Electrify America bug opens hacking vulnerability concerns

roamtheworld

https://www.teslarati.com/electrify-america-chargers-hacking-vulnerability-bug/



A bug in an Electrify America charger has allowed one person to gain nearly unlimited access, activating concerns of potential hacking vulnerabilities.

As electric vehicle chargers have become an ever more prevalent part of the infrastructure around us, worries about their security have mounted. Potentially the best example of this security risk has been spotted by the Kilowatts, who showed that they had gained access to an Electrify America charger with ease by utilizing a program called TeamViewer.

As seen in the video posted on Twitter this afternoon, the Kilowatts gained what looks to be unrestricted access to an Electrify America charger.




In a second video, it is shown that, through TeamViewer, the charger’s internal computer is essentially completely open, allowing a potential hacker to move the mouse, type, and open programs on the machine.




We reached out to Ryan of The Kilowatts, who believes the vulnerability does open the door for more sinister people to obtain personal information. “Essentially, I could spin up a spoofed EA application that collects personal information through the touchscreen,” he told us. He said he couldn’t access the credit card reader, but others, with perhaps more hacking experience, could.

This could catalyze concerns about customer privacy and security.

This is far from the first time that Electrify America has been criticized for what some claim to be a sub-par charging experience. The company has infamously faced allegations of large numbers of its chargers being inoperable, its charger software being clunky and, in this case, insecure, or even that it has not aggressively enough expanded to offer charging throughout the United States.

Electrify America was not immediately available to comment to Teslarati, nor has the company’s official Twitter account responded to the videos.

Sadly, this bug discovery comes only hours after another Electrify America charger allegedly damaged a vehicle that plugged into it. That issue was found when a Rivian R1T plugged into the charger and could not move after the charger “fried” the truck, according to the vehicle owner. And this follows a string of similar occurrences with other vehicles around the country. Worryingly, Electrify America has not yet responded to this allegation either.

 

Logal727

seems bad
 

MellowJohnny

And by extension, potentially gaining access to the car? That DCFC connection exchanges data with the car, so....not great
 

bshaw

Welp. Now we know *why* rebooting an EA charger that isn't working is frequently the first troubleshooting step......
They are running embedded Windows in there. smh
 

AhardFSU

Welp. Seems about right for EA. Gotta love that the reporter tried to reach EA for a comment and they got crickets.
 


benk016

So this looks to me like someone at EA connected to the station, and didn't end their session on TeamViewer. He happened to come across the station and saw the client ID and connected that way. Since the desktop was already showing it would display the password to connect right on the screen. If you don't have the ID and password, this wouldn't normally work.

They need to lock TeamViewer down more obviously and limit what IP ranges can connect.
 

Logal727

Wait, you mean they aren't Elit3 haxx0rs?
 

roamtheworld

Update 5:39 PM ET: Electrify America has responded to Teslarati with the following statement:

“Intentionally accessing a computer system without authorization can be a serious crime and may incur civil liability as well. We continue to investigate these events and intend to protect ourselves and our customers.”
 

kltye

Welp. Now we know *why* rebooting an EA charger that isn't working is frequently the first troubleshooting step......
They are running embedded Windows in there. smh
Not sure if you're missing a /s at the end of your post, but Windows is the least of their problems...

Also, not sure why this is news now. I've seen the TeamViewer thing about a half dozen times when I've pulled up to various stations over the last year.
 

CompilerBreak

Update 5:39 PM ET: Electrify America has responded to Teslarati with the following statement:

“Intentionally accessing a computer system without authorization can be a serious crime and may incur civil liability as well. We continue to investigate these events and intend to protect ourselves and our customers.”
If they spent half the money they do on lawyers instead on proper security most of these companies could stay out of the news in the first place...