they push the responsibility on the users instead working out the bugs before releasing a product. like my folks in their 70's and 80's are going to have a clue, my dad doesn't even have a smart phone.
Is nobody asking why a vehicle charger even needs to contain sensitive data? Lock it with a physical key like your front door and the only thing it needs to know is the state of your battery and charge until the desired level.
Because many people are stupid. Older tech is usually better and for some reason, people feel a need to "upgrade" everything. Our locks at my apartments were "upgraded" from lock and key to digital cards. It gives the landlord more info, but the batteries need to be replaced yearly (six AA batteries per lock) and I wonder about security. The old locks and keys worked 100% of the time.
@@Djamonja not really, anything that connects to your home network and is outside your house is fairly susceptible to these sort of attacks. Gaining access to your wifi password is pretty pointless for pretty much any malicious actor anyway considering they actually need to be outside your house. And the bank details part is pure fear mongering because of https.
It's mind blowing that these industries continue to release infrastructure systems that aren't meeting the same standards that the IT industry does. It's getting better, but way to slowly and oversight is still sketchy.
EVERY Security Expert and Veteran Internet user will advise the same thing: Keep Stuff as Dumb as possible. If there's NO need to connect to the internet... DON'T. Right now, people are happily connecting their TVs, Toasters, Ovens, Doorbells, Security Cameras, Window Blinds, and even Faucets (among other things) to the Internet. These IoT (Internet of Things) are a Security Nightmare if not configured correctly AND Isolated properly from the Home Network. People today are essentially offering MULTIPLE pathways to digital intruders. As far as EVs are concerned... Manufacturers MUST keep systems Isolated. The Charging Tech must be separated from Infotainment.
China's 🇨🇳 "national security" laws require companies, including BYD, *to assist with intelligence gathering.* - The Chinese government basically knows who is driving, and they can remotely control your car brake system from Beijing.
That's not true. The National Intelligence Law indeed forces any private organisation to provide the PRC government with any information they demand, but that doesn't mean that the companies need to create the capabilities to control every aspect of the products they provide. I doubt that many car manufacturers can be bothered to connect the brakes in the manner you purport.
It is true actually. In many areas of China, Teslas have been banned because they pose a security risk to the Chinese gov. It's discussed in a lot of detail on the serpentza channel.
You can recharge an electric car without any of these security risks. When I had one, all I had to do was plug it into the power socket. A meter on the dashboard showed my charge status. The car never overcharged. I could set it and forget it until the charge was finished. If you want to have remote access to what your car's computer data, it is better to use a cellular connection on your phone to the car. Wi-Fi was never meant to be safe. Just a different way to connect things together. There is nothing safe about using Wi-Fi.
Imagine someone hacking a plane you fly in? Why don't you express worry about that? Because you know the companies flying have every incentive to make that as difficult as possible. Cars are no different.
@@lawrencefrost9063 they aim laser pointers at planes and try to dazzle the pilot. In China people are aiming the lasers at the cameras controlling the car. It blinds autonomous vehicles. This is why LiDAR is extensively used.
As someone who works with self driving cars. The amount of stuff you would need to do in order to hack it and gain control would be pointless. You could only move 3mph for a few feet.
The only way to make any of this better, is for people to stop connecting literally everything in their lives to centralised servers. Most of which have fundamental security flaws, and all of which will always have flaws of some kind.
This typical of new systems. The priority is to implement the new system fast, with little regard to the intrinsic security! Remember the early days of the Internet !
The study which was presented(but not linked) states, the chargers are not monitored by utility companies. That is not true. At least in Europe all installed ev charger supports open ADR, which provides control for utility providers.
And it is quite funny that all these companies say they value security, but yet they fail horribly and fall flat on their face using the same old repeated mistakes! It is 2024, how are you even able to access these devices based on serial number? Some doofus made a quick implementation and it was deployed without anybody checking if the password to the device was ON the device? Wow.
This is why I went for a commando socket and "portable" charger; the change from stand-alone wall chargers to Internet of Everything was never going to go well; people learned nothing from the issues with early electricity Smart meters. When I brought up the issues of being remotely shutdown when using an internet connected charger - people called me an idiot; people STILL call me an idiot - because news of these hacks isnt widespread and is never mentioned on the big TV news channels. For example, even though I follow a lot of tech news, I had no idea Ukrainian EV chargers were hacked and shut down at the start of the Russian genocide.
Isn’t completely wrong, but as always the legacy media with their lack of knowledge in everything picked an “experts” to help them on a topic without fact checking, this has to be one for the cheapest and worst chargers out there, get him to hack some of the prenium chargers, not that it’s imposible, but want to see him do it.
This isn't surprising - criminals have been skimming gas pumps by opening them up for decades, not surprising some EV chargers are vulnerable to unauthorized modifications too.
