
Large-Scale Study of Internet-Connected Electric Vehicle Charging Station Management Systems: Discovery, Security Analysis and Mitigation

Nasr, Tony (2021) Large-Scale Study of Internet-Connected Electric Vehicle Charging Station Management Systems: Discovery, Security Analysis and Mitigation. Masters thesis, Concordia University.

Full text: Nasr_MASc_F2021.pdf (Accepted Version, PDF, 2MB), available under the Spectrum Terms of Access license.

Abstract

The demand for Electric Vehicles (EVs) has been increasing exponentially, and sustaining that growth has forced the industry to develop the supporting infrastructure rapidly. This has led to a corresponding increase in the number of deployed EV charging stations (EVCS) to meet charging demand. These Internet-connected EVCS are equipped with management systems (EVCSMS) that enable extended remote operation, but the insecurity of those EVCSMS opens the door to a range of cyber attacks that threaten the availability, privacy and resiliency of EVCS users and the connected critical infrastructure. Building a reliable EV charging ecosystem therefore means serving customer demand while securing the Internet-enabled systems and the connected critical infrastructure against such attacks. In this thesis, we propose a multi-stage framework for investigating the EVCS threat landscape by fingerprinting online EVCSMS and evaluating their (in)security from an external adversary's point of view, without the privilege and level of access that the respective system developers have, thus providing a realistic perspective of the attack surface. The framework extracts features from a small sample of EVCSMS and then performs an iterative, extended discovery and fingerprinting process that leverages existing device search engines together with a sequence of classification and clustering approaches. The security of the identified EVCSMS is then assessed through in-depth vulnerability analysis. Specifically, we use reverse engineering and penetration testing techniques to perform a novel and comprehensive security and vulnerability analysis of the identified EVCSMS and their software/firmware implementations. Our systematic analysis uncovers an array of vulnerabilities that demonstrate the insecurity of the EVCSMS against remote cyber attacks.
Considering the feasibility of such attacks, we discuss their implications for the various stakeholders (i.e., the EVCS, users/operators, and the power grid). More importantly, we simulate the impact of practical cyber attack scenarios against the power grid, which can result in service disruption and failure in the grid. Using the framework, we identify 27,439 EVCS hosts that are instrumented by 44 different EVCSMS products. Our in-depth analysis demonstrates the insecurity of EVCSMS at scale by identifying 120 vulnerabilities across the majority of the hosts (92%), mainly critical and/or high-risk vulnerabilities (e.g., SQL injection) that lead to remote exploitation. While we recommend countermeasures to mitigate future threats, our discoveries raise concerns about the lack of adequate security considerations in the design of the deployed EVCS and should motivate vendors to take immediate action to patch their systems. Our communication with the concerned parties resulted in positive responses from vendors such as Schneider Electric, who acknowledged our findings by reserving more than 20 CVEs. Moreover, we contribute to the security of the EVCS ecosystem by providing our framework and knowledge to motivate vendors and developers to evaluate and improve the security of their EVCSMS. We conclude this thesis by summarizing the main takeaways and discussing research gaps that pave the way for future work.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Nasr, Tony
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 11 August 2021
Thesis Supervisor(s): Assi, Chadi and Fachkha, Claude
ID Code: 988636
Deposited By: Tony Nasr
Deposited On: 29 Nov 2021 17:08
Last Modified: 01 Mar 2023 01:00
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
