Investigating the Security of EV Charging Mobile Applications as an Attack Surface

Author:

Sarieddine Khaled (1), Sayed Mohammad Ali (1), Torabi Sadegh (2), Atallah Ribal (3), Assi Chadi (1)

Affiliation:

1. The Security Research Centre, Concordia University, Canada

2. Center for Secure Information Systems, George Mason University, USA

3. Hydro-Quebec Research Institute, Canada

Abstract

The adoption rate of EVs has increased significantly in recent years, driven by multiple factors, chief among them the increased flexibility and ease of access to charging infrastructure. To improve user experience and increase system flexibility, mobile applications have been incorporated into the EV charging ecosystem. EV charging mobile applications allow consumers to remotely trigger actions on charging stations and use functionalities such as starting/stopping charging sessions, paying for usage, and locating charging stations, to name a few. In this article, we study the security posture of the EV charging ecosystem against a new type of remote attack that exploits vulnerabilities in EV charging mobile applications as an attack surface. We leverage a combination of static and dynamic analysis techniques to analyze the security of widely used EV charging mobile applications. Our analysis was performed on 31 of the most widely used mobile applications, including their interactions with various components such as cloud management systems. The attack scenarios that exploit these vulnerabilities were verified on a real-time co-simulation test bed. Our findings indicate a lack of user/vehicle verification and improper authorization for critical functions, which allow adversaries to remotely hijack charging sessions and launch attacks against the connected critical infrastructure. The attacks were demonstrated using the EVCS mobile applications, showing the feasibility and applicability of our attacks. We discuss specific remote attack scenarios and their impact on EV users. More importantly, our analysis results demonstrate the feasibility of leveraging existing vulnerabilities across various EV charging mobile applications to perform wide-scale coordinated remote charging/discharging attacks against the connected critical infrastructure (e.g., the power grid), with significant economic and operational implications. Finally, we propose countermeasures to secure the infrastructure and impede adversaries from performing reconnaissance and launching remote attacks using compromised accounts.
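The abstract names two weaknesses, missing user/vehicle verification and improper authorization on critical functions, and a consequence, coordinated session hijacking from compromised accounts. The toy model below is an added illustration written for this page, not code from the paper or from any EV charging vendor. It contrasts a cloud management system (CMS) that authorizes remote start/stop on the station ID alone with one that binds every command to the requesting account, the vehicle physically plugged into the station, and the active session. Station IDs, VINs, account names and the `plugged_vehicle` telemetry field are all constructed assumptions; the hardened checks are one concrete reading of the gaps the abstract describes and do not reproduce the paper's own countermeasures.

```python
"""Toy EV charging CMS: vulnerable vs. hardened handling of remote start/stop.
Added illustration only; all identifiers and telemetry below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


class AuthorizationError(Exception):
    """Raised when a command fails a user/vehicle/session check."""


@dataclass
class Station:
    station_id: str
    plugged_vehicle: Optional[str] = None  # VIN the charger reports on cable connect (assumed telemetry)
    session_owner: Optional[str] = None    # account holding the active charging session


class VulnerableCMS:
    """Any authenticated account may start or stop any station it can name.
    Station IDs are effectively public (the app exposes them to locate chargers),
    so one compromised account is enough to hijack sessions at scale."""

    def __init__(self, stations: List[Station]):
        self.stations: Dict[str, Station] = {s.station_id: s for s in stations}

    def start(self, user: str, station_id: str) -> None:
        # No check that `user` has a vehicle at this station.
        self.stations[station_id].session_owner = user

    def stop(self, user: str, station_id: str) -> None:
        # No check that `user` owns the session being stopped.
        self.stations[station_id].session_owner = None


class HardenedCMS:
    """Same API surface, but every critical function is bound to the caller."""

    def __init__(self, stations: List[Station], vehicle_owner: Dict[str, str]):
        self.stations: Dict[str, Station] = {s.station_id: s for s in stations}
        self.vehicle_owner = vehicle_owner  # VIN -> account that registered it

    def start(self, user: str, station_id: str, vin: str) -> None:
        st = self.stations[station_id]
        # User/vehicle verification: the claimed VIN must belong to this account.
        if self.vehicle_owner.get(vin) != user:
            raise AuthorizationError("vehicle not registered to account")
        # Physical binding: that vehicle must actually be connected to this station.
        if st.plugged_vehicle != vin:
            raise AuthorizationError("vehicle not connected to this station")
        if st.session_owner is not None:
            raise AuthorizationError("station already in a session")
        st.session_owner = user

    def stop(self, user: str, station_id: str) -> None:
        st = self.stations[station_id]
        # Only the session owner may terminate it: no remote stop of strangers' sessions.
        if st.session_owner != user:
            raise AuthorizationError("caller does not own the active session")
        st.session_owner = None


def coordinated_stop_attack(cms, attacker: str, station_ids: List[str]) -> int:
    """One compromised account tries to stop every station it knows about.
    Returns how many sessions were actually terminated."""
    hijacked = 0
    for sid in station_ids:
        try:
            cms.stop(attacker, sid)
            hijacked += 1
        except AuthorizationError:
            pass
    return hijacked


def build_fleet(n: int) -> List[Station]:
    """Constructed sample: n stations, each with a legitimate driver's car plugged in and charging."""
    return [Station(f"CS-{i:03d}", plugged_vehicle=f"VIN{i:05d}", session_owner=f"driver{i}")
            for i in range(n)]


def demo() -> Dict[str, int]:
    """Run the same single-account attack against both backends."""
    ids = [s.station_id for s in build_fleet(50)]
    vulnerable = VulnerableCMS(build_fleet(50))
    owners = {f"VIN{i:05d}": f"driver{i}" for i in range(50)}
    hardened = HardenedCMS(build_fleet(50), owners)
    results = {
        "vulnerable": coordinated_stop_attack(vulnerable, "attacker", ids),
        "hardened": coordinated_stop_attack(hardened, "attacker", ids),
    }
    # The hardened backend still serves the legitimate driver at their own station.
    hardened.stop("driver0", "CS-000")
    hardened.start("driver0", "CS-000", "VIN00000")
    return results


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 50, 'hardened': 0}
```

The point of the model is the shape of the check, not the data structures: a remote start/stop is a physical actuation, so the CMS must tie it to evidence that the caller's own vehicle is at that station (the charger-side connection event in this toy) rather than to the caller merely being logged in. With that binding, a stolen account can only affect the one station where that account's vehicle is plugged in, which removes the wide-scale coordinated case the abstract warns about.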

Funder

Concordia University/Hydro-Quebec/NSERC

Large-scale Integration of EVCSs into the Smart Grid: A Comprehensive Cyber-physical Study and Security Assessment

Publisher

Association for Computing Machinery (ACM)

Subject

Artificial Intelligence, Control and Optimization, Computer Networks and Communications, Hardware and Architecture, Human-Computer Interaction