This homemade charging unit is unheard of and this video is FUD. Cars must first request power from the charging unit before the handshake can begin. A car can only charge to the limit it has set by the driver and secondary the cars battery management system. If a car senses current coming from the charger without requesting it; the car will show a “could not charge” or similar message.
“The Raspberry Pi is not really for a commercial product like this” 🤦♂️The compute modules are *LITERALLY* designed for this exact purpose! That’s why they exist.
The fact that it’s not standard to put all of these IOT devices on their own network at this point is quite sad. All routers should really come with an “IOT” network, a “guest” network, and a “trusted” network.
Yeah, get the updates, but if the company makes hundreds of models of devices it will forget the "old" ones very soon. And if the source code of the devices is closed because they want the moneys then no one can update it, even if the company closes
Getting a bit tired of the EV issues. I don't have one nor want one, but I'll have to pay a price. Hacked power grids, taxes increasing, insurance increasing, electricity costs going up, vehicles going up in flames, fire department needing new tech to combat the fires, people possibly stealing my data or electricity. Thanks but no thanks. Please figure out how to put all of that on the adopters, not me.
For what humanly crazy reason does a car Charger need Internet Service? Because what becomes a very blaring issue - the greatest problem is the unnecessary services to recharge a battery! Not because of needs or requirements - but because they can! Making your own monsters to ensure your services stay in constant demand - poison's the whole pool!
Vulnerabilities have continued to show up, and be swatted, by all companies involved. It's getting better, but there should have been minimum standards in place instead of this _"we'll fix it when someone finds a way in"_ mentality.
Assumes everyone uses the same model of charger AND some dude goes and has physical access to half the citys chargers without getting caught. Then being able to figure out how to remotely control every device and account. Yeah, never happening.
@WSJ 2:09 - The highlighted section where it says 'not recommended for new designs' (NRND) -- That's talking about sourcing/availability. It basically means they're getting ready to take that particular part out of production. It doesn't refer to the suitability for a particular application. I still agree with the overall argument that RPI's are unsuitable for this application though.
Addressing these cybersecurity challenges is key to ensuring the reliability and safety of our growing EV infrastructure. It's a call to action for all stakeholders in the technology ecosystem.
This is why good network security is a good idea, Also props to Porsche offering PLC comms on their Connect products. VAG and other people please don’t go all wireless.
Chinese 🇨🇳 high-tech companies, including car maker BYD, are extensions of the Chinese government. - How do I know this? Chinese "national security" laws say so!
I’m running the one bought from Aliexpress China for 150usd with no wifi and set charging time to be on only during of peak from my car for a year with no issue😊 Cheap with no fancy option to be compromised😊 Charger can fire from 2.2kw up to 7kw though the RFID key to tap to start to stop the charger can be compromise but still there can not charg if my car say otherwise.
The simple solution is to not add remote connectivity to devices that don't need it. A charger just needs to provide power. Let the car handle the rest.
5:25 is hilarious considering millions of hot water kettles and “tea time.” “so the power grid is designed to work at a relatively steady state and you have a big problem if you have huge like surge in demand or a huge dip in demand and either of these could be caused by a coordinated set of EVs all of a sudden charging or not charging.” Most EVs left plugged are either already charging or fully charged and people would notice if they stopped charging ahead of an attack. This would be a subset of a subset of a subset of a subset of EV owners who happen to have their cars plugged in. Also, most home EVSEs let anyone use them, same as an extension cord or a light switch. The authorization issue is more a concern for public installations.
you don't realize how easy it is to bring down a power grid as once you bring down enough portions of the grid the rest has to shutdown due to the grid going out of frequency to prevent damage to important power grid equipment yes its that easy welcome to the world of running a machine that's hundred if not thousands of miles wide
@@KILLKING110 As demonstrated since I’m aware of the tea time engineering issue, I *do* realize. You won’t be taking out any part of the grid with a minor EVSE exploit like this. Exploiting an IOT clothes dryer would be more impactful by far. Most private EVSEs are the portable kind included with their EV. Of those that have permanent installations (not just a socket), most don’t have any fancy scheduling, Internet connectivity, or authentication of any kind (just a fancy extension cord). Of those who have an IOT EVSE, only a portion have this brand. Of those only a portion have this model. Of those only a portion have exploitable firmware. Of those only a portion will be at home. Of those only a portion will be plugged in. Of those only a portion won’t be charging or charged. Of those standing by only a portion would be oblivious to the uncommanded charge or delay.
I am impressed by the level of security incompetence by the presented equipment developers in light of what we have learned over the past 30 years. This failure is how we get more government regulation and put the lie to comments from industry that "security is a primary concern". Best advice, do not unnecessarily connect to the Internet.
Misleading title: Title says "Easy to hack ev xhargers. This is about ONE type of EV charger, poorly designed. Not all EV chargers can be easily hacked.
