Recent and Upcoming Security Trends in Cloud Low-Level Hardware Devices: A survey
By Sean Rivera
The rapid evolution of cloud infrastructures has introduced complex security challenges, particularly concerning all of the processing devices and peripheral components that underpin modern data centers.
Recognizing the critical need for robust and consistent cloud security standards, technology firms, developers, and cybersecurity experts established the Open Compute Project Security Appraisal Framework and Enablement (OCP S.A.F.E.) Program.
At the 2024 OCP Regional Summit in Lisbon, I was joined by my colleague Alfredo Pironti, Director of Services at IOActive, to present a deep dive into the security of cloud infrastructures, the threats facing the crucial hardware that supports them, and how organizations can prevent being compromised by adopting new threat modeling techniques and security frameworks.
IOActive has monitored the state and health of hardware security for decades. We are now observing the changes in cybercriminal tactics, threats, and vulnerabilities that could compromise key components in digital supply chains and services.
When attackers target the hardware level, they can potentially exploit the entire stack. Once granted access to the hardware foundation, cybercriminals could potentially compromise physical infrastructure, data storage, applications, developer environments, code bases, and entire systems.
If vulnerable hardware is utilized in cloud services, this could even pose threats to national security as so many CSPs are now the backbone of critical infrastructure.
Hardware and computational components have evolved to meet the needs of increasingly complex cloud infrastructures and services. However, each new, enhanced capability may also create a new avenue for attack.
Take NVMe-based SSD disks and SR-IOV-enabled cards, for example. As we discussed during our presentation, historically, board problems, design flaws, or some implementation errors posed the most risk. Now, logical access bugs, data theft, arbitrary and remote code execution vulnerabilities, side-channel attacks, denial-of-service, and supply chain attacks must also be addressed.
IOActive has uncovered a wide range of risks to today’s cloud infrastructure through hands-on experience. Many hardware-based vulnerabilities stem from incorrect implementation, such as integer flaws, out-of-bounds memory issues, and race conditions.
During testing, we observed various security problems caused by component design and operational processes. A critical insight gleaned from our research is that 25% of vulnerabilities found were introduced in the design stage, showing a need for testing services early in the process.
In our presentation, we proposed an archetypal threat model that addresses the disconnect between developers, hardware manufacturers, and service providers regarding security. A core component of our model explores the divergence between the threats that cloud service providers face, and those faced by cloud hardware providers.
As addressed by the OCP S.A.F.E. framework, achieving robust security standards throughout the entire digital supply chain can assist hardware suppliers and service providers alike in tackling today’s cybersecurity challenges.
A recording of our presentation is available here; it shares our knowledge and insights on cloud security and on how frameworks such as OCP S.A.F.E. benefit organizations today.
– IOActive Senior Security Consultant and Researcher, Sean Rivera
The world-wide trend toward the adoption of EVs is driven by climate-control and carbon-pollution-free electricity-sector goals and policies that are being mandated over the coming years around the world, such as:
In the USA, Executive Order 14057[1] restricts all government agencies’ new acquisitions of light-duty vehicles to only EVs by 2027 and mid- and heavy-duty vehicle acquisitions to only EVs by 2035.
In California, Executive Order N-79-20[2] ends sales of ICE passenger vehicles and trucks by 2035[3].
The EU and UK have banned sales[4] of new combustion engine cars from 2035.
The Battery Electric Vehicle (BEV) and charging infrastructure landscape is rapidly evolving technologically and operationally in a market where cost and time-to-market are prioritized over security[5]. The technologies used to build the BEV ecosystem suffer from well-known cybersecurity issues that expose vulnerabilities and risk. Current charging stations are operated as build-and-forget devices that are highly exposed and network connected, with cyber and physical vulnerabilities that pose a great challenge to the ecosystem, including to bulk electric and distribution system stability, and with limited threat mitigation in place today.
Securing such an advanced, fully connected, and heterogeneous supply grid will take a similar effort to the Information and Communication Technology (ICT) sectors that secure webservers and cloud infrastructure, and this would also include mitigations around the cyberphysical vulnerabilities unique to the BEV ecosystem.
High Power Charging (HPC) standards for the Megawatt Charging System (MCS) are being developed by the CharIN (Charging Interface Initiative e.V.) international standards organization[6].
Modern electrified transportation vehicles will require an HPC infrastructure. Cybersecurity vulnerabilities in HPC systems operating at very high levels of power pose a serious cyberphysical threat not only to the new electric vehicles and their supporting infrastructure, but also to the electrical grid (bulk and distribution) that supplies power to the HPC systems. These cyberphysical vulnerabilities will require focused, skillful mitigation.
The potential consequences of a successful, skillful attack on a BEV or EVSE system include remote code execution on BEVs or EVSEs, physical damage to vehicles or chargers, local or regional power outages, and larger coupling effects across countries from induced cascading failures.
In-vehicle technology is a top selling point for today’s car buyers[7]. What was once simply a “connected vehicle” is now increasingly more feature-rich, with software systems like self-driving and driver assist, complex infotainment systems, vehicle-to-other communication and integration with external AI. More than ever, all of this exciting technology turns modern vehicles into targets for malicious cyberattacks such as ransomware. It is imperative that automotive manufacturers take additional action now to infuse cybersecurity into their vehicles and mitigate potential threats. Moreover, EVSE manufacturers and utilities need to increase efforts to manage their highly impactful risks.
