Pwn2Own Automotive showed one ‘simple’ target: EV chargers

January’s Pwn2Own Automotive event, hosted in Tokyo, Japan, invited security researchers to tinker with—and try to remotely take over—Teslas, along with other in-vehicle components on the bug-bounty contest list.

One vehicle-product category at the inaugural competition seemed too easy for contestants to hack, according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, which hosts the contest:

“The EV chargers were pretty simple [to compromise]. [The researchers] didn’t spend a lot of time working on those compared to some of the other targets they’ve worked on in the past,” Childs said.

Particularly alarming to security pros who spoke to IT Brew: the compromises demonstrated a lack of basic security protections, like authentication and pre-design scans for known vulnerabilities.

“It was very clear from the start that security played no role in designing these products. They were not designed to withstand even the most common types of attacks,” Daan Keuper, head of security research at Computest, told IT Brew.

Not-so super chargers. Keuper’s team achieved successful exploits against the Autel MaxiCharger AC Wallbox Commercial, JuiceBox 40 Smart EV Charging Station, and ChargePoint Home Flex, essentially gaining remote takeover of the devices.

According to Pwn2Own rules, a successful “pwn” or compromise means an entrant leverages “a vulnerability to modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions.”

“It really was an industry-wide problem. Every one of the chargers in the contest got exploited at least once,” Childs said.

Too easy. One of the hacked EV chargers lacked authentication on its password-reset function, according to Childs.

Results from the Pwn2Own scoreboard showed two “stack-based buffer overflow” exploits of the JuiceBox 40 and Autel MaxiCharger.

“Stack-based buffer overflows were first exploited by the Morris worm in the 1980s. They’re the most classic type. They’re also the one where there’s been the most research on defending against it,” David Brumley, professor at Carnegie Mellon University and CEO of the security company ForAllSecure, told IT Brew.

“If you’re going into Pwn2Own and people are finding two, three, four, or five known exploits…a piece of the [development] process is missing,” Brumley said.

What’s the risk? According to the National Renewable Energy Lab, EV charging ports increased from about 87,000 in Q4 of 2019 to 181,026 in Q3 of 2023.

“If you hack multiple [chargers], then you can do real damage to the power grids by flipping EV chargers on and off. If you do that at large scale, the power grid is not equipped to handle that situation,” Keuper said.

IT Brew contacted charger vendors Emporia Energy, Autel, JuiceBox, Ubiquiti, and ChargePoint and received responses from ChargePoint and Emporia. (At Pwn2Own, successful entrants share vulnerabilities and exploit techniques with affected vendors.)

ChargePoint, a day before the contest, announced firmware updates to secure a tunnel “intended to allow ChargePoint to access each charger for telemetry and diagnostics.”

Many automotive manufacturers, however, have steered away from the security conversation—a sign, to Brumley, of an insular industry.

“If you look at Pwn2Own, you’ll notice that there’s essentially a Tesla there, and a few charging stations. You’re not seeing major car vendors there. And it’s not that they’re not vulnerable; it’s that they don’t want to participate,” Brumley said, adding that the lack of basic security goes beyond EV chargers and to the entire automotive industry.

“The reason EVs charging stations have been a special target here is it was just the latest thing added.”