Wallbox and Project EV Chargers - BBC

All Volkswagen ID.3 related discussions
Daveion
Posts: 881
Joined: Thu Jan 21, 2021 9:24 am
Location: South Essex RM15

Post by Daveion »

Did anyone catch the news item on the BBC about security of the Wallbox and Project EV chargers?
I have attached a link.

BBC News - Home car charger owners urged to install updates
https://www.bbc.co.uk/news/technology-58011014

It's not my area of knowledge. What's the forum's consensus on the security risks? Is it being overstated?
Can you mitigate the risks?
Dave
1st EV Life Pro Performance sold 2022
Born v2-Tech L Pack
White, 19" Typhoon Wheels.
Collected June 22

Scratch
Posts: 1166
Joined: Thu Jul 15, 2021 3:22 pm

Post by Scratch »

I read about that today. I am going through the process of getting a charger installed and our electrician uses Wallbox. Might change it.
Daveion
Posts: 881
Joined: Thu Jan 21, 2021 9:24 am
Location: South Essex RM15

Post by Daveion »

Scratch wrote: Sat Jul 31, 2021 3:28 pm I read about that today. I am going through the process of getting a charger installed and our electrician uses Wallbox. Might change it.
I have the Wallbox on order with Octopus but not too late to change.
Scratch
Posts: 1166
Joined: Thu Jul 15, 2021 3:22 pm

Post by Scratch »

Mind you, everything attached to the internet probably gets hacked at some time. They have supposedly fixed the issue, so maybe non-issue, although I think the article said there was also a hardware problem.
Utumno
Posts: 1727
Joined: Sun Jul 04, 2021 12:34 am
Location: Oxfordshire

Post by Utumno »

Blog post from Hypervolt referring to the BBC article

https://blog.hypervolt.co.uk/hackers/

I’d already shortlisted Hypervolt for my charger installation, but am otherwise unaffiliated.
Tesla Model Y Long Range
CANCELLED : ID.3 Tour (long story :lol:)

ID3 Build & Delivery Info Tracker : https://tinyurl.com/id3tracker
Octopus Referral : https://share.octopus.energy/aqua-foal-203
Utumno
Posts: 1727
Joined: Sun Jul 04, 2021 12:34 am
Location: Oxfordshire

Post by Utumno »

And here's the Pen Test Partners report link I dug up :

https://www.pentestpartners.com/securit ... r-hackers/

Am reading in depth. While I'm no crypto coder, I commission and risk manage penetration tests all day long in my work.

[UPDATE]

* Facepalms all round for both Project EV and Wallbox, those API security issues are "clown shoes" moments. The Wallbox hardware issues look like the researchers don't consider the Pi secure enough for this kind of application due to its open/hobbyist nature, and that's a subjective view - they're not wrong, but equally whether a Pi is a bad thing or not in a charger depends very much on your point of view, your individual use case and your installation use case. While it would indeed be possible to extract the PSK from a Pi, a bad actor would need physical access to the charger and be able to access the board itself. In general if you have physical access to any hardware you can kiss goodbye to security on that device without considerable engineering resource - this is why law enforcement hates iPhones; they're designed to be secure even when in the hands of a bad actor.
* EVBox again earn themselves a privilege escalation facepalm, but again this is what white hat hackers do, and they were responsive.
There has clearly been a distinct lack of security assurance in the smart EV charger space
No shit.

I'm in full agreement there, though of the vendors looked at by PTP, EO and Hypervolt are the clear winners here despite EO leaving a port open giving local network users full access to the charger OS. Yes the Pi is a larger potential security vector than leveraging a commercial and "silicon" hardware-secured IoT platform, but it's not as simple as saying those chargers are insecure because of it. They've both clearly got secure enough infrastructure that PTP weren't concerned about network issues, only about physical security issues on the chargers themselves.

Hope this mild opinion piece helps calm some nerves!
Daveion
Posts: 881
Joined: Thu Jan 21, 2021 9:24 am
Location: South Essex RM15

Post by Daveion »

Utumno wrote: Sat Jul 31, 2021 3:50 pm And here's the Pen Test Partners report link I dug up : [...]
Most of this is double Dutch to me 😆
The BBC item said hackers could access your home network activity, bank logins, accounts, passwords etc.
They also said the Wallbox unit contains a board that dates from 2015, Marshmallow or something, that sounded like an old Android comms board. Old technology doesn't sound good!
So in layman's terms, is any of this sufficient grounds to look for an alternative, or are the risks overstated?
Scratch
Posts: 1166
Joined: Thu Jul 15, 2021 3:22 pm

Post by Scratch »

I think to access your home network they would need the password. Make sure you choose your own password and don’t use the one supplied by your internet provider.
Utumno
Posts: 1727
Joined: Sun Jul 04, 2021 12:34 am
Location: Oxfordshire

Post by Utumno »

Daveion wrote: Sat Jul 31, 2021 5:16 pm Most of this is double Dutch to me 😆
The BBC item said hackers could access your home network activity, bank logins, accounts, passwords etc.
They also said the Wallbox unit contains a board that dates from 2015, Marshmallow or something, that sounded like an old Android comms board. Old technology doesn't sound good!
So in layman's terms, is any of this sufficient grounds to look for an alternative, or are the risks overstated?

The largest risk was with the Project EV box, until they fixed the issues. Everything else is largely BBC hyperbole and overstatement.

Specifically for the Wallbox hardware issue, a hacker would need to have physical access to your Wallbox - which means they would need to be on your driveway or in your garage. Then they would need to open the Wallbox enclosure and plug directly into the electronics inside your Wallbox. Then they would need to extract your WiFi password.

There does not seem to be any greater risk of hacking with the Wallbox than there is with the EO Mini Pro 2 or the Hypervolt, and that hacker would need to be physically present on your driveway.

This is an extremely unlikely state of affairs and so as long as you’re on the most recent EV charger firmware you’re as safe as you can be.

In my case this has cemented my choice of the Hypervolt, but it equally wouldn't prevent me personally installing a Wallbox if its features suited me better. Existing users need to make sure they're on the latest firmware.

Hopefully that was a bit less double Dutch 😀
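To make the physical-access scenario in Utumno's two posts above concrete ("extract the PSK from a Pi", "plug directly into the electronics ... then extract your WiFi password"), here is an added example. It is not code from this thread, from Pen Test Partners or from any charger vendor. It assumes the charger's Raspberry Pi keeps its Wi-Fi credentials in a stock Linux wpa_supplicant.conf on the SD card; that is an assumption, since the thread does not say how Wallbox's image stores them. The config text, SSID and passphrase are constructed (the SSID/passphrase pair and its PSK are the IEEE 802.11i Annex test vector). The point it shows is why copying the psk= line off the card is enough to join the network even when the plaintext passphrase has been replaced by its hash: that hash is the WPA2 pairwise master key, and wpa_supplicant accepts it directly.

```python
"""
Why a Wi-Fi PSK read off a charger's SD card is enough to join the home network.

Added example for the forum thread; not from the thread, Pen Test Partners or
any charger vendor. Assumes a stock Linux wpa_supplicant.conf on the Pi's SD
card (an assumption). SAMPLE_CONF is constructed for the example.
"""
import hashlib
import re

# Constructed sample in the form `wpa_passphrase` writes: the plaintext
# passphrase is left as a comment and a 64-hex PSK is stored instead.
SAMPLE_CONF = """\
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=GB

network={
    ssid="IEEE"
    #psk="password"
    psk=f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
}
"""


def derive_psk(ssid: str, passphrase: str) -> str:
    """WPA/WPA2-Personal PSK per IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def parse_networks(conf: str) -> list:
    """One dict per network={...} block: ssid, psk, and whether psk is a
    pre-derived 64-hex key (True) or a quoted plaintext passphrase (False)."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry = {"ssid": None, "psk": None, "psk_is_hex": False}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # wpa_supplicant ignores the commented-out #psk="..." line too
            key, _, value = line.partition("=")
            if key == "ssid":
                entry["ssid"] = value.strip('"')
            elif key == "psk":
                if value.startswith('"'):
                    entry["psk"] = value.strip('"')
                else:
                    entry["psk"] = value.lower()
                    entry["psk_is_hex"] = True
        networks.append(entry)
    return networks


def usable_psk(entry: dict) -> str:
    """Whatever form the file holds, return the 64-hex PSK that joins the network.
    A stored hash is not a protection: it IS the key wpa_supplicant uses."""
    if entry["psk_is_hex"]:
        return entry["psk"]
    return derive_psk(entry["ssid"], entry["psk"])


def attacker_stanza(entry: dict) -> str:
    """The stanza an attacker drops into their own wpa_supplicant.conf; no
    plaintext passphrase is needed, psk=<hex> is accepted as-is."""
    return 'network={\n    ssid="%s"\n    psk=%s\n}\n' % (entry["ssid"], usable_psk(entry))


if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        print("stored form:", "hashed PSK" if net["psk_is_hex"] else "plaintext passphrase")
        print("hash of the commented-out passphrase matches stored psk:",
              derive_psk(net["ssid"], "password") == usable_psk(net))
        print(attacker_stanza(net))
```

The derivation is salted with the SSID, so the hex line cannot be cheaply turned back into the passphrase, but nobody attacking the network needs the passphrase. The practical mitigations follow from that: the credential a charger holds should only open a segment you are happy to lose (a guest or IoT SSID rather than the one your laptop and NAS sit on), and changing the Wi-Fi password after any suspected tampering with the enclosure invalidates whatever was copied.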
Daveion
Posts: 881
Joined: Thu Jan 21, 2021 9:24 am
Location: South Essex RM15

Post by Daveion »

Thanks Utumno
That is now clear.
Many thanks