Investigating the Security of EV Charging Mobile Applications As an Attack Surface

IF 2 Q3 COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS ACM Transactions on Cyber-Physical Systems Pub Date : 2022-11-19 DOI:10.1145/3609508
Khaled Sarieddine, M. Sayed, Sadegh Torabi, Ribal Atallah, C. Assi
{"title":"Investigating the Security of EV Charging Mobile Applications As an Attack Surface","authors":"Khaled Sarieddine, M. Sayed, Sadegh Torabi, Ribal Atallah, C. Assi","doi":"10.1145/3609508","DOIUrl":null,"url":null,"abstract":"The adoption rate of EVs has witnessed a significant increase in recent years driven by multiple factors, chief among which is the increased flexibility and ease of access to charging infrastructure. To improve user experience and increase system flexibility, mobile applications have been incorporated into the EV charging ecosystem. EV charging mobile applications allow consumers to remotely trigger actions on charging stations and use functionalities such as start/stop charging sessions, pay for usage, and locate charging stations, to name a few. In this paper, we study the security posture of the EV charging ecosystem against a new type of remote which exploits vulnerabilities in the EV charging mobile applications as an attack surface. We leverage a combination of static and dynamic analysis techniques to analyze the security of widely used EV charging mobile applications. Our analysis was performed on 31 of the most widely used mobile applications including their interactions with various components such as the cloud management systems. The attack, scenarios that exploit these vulnerabilities were verified on a real-time co-simulation test bed. Our discoveries indicate the lack of user/vehicle verification and improper authorization for critical functions, which allow adversaries to remotely hijack charging sessions and launch attacks against the connected critical infrastructure. The attacks were demonstrated using the EVCS mobile applications showing the feasibility and the applicability of our attacks. Indeed, we discuss specific remote attack scenarios and their impact on EV users. More importantly, our analysis results demonstrate the feasibility of leveraging existing vulnerabilities across various EV charging mobile applications to perform wide-scale coordinated remote charging/discharging attacks against the connected critical infrastructure (e.g., power grid), with significant economical and operational implications. Finally, we propose countermeasures to secure the infrastructure and impede adversaries from performing reconnaissance and launching remote attacks using compromised accounts.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.0000,"publicationDate":"2022-11-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Cyber-Physical Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3609508","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS","Score":null,"Total":0}
引用次数: 6

Abstract

The adoption rate of EVs has witnessed a significant increase in recent years driven by multiple factors, chief among which is the increased flexibility and ease of access to charging infrastructure. To improve user experience and increase system flexibility, mobile applications have been incorporated into the EV charging ecosystem. EV charging mobile applications allow consumers to remotely trigger actions on charging stations and use functionalities such as start/stop charging sessions, pay for usage, and locate charging stations, to name a few. In this paper, we study the security posture of the EV charging ecosystem against a new type of remote which exploits vulnerabilities in the EV charging mobile applications as an attack surface. We leverage a combination of static and dynamic analysis techniques to analyze the security of widely used EV charging mobile applications. Our analysis was performed on 31 of the most widely used mobile applications including their interactions with various components such as the cloud management systems. The attack, scenarios that exploit these vulnerabilities were verified on a real-time co-simulation test bed. Our discoveries indicate the lack of user/vehicle verification and improper authorization for critical functions, which allow adversaries to remotely hijack charging sessions and launch attacks against the connected critical infrastructure. The attacks were demonstrated using the EVCS mobile applications showing the feasibility and the applicability of our attacks. Indeed, we discuss specific remote attack scenarios and their impact on EV users. More importantly, our analysis results demonstrate the feasibility of leveraging existing vulnerabilities across various EV charging mobile applications to perform wide-scale coordinated remote charging/discharging attacks against the connected critical infrastructure (e.g., power grid), with significant economical and operational implications. Finally, we propose countermeasures to secure the infrastructure and impede adversaries from performing reconnaissance and launching remote attacks using compromised accounts.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
作为攻击面的电动汽车充电移动应用安全性研究
近年来,电动汽车的采用率在多种因素的推动下显著提高,其中最主要的是充电基础设施的灵活性和易用性的提高。为了改善用户体验和增加系统灵活性,移动应用程序已被纳入电动汽车充电生态系统。电动汽车充电移动应用程序允许消费者远程触发充电站的操作,并使用诸如开始/停止充电会话、支付使用费用和定位充电站等功能。在本文中,我们研究了针对一种新型远程攻击的电动汽车充电生态系统的安全态势,这种远程攻击利用电动汽车充电移动应用程序中的漏洞作为攻击面。我们利用静态和动态分析技术的结合来分析广泛使用的电动汽车充电移动应用程序的安全性。我们对31个最广泛使用的移动应用程序进行了分析,包括它们与各种组件(如云管理系统)的交互。利用这些漏洞的攻击场景在实时联合模拟测试台上进行了验证。我们的发现表明,关键功能缺乏用户/车辆验证和不当授权,这使得攻击者能够远程劫持充电会话并对连接的关键基础设施发起攻击。使用EVCS移动应用程序演示了这些攻击,显示了我们的攻击的可行性和适用性。实际上,我们讨论了特定的远程攻击场景及其对EV用户的影响。更重要的是,我们的分析结果证明了利用各种电动汽车充电移动应用程序的现有漏洞对连接的关键基础设施(例如电网)进行大规模协调远程充电/放电攻击的可行性,具有重大的经济和运营影响。最后,我们提出了保护基础设施并阻止对手使用受损帐户进行侦察和发起远程攻击的对策。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
ACM Transactions on Cyber-Physical Systems
ACM Transactions on Cyber-Physical Systems COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS-
CiteScore
5.70
自引率
4.30%
发文量
40
期刊最新文献
A Comprehensive Threat Modelling Analysis for Distributed Energy Resources Carving out Control Code: Automated Identification of Control Software in Autopilot Systems Cooperative Driving of Connected Autonomous Vehicles using Responsibility Sensitive Safety Rules: A Control Barrier Functions Approach A Human-Centered Power Conservation Framework based on Reverse Auction Theory and Machine Learning On Cyber-Physical Fault Resilience in Data Communication: A Case From A LoRaWAN Network Systems Design
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1