Insecure Password allowed Administrative Access to Electric Vehicle Chargers

Electric vehicle chargers of the brand Hypercharger were shipped with an insecure default password and allowed access to a configuration interface to anyone over the Internet. The vendor reacted quickly, but incidents like this show potential IT security risks of electrification infrastructure.

A Hypercharger electric vehicle charging station. (Image: Hanno Böck)

Hypercharger is a popular brand of electric vehicle chargers produced by the Italian company Alpitronic. A group of people who describe themselves as electric vehicle enthusiasts and who all work in the IT industry recently contacted me and informed me about a security problem with electric vehicle chargers of the brand Hypercharger.

Annika Wickert, Stefan Klöpping, and Jan Gilla noticed that the instruction manual of the Hyperchargers mentions a web interface that can be accessed with the username "admin" and the password "admin123". Users are advised to change the password, but as one might expect, this does not always happen.

Via a search engine for Internet-connected devices called Shodan, they were able to find multiple such chargers connected to the Internet. For many of them, logging in with the username and password from the instruction manual was possible. (In my own tests, around a third of the devices had not changed the default password.)

A third of the devices were accessible with a password from the manual

The interface allowed changing many settings of the chargers, including options related to the power supply and payment. In some cases, payment data was accessible. (Alpitronic pointed out that this data contained no personal data and only the last four digits of credit card numbers.)

After I contacted Alpitronic and asked them to comment on these findings, they informed affected customers and prevented access to the devices. Within a day, most devices were no longer accessible from the Internet.

"In the future, individual passwords will be assigned to each charging station at the factory," said Alpitronic spokesperson Daniela Halbwidl. Furthermore, Alpitronic plans to implement changes so the configuration interface will no longer be accessible from the public Internet by default.

What is notable is that this issue is relatively basic and easy to understand. (While investigating it, I learned about a second problem with the Hypercharger devices related to encrypted connections and website certificates, but it requires more technical background to understand.)

Californian law forbids default passwords

Similar security problems with publicly known default passwords are so common that they have been on the radar of regulators and lawmakers. The US Federal Trade Commission (FTC) has brought charges against vendors of such devices multiple times.

In California, Senate Bill 327 has required vendors of Internet-connected devices to prevent such issues since 2020. It explicitly requires that either each device ships with a unique password or users are required to change the password. Oregon implemented similar regulation (HB 2395).
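To make the two compliant designs concrete, here is an added example (not Alpitronic's code or any real charger firmware) of how a device's admin account can implement both options at once: a unique random password assigned at provisioning, a forced change before the account is usable, a refusal to ever accept the documented default "admin123" as a new password, and a configuration interface that is unreachable from public addresses unless explicitly enabled. Class and function names are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import secrets
import string

# The default credential documented in the manual, per the article; we never
# accept it as a new password. Length requirement is a constructed policy value.
KNOWN_DEFAULT_PASSWORDS = {"admin123"}
MIN_PASSWORD_LENGTH = 12


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored verifier is useless if the config is dumped."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ChargerAdminAccount:
    """Admin account of one charging station's configuration interface (hypothetical)."""

    def __init__(self, username: str = "admin"):
        self.username = username
        self.salt = secrets.token_bytes(16)
        # Factory provisioning: a unique random password per unit, to be printed
        # on the unit's label. This is the "unique per device" option.
        alphabet = string.ascii_letters + string.digits
        self.factory_password = "".join(secrets.choice(alphabet) for _ in range(16))
        self._verifier = _hash(self.factory_password, self.salt)
        self.must_change = True  # "user must change the password" option

    def login(self, username: str, password: str) -> str:
        """Returns 'denied', 'change_required' or 'ok'; no settings until 'ok'."""
        candidate = _hash(password, self.salt)
        if username != self.username or not hmac.compare_digest(candidate, self._verifier):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Rejects known defaults, short passwords and re-use of the factory password."""
        if self.login(self.username, current) == "denied":
            return False
        if new in KNOWN_DEFAULT_PASSWORDS or len(new) < MIN_PASSWORD_LENGTH:
            return False
        if new == self.factory_password:
            return False
        self.salt = secrets.token_bytes(16)
        self._verifier = _hash(new, self.salt)
        self.must_change = False
        return True


def config_interface_allowed(client_ip: str, allow_public: bool = False) -> bool:
    """By default the configuration interface answers only non-global (LAN/loopback) clients."""
    return allow_public or not ipaddress.ip_address(client_ip).is_global
```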

Alpitronic handled this issue quickly and professionally. However, similar security issues will likely plague digital infrastructure in the future. Decarbonization often means electrification, and that often comes with digitalization. Therefore, these are issues to keep on the radar for the cleantech industry.

Author: Hanno Böck

I don't like paywalls, and I guess you don't like them either. You can read my articles for free, but researching and writing them takes time and effort.

If you enjoy reading this newsletter regularly, please consider supporting my work. You can donate to support my work via Patreon. If you work for a company or organization that may want to sponsor the newsletter or advertise in it, please get in touch.

If you do not want to support me financially, that is, of course, also fine. You can still help me tremendously by sharing this newsletter. If you found this text insightful, please forward it to others or share it on social media, in your organization's chat, or wherever you find appropriate.


You can find this article online at https://industrydecarbonization.com/news/insecure-password-allowed-administrative-access-to-electric-vehicle-chargers.html