I have a LOT of issues with these company responses to these issues. 1) "We take security issues seriously" Come off as gaslighting and suspect when the issues identified are very simple to identify. They 'chose' not to worry about it until it was challenged. 2) "The user needs to take some responsibility". I disagree in most cases. Must customer's don't understand anything about any of these vulnerabilities and it should never bee the responsibility of the consumer to make sure the products they purchase are secure, or updated.
This is a bit far fetched, that raspberry pi compute module will save tons of e waste over a custom pcb. It’s like they are looking for flaws that aren’t really flaws.
IoT is a disaster waiting to happen. Using hobbyist toys makes it even worse and I don't get what has Raspberry got to do wit it, it's like blaming Lego if a building made of its blocks came crashing down.
Way too many thing are internet connected. And too much faith is put in the producers of new technologies that they can anticipate and prepare for adverse circumstances.
It’s these instances that require actual intervention from government powers to hold corporations accountable… you simply cannot trust them to operate on a level that is without thorough scrutiny and testing with their endless pursuit of limitless growth.
A simple soution , no wireless connectivity ... Its a battery charger just go look at it and stop being lazy . Its worth the walk for security and privacy.
Why should Raspberry Pi response to your question? This is like, you questioning knife company, because their knife used as murder weapon, on the other side of the world.
even more reasons why I use a dumb EVSE that's nothing more than a glorified extension cord. No wifi, no storage, no connectivity, nothing stored. That's what the car is for.
i liked life 30 years ago, it was simpler yet we still had all the tools to enjoy life. every day wasn't a call to arms or watching a walking corpse ruin our country with an astronomical debt.
Connecting the internet to everything is a terrible idea. People are bugging their own houses willingly due to ignorance.
a tinder box with a smart ignition, all snug in your house, seems like a great idea
People buy super expensive smart locks, with a special anti picking cylinder, but then as it has a solenoid you can open it with a strong magnet 😂
Hey, everyone! I've been delving into TH-cam, focusing on storytelling and creative video-making. Recently stumbled upon VideoGPT, and it's been a total game-changer. My videos now have this professional quality that has really boosted my confidence.
Hasn’t anyone seen maximum overdrive!?!
Yes, it's obsurd to have most of these things on the network.
"Unconnected and dumb" is the best advice I have heard lately!
No Network Connection is how vast majority of Level 2 AC charger operate. They simply don't need a network connection.
It’s really not - why stop there? Throw your laptop away, don’t use a mobile phone, shun the internet. Their cure has become worse than the disease.
Stealing a Wi-Fi password does not give you a bank password. Bank passwords are also E2E encrypted. No need to exaggerate.
In the USA, 99% of these chargers are in peoples garages locked away. The big security risk for most people is in their filing cabinet. Where is the median doing a piece on the filing cabinets?
If you steal a WiFi password you can emulate the WiFi network and implement a man in the middle attack. Are you a security consultant or penetration tester?
@@Kx0195that doesnt really matter, pretty much all connections like that are over TLS.
And you dont need to steal a wifi pass to impersonate a wifi network and do mitm.
@@Kx0195I am and the mod is correct
This is a general concern for IOT devices but this pen test company is dramatizing and creating unnecessary FUD. One can't connect to any EV charger (EVSE or DCFC) because one charger is compromised, unless the providers overall ecosystem itself is vulnerable.
yeah those were my exact thoughts
The problem with that statement is the assumption the network is not vulnerable. Often we rely on the overall networks security to protect against low level fruit like this, but in truth and as seen in recent cyber attacks, many industries previously thought impenetrable have been hacked. In addition, highly targeted attacks against individuals do take place globally, any vulnerability, even one which affects a single individual, is a danger to all.
@@jacobp8294 Network vulnerability is a general concern (with any connected device/service) which I already mentioned.
I like how using a rPi is a “bug” just because it’s an open platform. What do they think about OpenEVSE?!
Well, if the manufacturer of the charger failed to add proper authentication to their APIs and the devices can be addressed through their sequential serial number, then any one can register an account and use those credentials to control all the chargers whose serial number they can guess. Of course the API should check that the charger the user tries to control belongs to the user but apparently that used not to be the case. Instead, they relied on the UI which only shows the user their own chargers but thats fairly trivial to bypass by using the same APIs the app uses.
Wht they're calling 'chargers' is a misnomer. The charger is built into the car. The box on the side of your house is a power outlet. It makes power available to the on-board charger but the current drawn is determined by the on-board charger.
I like how they tried questioning raspberry pi when they clearly stated it's not for commercial use
Raspberry Pi was originally set up as a school educational thing to help kids get into hardware and coding.
I can't believe that some professional electronics designers haven't moved on from school level electronics class.
It's just laziness
Some of the Raspberry Pi units are intended for use as a component in a production device.
