Security vulnerabilities in 'rentable' Internet of Things (IoT) infrastructure could allow attackers to remotely disable entire networks of public electric vehicle (EV) chargers. This risk was demonstrated by researcher Hetian Shi during a presentation at the Black Hat Asia conference.
Shi, a hardware and IoT security researcher at China’s Tsinghua University, presented his findings on Friday. He argued that developers of shared services, such as e-bikes and EV chargers, are prioritizing user convenience over essential security protocols.
Shi noted that the nature of rentable IoT services creates a unique security risk. Because any user can access and examine the physical devices, attackers can easily study them for vulnerabilities.
His investigation uncovered that many devices include accessible debugging ports or UART connectors. These hardware features make it easy for attackers to study device operations and extract information.
Shi found shared authentication keys embedded in device firmware. Additionally, he identified backend services that fail to properly verify user identities during the connection process.
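Why a key shared across firmware images fails where per-device keys hold, shown as an added example that is not from Shi's talk or any vendor's code. The key names, device IDs, message layout and counter-based replay check are all assumptions made for illustration.

```python
import hashlib
import hmac

# All keys, device IDs and payloads below are constructed for illustration.
FLEET_KEY = b"identical-key-in-every-firmware-image"   # weak: one key for the fleet
MASTER_SECRET = b"held-by-backend-only-never-on-device"  # hardened: server-side only

def device_key(device_id: str) -> bytes:
    """Per-device key derived server-side and provisioned into that one device."""
    return hmac.new(MASTER_SECRET, b"devkey" + device_id.encode(), hashlib.sha256).digest()

def sign(key: bytes, device_id: str, counter: int, payload: bytes) -> bytes:
    """MAC over a length-prefixed device ID, a message counter and the payload."""
    did = device_id.encode()
    msg = len(did).to_bytes(2, "big") + did + counter.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def verify_shared(device_id: str, counter: int, payload: bytes, tag: bytes) -> bool:
    """Weak check: whoever holds FLEET_KEY can speak as any device in the fleet."""
    return hmac.compare_digest(tag, sign(FLEET_KEY, device_id, counter, payload))

class Backend:
    """Hardened check: the key is bound to the claimed device ID, replays rejected."""

    def __init__(self) -> None:
        self.last_counter: dict[str, int] = {}

    def verify(self, device_id: str, counter: int, payload: bytes, tag: bytes) -> bool:
        expected = sign(device_key(device_id), device_id, counter, payload)
        if not hmac.compare_digest(tag, expected):
            return False
        if counter <= self.last_counter.get(device_id, -1):
            return False  # stale or replayed message
        self.last_counter[device_id] = counter
        return True

def compare_schemes() -> dict[str, bool]:
    """A key read out of charger-A is used for a message claiming to be charger-B."""
    payload, backend = b"status=offline", Backend()
    leaked_a = device_key("charger-A")
    return {
        "shared_accepts_cross_device": verify_shared(
            "charger-B", 1, payload, sign(FLEET_KEY, "charger-B", 1, payload)),
        "per_device_accepts_cross_device": backend.verify(
            "charger-B", 1, payload, sign(leaked_a, "charger-B", 1, payload)),
        "per_device_accepts_own_message": backend.verify(
            "charger-A", 1, payload, sign(leaked_a, "charger-A", 1, payload)),
    }
```

With per-device keys, one extracted key is limited to the device it came from, so the backend can revoke that single device instead of reflashing the fleet.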
Beyond hardware flaws, Shi identified critical weaknesses in the mobile applications used to access these services. He demonstrated that attackers could create 'phantom clients' that backend systems cannot distinguish from legitimate customers.
This flaw enables attackers to charge electric vehicles or rent e-scooters at zero cost. Shi also noted that these vulnerabilities extend to backend services, which could potentially expose the personal information of service users.
To prove the vulnerability, Shi used a custom tool called 'IDScope' during his presentation. He targeted specific chargers in Shanghai's People’s Square using the iOS app of a Chinese EV charging provider.
By entering a specific charger ID into a script, Shi successfully triggered a remote command. This command changed the charger's status in the app from green (available) to grey (disabled).
While Shi conducted his probes with permission and disclosed the results ethically, the findings suggest that the vulnerabilities found in Chinese infrastructure likely apply elsewhere. The demonstration of the remote disabling command drew spontaneous applause from the conference audience.