Insecure Password allowed Administrative Access to Electric Vehicle Chargers
Electric vehicle chargers of the brand Hypercharger were shipped with an insecure default password and allowed access to a configuration interface to anyone over the Internet. The vendor reacted quickly, but incidents like this show potential IT security risks of electrification infrastructure.
Hypercharger is a popular brand of electric vehicle chargers produced by the Italian company Alpitronic. A group of people who describe themselves as electric vehicle enthusiasts and who all work in the IT industry recently contacted me and informed me about a security problem with electric vehicle chargers of the brand Hypercharger.
Annika Wickert, Stefan Klöpping, and Jan Gilla noticed that the instruction manual of the Hyperchargers mentions a web interface that can be accessed with the username "admin" and the password "admin123". Users are advised to change the password, but as one might expect, this does not always happen.
Via a search engine for Internet-connected devices called Shodan, they were able to find multiple such chargers connected to the Internet. For many of them, logging in with the username and password from the instruction manual was possible. (In my own tests, around a third of the devices had not changed the default password.)
A third of the devices were accessible with a password from the manual
The interface allowed changing many settings of the chargers, including options related to the power supply and payment. In some cases, payment data was accessible. (Alpitronic pointed out that the data did not contain personal data and only the last four digits of credit cards.)
After I contacted Alpitronic and asked them to comment on these findings, they informed affected customers and prevented access to the devices. Within a day, most devices were no longer accessible from the Internet.
"In the future, individual passwords will be assigned to each charging station at the factory," said Alpitronic spokesperson Daniela Halbwidl. Furthermore, Alpitronic plans to implement changes so the configuration interface will no longer be accessible from the public Internet by default.
What is notable is that this is an issue that is relatively basic and easy to understand. (While investigating this issue, I learned about a second problem with the Hypercharger devices related to encrypted connections and website certificates, but it requires more technical background to understand.)
Californian law forbids default passwords
Similar security problems with publicly known default passwords are so common that they have been on the radar of regulators and lawmakers. The US Federal Trade Commission (FTC) has put forward charges against vendors of such devices multiple times.
In California, Senate Bill 327 has required vendors of Internet-connected devices to prevent such issues since 2020. It is explicit that either each device comes with a unique password or users are required to change the password. Oregon implemented similar regulation (HB 2395).
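The two designs that the California rule allows, a unique password per device or a forced change before access, can be sketched as follows. This is an added example, not code from Alpitronic or from this article; the function names, the record layout, the 12-character minimum and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Shared defaults that must never be accepted as a final password.
# "admin123" is the manual default named in the article; the others are assumed.
KNOWN_DEFAULTS = {"admin123", "admin", "password"}
MIN_LENGTH = 12  # assumed policy value


def _hash(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash on the device, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_record(password: str, must_change: bool) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt), "must_change": must_change}


def provision_unique(serial: str) -> tuple[str, dict]:
    """Option 1: the factory assigns a random password to each device."""
    password = secrets.token_urlsafe(12)  # 96 bits of randomness, 16 characters
    return password, {**make_record(password, must_change=False), "serial": serial}


def provision_shared_default(default: str) -> dict:
    """Option 2: a shared default only unlocks the change-password step."""
    return make_record(default, must_change=True)


def login(record: dict, password: str) -> str:
    if not hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        return "denied"
    # A correct default grants no configuration access until it is replaced.
    return "change_required" if record["must_change"] else "ok"


def change_password(record: dict, old: str, new: str) -> bool:
    if login(record, old) == "denied":
        return False
    if new in KNOWN_DEFAULTS or new == old or len(new) < MIN_LENGTH:
        return False
    record.update(make_record(new, must_change=False))
    return True
```

In the second design the web interface would serve only the change-password form while `login` returns `"change_required"`, so a device left on the manual's credentials exposes no settings or payment data.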
Alpitronic handled this issue quickly and professionally. However, similar security issues will likely plague digital infrastructure in the future. Decarbonization often means electrification, and that often comes with digitalization. Therefore, these are issues to keep on the radar for the cleantech industry.
Author: Hanno Böck
In Namibia, construction of a hydrogen-based steel plant has started. The initial production capacity will be 15,000 tons per year. Plans are to ramp up capacity to industrial scales later.
Future Cleantech Architects published a factsheet on decarbonizing aviation.
Heaten and Südzucker announced a collaboration for an industrial heat pump with temperatures up to 200 °C. It will provide steam for sugar production processes.
Inside Climate News reports that emissions of HFC-23 have been detected in East Asia. HFC-23 is a highly potent greenhouse gas; its warming effect is around 14,000 times that of carbon dioxide. HFC-23 is regulated by the Kigali Amendment to the Montreal Protocol, and its use should already have been phased out.
Shipping company Maersk and Chinese wind energy company Goldwind have signed a green methanol offtake agreement.