They are. They just recommend using the CM4 instead of CM3. Tons of commercial products use Pis. There's an entire "for industry" page on the Pi website
Stating a Pi is not for commercial use is quite dense. A Pi Compute Module is designed for development, but commercial breadboards and development boards use Pi as a headless computer to IO interface all the time instead of adding serial ports to bigger computers or replacing them all together.
I wrote a paper on this last semester. The scary thing is that the weakest point on the grid changes depending on the time of the day / usage. If an attacker times everything right, then they can take down a small piece of the grid that could cascade to the larger system with a minimal amount of EV chargers (or smart thermostats). There are safe-guards against cascading failures, but they aren't designed for this type of attack.
In the uk the regulation requires that charge start and stop times have a randomised offset which is controlled in firmware not accessible to update or change.
You'd need far too many EVs for that to be an issue, and they'd have to be plugged in. The majority of chargers are in garages. Maybe thermostats, but most houses use gas heating. If you could gain remote access to every EV charger, you could pull it off, but that's like saying if you could get inside a vault you could perform a heist. It's not practical.
@@randomblock1_ said _"It's not practical."_
Does it need to be? Was the attack on the Iranian nuclear plant practical? I doubt when Putin says "Hack that network" that his hackers respond _"But that isn't really practical sir."_
@@LabGeckoThe point is that it would take decades to do all that hacking. And by then the first chargers would have been replaced.
If you wrote a paper on this, than you can answer to me this simple question. if we have a small country for example avg 5gw daily peak, how many charger will have to be turned on to bring down the network?
I'm an electrical engineer. This guy obviously picked the cheapest, most armature charging box on the market. Have him try it on a Tesla charger.
Yup was coming to say the same lol
You missing the point.. They are connect to the power grid and they could take everyone down. Doesn't matter who the maker is. One weak company puts everyone at risk. Just like one lazy coworker opening an email put the company at risk..
@@CornelleJ That is not true at all. This video has no evidence. They did not show how it can be hacked. They only removed an rpi compute module from a box. but did they show the data is not encrypted on the box? Did they link any company announcement? Did they show any link to the vulnerability database? Also the video did not say how they can be used to bring down the network. The study is not linked.
@@buscseik Rewatch the video, they said the first 1 had 2 Vulnerabilities. Wallbox, hardware bug. 2nd was a remote attack. (smart phone attack), then Project EV had issue because of SN# for Creds.
@@CornelleJ Vulnerabilities has a public database. if this video would be true, these would be listed there, so the video could link them. Just for example, they made a screenshot of a study in the video published by IEEE. I checked if I can find the study on the IEEE website, but it is not there. Only two match, non of them were valid (one is a public file storing system, other is a website which signed by letsencrypt, which means, the site owner did not have to present id card or bank card to anyone to get the certificate, even a hacker could do that)
I like this reporting, but I feel it's a bit sensationalist. Cybersecurity research companies are paid to painstakingly find any and all loose threads with security and envision a worst-case scenario. I feel that's the only side of this represented in this story. While I'm sure they can be better, there are already safeguards in place against many of these issues (multi-factor authentication, car-key security, the ability to make your charger 'dumb' if it's in a public access area, etc). I guess it's technically possible, but the reality of a power-grid surge where a bunch of hackers physically individually popping the cover on a massive number of EV's, steal the log-in data, then later log into all of those accounts simultaneously and telling the cars to charge is pretty remote, right? Also, aren't most cars already charging when plugged in?
And there are methods to bypass 2fa and car security. Also other countries have had attacks on their power grid. It’s not unheard of. Doesn’t have to be a hacker but a state actor as well. But it’s definitely sensationalist.
I am not a security expert, just a home user/engineer and these flaws they are pointing out are class A negligence! None of these products should have made it to a customer
Also, everyone forget there are fuses everywhere in the electricity network :)
I think the point is that there are no standards keeping companies to a bare minimum of security. How many consumers do you know that search for security vulnerabilities before buying a product? I'm regularly telling friends and family about security holes and can't get them to check ahead of time. How diligent is the general public? And given that's their target audience, how diligent do you think companies are about security and safety when they need to get those numbers up for the next quarterly report?
@@LabGecko Just look at how many products claim to be "smart"
Look at how easy it is to be a high paid idiot in marketing vs how hard it is to be an engineer producing products they are then responsible for.
Instead of just paying the least amount for the highest review rating, we need to start looking at every product and ask, "is this working FOR me or AGAINST me???
Is turning my appliance on from anywhere in the world really worth exposing myself to hackers from anywhere in the world????
Fear, uncertainty, and doubt.
We’ve just been fudded: “we’ve created weapons” 😬
Yeah, the verbiage was a bit over the top. But the scenario is real enough. There are plenty of nation states paying big money for attacks on grids. Browse Darknet Diaries if you need examples.
