Electric car charge station payment systems may lack basic security measures
Just a PSA: If you charge your car regularly at a public charge station, you might want to keep an eye out for fraudulent charges on whatever card you use to pay for it. Researchers have found that some charge stations, specifically those that require a dedicated card, “have not implemented basic security mechanisms” like encryption.
Mathias Dalheimer, a security researcher who works at Fraunhofer, first presented his findings at the Chaos Computer Club conference. He first contacted the companies in question (which are not named), some of which apparently have refused to fix the issue — so he has presented it publicly, and now it’s even on the German R&D firm’s official page.
The charge systems in question give you a card with a user ID number on it, which is connected in their backend to an actual debit card on file at the company. That wouldn’t be a problem if this ID number wasn’t transmitted, unencrypted, every time you use a charge station.
Intercepting these numbers would be trivial for a hacker, and there appears to be no mechanism for preventing duplicates of that card from being made and used, or for transactions to be otherwise spoofed. Dalheimer compared it to a store accepting a photocopy of a debit card rather than the real thing.
There’s no guarantee that the charge station you use is compromised, but there’s also no way to know for sure that it isn’t; you may be able to ask the company in question if they’re affected and if they are taking measures to protect users. Until better standards are set, you might want to keep an eye out for unauthorized charges — or even unauthorized charges.