Cybersecurity company Vest shows: charging card infrastructure for electric cars is susceptible to fraud
Recent research, conducted by Alexander van Ee and the Naarden-based cybersecurity company Vest, shows that the charging card infrastructure for electric cars can be manipulated in all kinds of ways. Things go wrong from the application process for a pass to using and paying for the service. These abuses are demonstrated in a clear video that was created in collaboration with Vest's research department. In this video, Van Ee takes you step by step through his findings.
Applying for a charging card
Applying for a charging card is easy to do via websites, Van Ee shows in the video. 'And there is no check for the accuracy of data, so several times I used a bank account number that did not belong to the applicant at all.'
Activating the pass
Although you must activate the pass according to the accompanying letter, it appears that this is not really necessary. With some of the requested passes, the car can be charged without the pass actually being activated.
Copying a charging card
The security on the small chip in the charging cards is minimal. Copying an existing pass turns out to be relatively simple. The security options available on the chip are not used.
Brute force attack
Using statistics and the smart generation of pass numbers, this attack produces pass numbers that can be used once they are linked to rewritable passes. "It could be that someone in Portugal, for example, suddenly sees on his invoice that he had a charging session in a random town in the Netherlands," Van Ee jokes in the video. The range of card numbers in use is so small that a brute force attack finds a usable card number relatively quickly.
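From the operator's side, number guessing of this kind shows up as a burst of different rejected card numbers at one charge point, sometimes ending in an accepted one. The sketch below is an added example, not part of Vest's research or of any operator's system; the log format, charge point names, card numbers and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data):
# timestamp, charge point, presented card number, back-end decision.
SAMPLE_LOG = """\
2024-05-01T10:00:00 CP-A 10482213 accepted
2024-05-01T10:00:05 CP-B 20000100 rejected
2024-05-01T10:00:10 CP-B 20000101 rejected
2024-05-01T10:00:15 CP-B 20000102 rejected
2024-05-01T10:00:20 CP-B 20000103 rejected
2024-05-01T10:00:25 CP-B 20000104 rejected
2024-05-01T10:00:30 CP-B 20000105 accepted
2024-05-01T10:20:00 CP-A 10482231 rejected
2024-05-01T10:21:00 CP-A 10482213 accepted
""".splitlines()

def detect_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Flag charge points that see `threshold` or more distinct rejected
    card numbers within `window`, and any card accepted during such a burst."""
    rejected = defaultdict(deque)  # charge point -> (time, card) of recent rejections
    alerted = set()                # charge points with an open enumeration alert
    alerts = []
    for line in lines:
        stamp, point, card, decision = line.split()
        now = datetime.fromisoformat(stamp)
        recent = rejected[point]
        while recent and now - recent[0][0] > window:
            recent.popleft()       # drop rejections that fell out of the window
        if decision == "rejected":
            recent.append((now, card))
        # Count distinct numbers: one holder retrying a broken card is not guessing.
        guessing = len({c for _, c in recent}) >= threshold
        if not guessing:
            alerted.discard(point)
        elif decision == "rejected" and point not in alerted:
            alerted.add(point)
            alerts.append((point, "enumeration", card))
        elif decision == "accepted":
            # A number accepted mid-burst may belong to an unrelated holder:
            # hold the session for review before it reaches that holder's invoice.
            alerts.append((point, "accepted_during_enumeration", card))
    return alerts

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```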
Trickle charging
The final test checks at what point the user starts to pay. This appears to be after a minute of charging. A handy IT person has an answer to this as well, and the car could be 'flooded' relatively easily.
Charging cards and infrastructure
The approximately 20 random samples show that the same card manufacturer and card type are used for the cards themselves, and that the cards are applied in the same simple way within the charging card infrastructure. There are differences in how a pass is applied for and how the holder is verified (minimally). The shortcomings Vest identified, which leave payment for electric charging susceptible to fraud, appear to be collective. For this reason, Vest is drawing attention to collectively bringing this to a more reliable level for consumers.
Others have previously shown that there are shortcomings in the process and the applied charging card infrastructure for electric charging. We do not know how far these studies have gone and with whom exactly the results were shared.
Neither Vest nor Alexander van Ee has any interest whatsoever in this; the research was not done on assignment, but out of interest. The goal is to address the problems and contribute to a solution that prevents abuse. No one should run the risk of being unnecessarily duped.