I wrote up a compliance landscape for one of the top global auto manufacturers. There are real examples of hackers holding the company for ransom threatening DDOS. Threats included disabling security features (locks, adaptive cruise control, air bags, abs...), hacking personal information of connected devices, and disrupting recharging infrastructure. I warned them that there needs to be a clear divide between vehicle operating systems and infotainment.
I left the cybersecurity industry because I was tired of warning the C-suite and seeing deliberately negligent responses.
If they want to answer to Congress, that’s their business. Not mine.
DDoS is totally irrelevant to this. That can be mitigated by a middleman like Cloudflare, and certainly doesn't matter in the context of hardware vulnerabilities.
Showing the companies do not take cybersecurity seriously and then repeating their statement that they take cybersecurity seriously?
They are legally required to give the company's response. Not doing so gets the journalism company sued.
Raspberry Pi?? This is babytown frollics as far as hackers are concerned.
almost like its a weapon from china
Raspberry Pi OS is as good as any mainstream linux server in terms of security. The "problem" is the ability to easily remove and modify the compute module. That is not a serious attack vector as it requires prior physical access to each and every target device. This is not going to happen.
Talking to anyone in pentest world will scare you. And it should actually.
I like how they push the responsibility on the users instead working out the bugs before releasing a product. like my folks in their 70's and 80's are going to have a clue, my dad doesn't even have a smart phone.
Is nobody asking why a vehicle charger even needs to contain sensitive data? Lock it with a physical key like your front door and the only thing it needs to know is the state of your battery and charge until the desired level.
because it doesn't contain sensitive data. it's just your wifi password
@@SegFaultOnLine1984 Isn't your wifi password fairly sensitive data?
Because many people are stupid. Older tech is usually better and for some reason, people feel a need to "upgrade" everything. Our locks at my apartments were "upgraded" from lock and key to digital cards. It gives the landlord more info, but the batteries need to be replaced yearly (six AA batteries per lock) and I wonder about security. The old locks and keys worked 100% of the time.
@@Djamonja not really, anything that connects to your home network and is outside your house is fairly susceptible to these sort of attacks. Gaining access to your wifi password is pretty pointless for pretty much any malicious actor anyway considering they actually need to be outside your house. And the bank details part is pure fear mongering because of https.
@@SegFaultOnLine1984 Once they have your Wifi password, can't they sit in a car near your house and access your network?
It's mind blowing that these industries continue to release infrastructure systems that aren't meeting the same standards that the IT industry does. It's getting better, but way to slowly and oversight is still sketchy.
EVERY Security Expert and Veteran Internet user will advise the same thing: Keep Stuff as Dumb as possible.
If there's NO need to connect to the internet... DON'T.
Right now, people are happily connecting their TVs, Toasters, Ovens, Doorbells, Security Cameras, Window Blinds, and even Faucets (among other things) to the Internet. These IoT (Internet of Things) are a Security Nightmare if not configured correctly AND Isolated properly from the Home Network.
People today are essentially offering MULTIPLE pathways to digital intruders.
As far as EVs are concerned... Manufacturers MUST keep systems Isolated. The Charging Tech must be separated from Infotainment.
Facebook is already here bro
Yet, this simply won't occur. People shall use IoT devices. That's not a solution.
In the UK there is dynamic pricing for ev charging, needs a network connection
Until it's illegal to sell customer data this will remain a base corporate business model.
Never trust someone who opens with "suppose we're the good guys"
China's 🇨🇳 "national security" laws require companies, including BYD, *to assist with intelligence gathering.*
- The Chinese government basically knows who is driving, and they can remotely control your car brake system from Beijing.
That's not true. The National Intelligence Law indeed forces any private organisation to provide the PRC government with any information they demand, but that doesn't mean that the companies need to create the capabilities to control every aspect of the products they provide. I doubt that many car manufacturers can be bothered to connect the brakes in the manner you purport.
It is true actually.
In many areas of China, Teslas have been banned because they pose a security risk to the Chinese gov. It's discussed in a lot of detail on the serpentza channel.
@@RokeJulianLockhart.s13ouq Every major Chinese company has a party representative sitting in each company building. I doubt he's just there for show.
@@LabGecko Where'd you learn that from?
You can recharge an electric car without any of these security risks. When I had one, all I had to do was plug it into the power socket. A meter on the dashboard showed my charge status. The car never overcharged. I could set it and forget it until the charge was finished. If you want to have remote access to what your car's computer data, it is better to use a cellular connection on your phone to the car. Wi-Fi was never meant to be safe. Just a different way to connect things together. There is nothing safe about using Wi-Fi.
Wi-Fi is designed to be somewhat safe... but it doesn't make bad designs good
You think cellular is safer?
imagine someone hacking self driving cars💀
Imagine someone hacking a plane you fly in? Why don't you express worry about that? Because you know the companies flying have every incentive to make that as difficult as possible. Cars are no different.
