[Interview] Dmitry Sklyar, Kaspersky Lab: ”Device security is the vendor’s responsibility, not that of a standard.”

The future of the automotive industry is mainly related to electric cars which have seen an exciting development over the last five years. The shift from classic to electric vehicles continues to gain momentum, and that’s because consumers show a stronger interest in buying an electric car.
According to the International Energy Agency (IEA) forecasts, the number of electric vehicles on the road will reach 125 million by 2030. When there’s a dynamically growing economic opportunity on this market, with a fierce competition from various manufacturers, there’s also a concern about security risks.

Today we are approaching the topic of cybersecurity for electric vehicles with our speaker, Dmitry Sklyar, Application Security Specialist at Kaspersky Lab.

In a few days, you’ll see Dmitry live on the DefCamp stage, with an engaging presentation titled: “We will charge you. How to [b]reach vendor’s network using EV charging station”, which is focused on the research of one of the EV chargers intended for Small Office Home Office (SOHO) usage.
As electric vehicles become widespread and likely to go mainstream, we wanted to know Dmitry’s perspective on the most significant security risks and safety concerns that are related to the use of electric vehicles.
Here what Dmitry believes:

The vehicle threat model, which has been discussed in the automotive industry for several years (by independent researchers, ENISA, etc.) stays almost entirely fuel agnostic. Whether it’s powered by gas or electricity, the numerous external interfaces of the vehicle – such as telematics, infotainment, and others, are the ‘doors’ to various in-vehicle domains, which – if hacked -, can influence safety, enable surveillance, or provide access to personally identifiable information (PII).

Electric vehicles bring one more attack vector to this model, as the charging port is also an interface for communication that could enable tracking, fraud or, in the worst-case scenarios, could damage vehicle components.

As the industry is only developing, even scenarios that decrease the reliability of the electric vehicle through the improper charging of Li-Ion batteries might significantly impact the reputation of electric vehicles.

Aside from the advantages of using electric vehicles (reducing emissions, money saving, very responsive), there’s also the ease of use.. These cars are often more digitally connected than traditional cars, with a growing number of charging stations that will make things easier for their owners.
But they can also be vulnerable to potential cyber attacks and charging providers need to apply all needed security measures to enhance protection for them.

Here’s what Dmitry has to say about this:

Charger providers are forming an infrastructure driven by a new market. The market has no value for security right now, as the players are all still vying for their share. Unfortunately, at the moment only strict regulations can bring some level of security, but this would contradict overall light regulations to boost alternative-energy projects.

To make a trustworthy statement on the overall security of charging stations, we’d need to be able to analyze more samples, and thus we won’t provide scoring at this time.

Nevertheless, we’d like to credit the vendor we worked with for their professional response and cooperation. The product covered in my talk had a very good foundation for security – with a modern stack of technologies – this makes it possible to address vulnerabilities quickly and introduce additional security mechanisms without significant architectural modifications.

But electric vehicles won’t be only cost-effective and more convenient for consumers to drive but also interconnected over an Internet network. This means an easier way for malicious actors to remotely access and compromise sensitive personal information.

Speaking of personal data, we reached out to Dmitry to see how he thinks electric car owners can be persuaded to pay more attention to the volume and types of information that their car shares with various providers and platforms.

A “default deny” approach should be used – meaning no PII (Personally Identifiable Information ) is gathered by default. Also, marketing trickery that encourages users to get more benefits by disclosing personal information should be addressed in regulations, as it’s very unclear how companies remonetize the data they gather.

Knowing Dmitry’s sphere of knowledge covers interesting topics like Industrial Control Systems, automotive devices, IoT devices, and many others, we are truly curious to know more details about his presentation at DefCamp.

Thus, we kindly asked Dmitry to share a bit about it and offer insights about EV charging infrastructure and its vulnerabilities.
What makes these charging stations a target for cybercriminals?

We will talk about one of the home charging stations with a remote controlling feature. So, there are no issues with payment cards, but other concerns still exist about this technology.

The remote control is achieved by a permanent data connection between the charging station and the remote back-end server. To establish the connection, an end user must set up Wi-Fi settings on the station via a smartphone application.

We researched a protocol that is used for communication with the server and found a way to spoof it. In addition, there is an HTTPS server, which is not used during normal station controlling but is available from a Wi-Fi network. We found some issues with its certificate chains, so it also can be accepted by an adversary, if he or she has access to the target Wi-Fi network.

I will also be disclosing information about multiple binary vulnerabilities, that can widen an adversary’s possibilities within a compromised system. By using all discovered issues, an adversary will be able to stop the charging process, and therefore leave the car uncharged, and adjust the maximum current that can be consumed while charging a car, which can cause damage to the whole electrical network.

If the above details made you curious to learn more, make sure you don’t miss Dmitry’s presentation at DefCamp#9!

At the very end, we had one last question for Dmitry which is related to the current data security standards and if these are enough to keep new car generations safe. What can be done to improve them?

The most well-known standard for the EV industry is OCPP (Open Charge Point Protocol), which defines the protocol used between a charging station and a management system. This April, the latest version of this protocol, OCPP 2.0, was published, and this is the first version where information security requirements are defined.

There are three security profiles introduced, and the strongest of them is called “TLS with Client Side Certificates”, which requires the use of the TLS protocol with mutual authentication. The previous version of the standard, OCPP 1.6, was commonly criticized for a lack of security, so OCPP 2.0 is a big step forward from this point of view.

There are still some uncovered details about certificate usage. To mitigate them, some sort of SSL certificate deployment recommendations should be included. The ones provided by ssllabs (https://github.com/ssllabs/research/wiki/SSL- and-TLS-Deployment-Best-Practices) can be a good example. But I would also like to note, that device security is the vendor’s responsibility, not that of a standard.

If this interview sparked an interest to dig deep about electric vehicles and how to secure them, you have to be at DefCamp#9, on November 8th and 9th and see all the talks.

Hope to see you there!

This interview was made by Ioana Rijnetu. You can get in touch with her on LinkedIn or say hello on Twitter.

DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD GROUP, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..