@@lawrencefrost9063 they aim laser pointers at planes and try to dazzle the pilot. In China people are aiming the lasers at the cameras controlling the car. It blinds autonomous vehicles. This is why LiDAR is extensively used.
As someone who works with self driving cars. The amount of stuff you would need to do in order to hack it and gain control would be pointless. You could only move 3mph for a few feet.
@@OneManOnFire absolutely, if someone is intent on causing problems then either stopping it physically or make it veer off course would be the option.
@@OneManOnFire buddy my point was that even if its to hard but few feets could cause series of serious accidents on certain scenarios
The only way to make any of this better, is for people to stop connecting literally everything in their lives to centralised servers. Most of which have fundamental security flaws, and all of which will always have flaws of some kind.
I don't understand why IOT device manufacturers insist on cloud first connection and not local connections for things.
@@Sparky400 So they can revoke your access whenever they feel like
Connecting and selling data is a base business model for most companies today
This typical of new systems. The priority is to implement the new system fast, with little regard to the intrinsic security!
Remember the early days of the Internet !
No, just having your wifi password doesn't let attackers intercept your passwords. Everything is encrypted nowadays.
Someone has lied to you 😆
@@LabGecko what do you mean?
5:16 overheat an EV battery???
Ate you crazy???
EVSE have no controll over EV cooling system.
I was wondering the same. Its not even a charger but a poweroutlet.
The study which was presented(but not linked) states, the chargers are not monitored by utility companies. That is not true. At least in Europe all installed ev charger supports open ADR, which provides control for utility providers.
hyundai KIA can be stolen by 10 years old kids with USB cable.
It would be one car I'm not trying to find
They also need a screwdriver to pop the panel open to access the ignition switch.
By design lol
The security of the Raspberry had nothing to do with it, this should have never been deployed like this!
And it is quite funny that all these companies say they value security, but yet they fail horribly and fall flat on their face using the same old repeated mistakes!
It is 2024, how are you even able to access these devices based on serial number? Some doofus made a quick implementation and it was deployed without anybody checking if the password to the device was ON the device?
Wow.
With hacking cars, that reminds me of Watch Dogs 2 where you could do the exact same thing
en.wikipedia.org/wiki/Michael_Hastings_(journalist)#Controversy_over_alleged_foul_play
No one is hacking cars. This is just WSJ bs
@@robertjamesonmusic I mean, if a vehicle has to rely on smart technology, that kind of tech could possibly be tapped into
Somebody on bbc news not having the word watchdogs
"we take security very seriously " Whispers * as long as it doesnt affect out profit margins *
The best way to stop the bad guys is to think like a bad guy.
the just use a : Raspberry Pi Compute Module 3 (CM3) : and the put a sticker on the Raspberry logo 🤣🤣🤣
The fact toothbrushes were used for a DDOS attack should have been one of many more recent wakup calls.
This is why I went for a commando socket and "portable" charger; the change from stand-alone wall chargers to Internet of Everything was never going to go well; people learned nothing from the issues with early electricity Smart meters.
When I brought up the issues of being remotely shutdown when using an internet connected charger - people called me an idiot; people STILL call me an idiot - because news of these hacks isnt widespread and is never mentioned on the big TV news channels.
For example, even though I follow a lot of tech news, I had no idea Ukrainian EV chargers were hacked and shut down at the start of the Russian genocide.
Isn’t completely wrong, but as always the legacy media with their lack of knowledge in everything picked an “experts” to help them on a topic without fact checking, this has to be one for the cheapest and worst chargers out there, get him to hack some of the prenium chargers, not that it’s imposible, but want to see him do it.
Just lock the device behind a metal cage xD
someone never heard of lock picking lawyer
@@SgtJoeSmithsomeone’s never heard of cameras. If you have a Tesla you **most** likely have cameras
@@ItzAwsomeWasTaken but what if you are wearing black pants and black hoodie and black skin? you look like all the rest of them
But the warlock is your best sega nintendo player
@PenTestPartners: Could you perhaps also try a little bit of that whitehat hacking magic on the Boeing 373 Max?
This isn't surprising - criminals have been skimming gas pumps by opening them up for decades, not surprising some EV chargers are vulnerable to unauthorized modifications too.
This homemade charging unit is unheard of and this video is FUD.
Cars must first request power from the charging unit before the handshake can begin.
A car can only charge to the limit it has set by the driver and secondary the cars battery management system.
If a car senses current coming from the charger without requesting it; the car will show a “could not charge” or similar message.
Finally! Someone else who also knows how this works. 100% correct.
“The Raspberry Pi is not really for a commercial product like this” 🤦♂️The compute modules are *LITERALLY* designed for this exact purpose! That’s why they exist.
"Unconnected and dumb". My home appliances and my car goes dumb all the time and work perfect. No need to connect
super this type of content is needed
Words from a wise man: "I'd prefer to have them unconnected and dumb". The smarter your device, the more stupid you become.
If Wallbox took flaws so seriously, why did they rush to market with a cheap solution...
The fact that it’s not standard to put all of these IOT devices on their own network at this point is quite sad. All routers should really come with an “IOT” network, a “guest” network, and a “trusted” network.
Yeah, get the updates, but if the company makes hundreds of models of devices it will forget the "old" ones very soon. And if the source code of the devices is closed because they want the moneys then no one can update it, even if the company closes
The initial animation of power grid shutdown seems very familiar to me…. I m almost sure that shows São Paulo s most popular district 😂😂😂
air powered cars is the only way
Getting a bit tired of the EV issues. I don't have one nor want one, but I'll have to pay a price. Hacked power grids, taxes increasing, insurance increasing, electricity costs going up, vehicles going up in flames, fire department needing new tech to combat the fires, people possibly stealing my data or electricity. Thanks but no thanks. Please figure out how to put all of that on the adopters, not me.
Everybody should learn to ask politicians support for upkeep the things that matter to us.
For what humanly crazy reason does a car Charger need Internet Service? Because what becomes a very blaring issue - the greatest problem is the unnecessary services to recharge a battery! Not because of needs or requirements - but because they can! Making your own monsters to ensure your services stay in constant demand - poison's the whole pool!
Corporations make money selling user data to advertising. Connecting is a data source. Until it's illegal, they won't change.
@@LabGecko So predicated on ad revenue the entire backbone of a global technology/infrastructure has been subverted to being a cyber target buffet!
I'd like to see if other brands of chargers are this vulnerable, as Wallbox is a low-end charger.
Vulnerabilities have continued to show up, and be swatted, by all companies involved. It's getting better, but there should have been minimum standards in place instead of this _"we'll fix it when someone finds a way in"_ mentality.
Assumes everyone uses the same model of charger AND some dude goes and has physical access to half the citys chargers without getting caught. Then being able to figure out how to remotely control every device and account.
Yeah, never happening.
@WSJ 2:09 - The highlighted section where it says 'not recommended for new designs' (NRND) -- That's talking about sourcing/availability. It basically means they're getting ready to take that particular part out of production. It doesn't refer to the suitability for a particular application. I still agree with the overall argument that RPI's are unsuitable for this application though.
It would be much more secure if the charger electronics were inside the house and only an EV charger socket outside.
Addressing these cybersecurity challenges is key to ensuring the reliability and safety of our growing EV infrastructure. It's a call to action for all stakeholders in the technology ecosystem.
This is why good network security is a good idea, Also props to Porsche offering PLC comms on their Connect products. VAG and other people please don’t go all wireless.
The WSJ will do absolutley anything to protect it's advertising revenue dollars. Brought to you by big oil and the UAW.
guess I have to change my PW now...thanks WSJ
And that's why we need electric military vehicles.
Those Latest news about German Brigade
Chinese 🇨🇳 high-tech companies, including car maker BYD, are extensions of the Chinese government.
- How do I know this? Chinese "national security" laws say so!
1:37 - Why is _any_ user information stored on these chargers without encryption? This is software engineering 101...
Connectivity & Complacency = Catastrophe.
MOST Level 2 Chargers are OFFLINE anyways. They simply do not need a network connection.
basically you took someone's drive out? you can literally steal someone's laptop, punch a hole in it, take the ssd out and read all the information.
I’m running the one bought from Aliexpress China for 150usd with no wifi and set charging time to be on only during of peak from my car for a year with no issue😊 Cheap with no fancy option to be compromised😊 Charger can fire from 2.2kw up to 7kw though the RFID key to tap to start to stop the charger can be compromise but still there can not charg if my car say otherwise.
And just by using a "flipper" you can hack the RFID. D'oh!
The simple solution is to not add remote connectivity to devices that don't need it. A charger just needs to provide power. Let the car handle the rest.
Except in cases it is desirable to throttle the amount of power given to the car, for instance when you want to balance the grid.
This is what can happen when you connect everything to the internet
Yet vast majority of Level 2 AC chargers are NOT connected to the internet.
5:25 is hilarious considering millions of hot water kettles and “tea time.”
“so the power grid is designed to work at a relatively steady state and you have a big problem if you have huge like surge in demand or a huge dip in demand and either of these could be caused by a coordinated set of EVs all of a sudden charging or not charging.”
Most EVs left plugged are either already charging or fully charged and people would notice if they stopped charging ahead of an attack. This would be a subset of a subset of a subset of a subset of EV owners who happen to have their cars plugged in.
Also, most home EVSEs let anyone use them, same as an extension cord or a light switch. The authorization issue is more a concern for public installations.
you don't realize how easy it is to bring down a power grid as once you bring down enough portions of the grid the rest has to shutdown due to the grid going out of frequency to prevent damage to important power grid equipment yes its that easy welcome to the world of running a machine that's hundred if not thousands of miles wide
@@KILLKING110 As demonstrated since I’m aware of the tea time engineering issue, I *do* realize. You won’t be taking out any part of the grid with a minor EVSE exploit like this. Exploiting an IOT clothes dryer would be more impactful by far.
Most private EVSEs are the portable kind included with their EV. Of those that have permanent installations (not just a socket), most don’t have any fancy scheduling, Internet connectivity, or authentication of any kind (just a fancy extension cord). Of those who have an IOT EVSE, only a portion have this brand. Of those only a portion have this model. Of those only a portion have exploitable firmware. Of those only a portion will be at home. Of those only a portion will be plugged in. Of those only a portion won’t be charging or charged. Of those standing by only a portion would be oblivious to the uncommanded charge or delay.
I am impressed by the level of security incompetence by the presented equipment developers in light of what we have learned over the past 30 years. This failure is how we get more government regulation and put the lie to comments from industry that "security is a primary concern". Best advice, do not unnecessarily connect to the Internet.
Makes me wonder if wifi inverters for home use on a solar system can also be hacked. Most run through the household modem.
Misleading title: Title says "Easy to hack ev xhargers. This is about ONE type of EV charger, poorly designed. Not all EV chargers can be easily hacked.
Sensationalized for sure, but just soooo many rookie mistakes by companies rushing to get products to market.
If someone steals an IoT device from your home, you should change your Wi-Fi credentials. It doesn't matter what platform it uses.
Yep, my EVSE is electric delivery only, dumb wires.
No mention of gasaholeline pumps with the same vulnerabilities.
Fuel pumps aren’t connected to the vehicle in the same way. Also, no private owner has a fuel pump on the wall of their house 😉
@hughM9 fuel pumps / systems fail. It starts fires 280 k Xs a yr.
Most houses do have a fuel pump/ system wired into their furnace.
Hack the Planet! lol. Hackers movie reference
I have a LOT of issues with these company responses to these issues. 1) "We take security issues seriously" Come off as gaslighting and suspect when the issues identified are very simple to identify. They 'chose' not to worry about it until it was challenged. 2) "The user needs to take some responsibility". I disagree in most cases. Must customer's don't understand anything about any of these vulnerabilities and it should never bee the responsibility of the consumer to make sure the products they purchase are secure, or updated.
This is a bit far fetched, that raspberry pi compute module will save tons of e waste over a custom pcb. It’s like they are looking for flaws that aren’t really flaws.
is it though?
Indeed. The issues they're referring to are with the software, not hardware (except that the covers aren't locked).
The amount of e-waste created by using a custom PCB is essentially negligible. Did you ignore the board it's actually connected into?
@@Z0DI4CThat always depends upon the scale.
IoT is a disaster waiting to happen. Using hobbyist toys makes it even worse and I don't get what has Raspberry got to do wit it, it's like blaming Lego if a building made of its blocks came crashing down.
If that wasn't Pawel Czerwony words you won't know, but building technology is as so.
I’ve driven EVs. EVs need none of our data just like chargers.
This is ridiculous and a national security risk. Good job
C'mon people, do not give 2024 all these ideas! 😂😂😂
The advantage of the Chinese EVs and chargers is that there is no backdoor for hackers, as CCP has direct access to your data.
Correct.
Who it was was it Xiaomi to begin making cars?
This is a problem with the whole IOT.
Way too many thing are internet connected. And too much faith is put in the producers of new technologies that they can anticipate and prepare for adverse circumstances.
It’s these instances that require actual intervention from government powers to hold corporations accountable… you simply cannot trust them to operate on a level that is without thorough scrutiny and testing with their endless pursuit of limitless growth.
Raspberry pi organization is NOT responsible!
I bought a wired printer for a lot of reasons mentioned in this video
another tip to make it harder for your data to be stolen, create a separate network for the "smart" device
I'm sticking to good old gas gas gas
If my wallbox is "the power grid", then my router is "the internet".
A simple soution , no wireless connectivity ... Its a battery charger just go look at it and stop being lazy . Its worth the walk for security and privacy.
paranoia pure paranoia... the likelihood of this any of this happening slim very slim to none..
Why should Raspberry Pi response to your question?
This is like, you questioning knife company, because their knife used as murder weapon, on the other side of the world.
even more reasons why I use a dumb EVSE that's nothing more than a glorified extension cord. No wifi, no storage, no connectivity, nothing stored. That's what the car is for.
i liked life 30 years ago, it was simpler yet we still had all the tools to enjoy life. every day wasn't a call to arms or watching a walking corpse ruin our country with an astronomical debt.
Wow, WSJ is really reaching here. This was a problem with a specific EV charger that came out in 2018.
tell those guys that it's not individual persons responsibility to update the system, it should by default have auto update feature!
Dominion charging systems