IOActive’s pioneering vehicle cybersecurity research began with the ground-breaking 2015 Jeep hack[8] and evolved into our ongoing vehicle research, which has included commercial trucks, EVSE, and autonomous vehicles.
For over a decade, IOActive has been publishing original research blogs and papers:
Remote Exploitation of an Unaltered Passenger Vehicle (2015): This IOActive research paper outlined the research into performing a remote attack against an unaltered 2014 Jeep Cherokee and similar vehicles. IOActive reprogrammed a gateway chip in the head unit to allow it to send arbitrary CAN messages and control physical aspects of the car such as steering and braking. This testing forced a recall of 1.4 million vehicles by FCA and mandated changes to the Sprint carrier network. https://ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf
Uncovering Unencrypted Car Data in Luxury Car Connected App (2020): IOActive conducted research to determine whether a luxury car used encrypted data for its connected apps. Unencrypted data was found in the app that could be used to stalk or track someone’s destination, including identification of the exact vehicle and its location. IOActive used Responsible Disclosure channels and the manufacturer implemented encryption to protect the sensitive data via key management. https://labs.ioactive.com/2020/09/uncovering-unencrypted-car-data-in-bmw.html
NFC Relay Attack on the Tesla Model Y (2022): IOActive reverse-engineered the Near Field Communication (NFC) protocol used by an EV automaker between the NFC card and the vehicle, and created custom firmware modifications that allowed a device to relay NFC communications over Bluetooth/WiFi using a BlueShark module. It was possible to perform the attack via Bluetooth from several meters away, as well as via WiFi from much greater distances. https://act-on.ioactive.com/acton/attachment/34793/f-6460b49e-1afe-41c3-8f73-17dc14916847/1/-/-/-/-/NFC-relay-TESlA_JRoriguez.pdf
EVSE Cybersecurity Incidents Are Increasing
The growing popularity of Electric Vehicles (EVs) attracts not only gas-conscious consumers but also cybercriminals interested in using EV charging stations to conduct large-scale cyberattacks for monetization purposes, espionage attacks, politically motivated attacks, theft of private/sensitive data (e.g., drivers’ data), falsifying EV ranges, and more. EVSEs, whether in a private garage or on a public parking lot, are connected IoT devices, running software that interacts with payment systems, maintenance systems, OEM back-end systems, telecommunications, and the smart grid. Therefore, charging stations pose significant cybersecurity risks.
Early incidents of cyberattacks on charging stations include the following:
In July 2021, 13 EVSE vulnerabilities affecting EV charging controller firmware manufactured by a major EVSE vendor were discovered, including three critical, eight high-severity, and two medium-severity vulnerabilities. https://portswigger.net/daily-swig/schneider-electric-fixes-critical-vulnerabilities-in-evlink-electric-vehicle-charging-stations These security flaws could enable attackers to exploit EVSEs remotely, escalate privileges, perform remote code execution, and even gain a full takeover of the EV charging device. Three CVEs were assigned a CVSS score of 9.4. Following the incident, the EVSE vendor recommended operating network-capable devices in a closed and protected network behind a suitable firewall.
In January 2023, a security researcher from Kilowatts was able to expose potential vulnerabilities and security issues in a major EVSE vendor by using a program known as TeamViewer to gain full access to the charger’s internal computer, which was reportedly wide open. The researcher was able to navigate with a mouse, type on a keyboard, collect personal information through the touchscreen and enter various programs with ease, all of which concerned the EV owner and social media influencer significantly. https://www.teslarati.com/electrify-america-chargers-hacking-vulnerability-bug https://insideevs.com/news/642914/electrify-america-charging-station-bugs-easy-hacking/
In July 2021, a cybersecurity research firm spent 18 months analyzing seven popular EV charger models, finding that five had critical flaws. For instance, a software bug in an EVSE network could be exploited by hackers to obtain sensitive user information. Also, an EVSE sold in the UK by Project EV allowed researchers to overwrite its firmware. https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/
EVSE cybersecurity incidents are on the increase. Links to information on several other cybersecurity hacks, as well as further reading regarding EVSE cybersecurity, are listed at the end of this blog post.
EVSE cybersecurity risk and threat scenarios include a wide variety of potential issues:
EVSE malware attacks threatening the integrity of the electric grid/transportation network, leading to widespread disruptions in power supply and electric grid load-balancing concerns
Ransomware attacks
Leakage/manipulation of sensitive data (e.g., PII, credentials, and payment card data)
Physical attacks to disable EVSEs, steal power, or infect EVSEs with malware via accessible USB ports
Attacks on RFID, NFC, or credit card chip authentication that could deny EVSE charging sessions or produce false billing
EVSE or grid Denial of Service attacks, impacting drivers’ ability to recharge during a hurricane or wildfire evacuation
Firmware/software update attacks, causing access disruption to the necessary cloud services for payment processing
Bypassing bootloader protections, which can allow attackers with physical access to gain root access into EVSEs to launch attacks on the backend infrastructure while appearing as a trusted device
An EVSE attack through the charging cable could compromise an EV, causing fire or other damage
IOActive’s Electric Vehicle Charging Infrastructure Vulnerability Findings
Over the past five years, IOActive has conducted several EVSE cybersecurity penetration testing engagements for automotive and commercial truck OEMs/suppliers and EVSE vendors. Examples of IOActive’s electrification penetration testing include assessments of Level 2 EVSEs, DC Fast Chargers (DCFCs), Open Charge Point Protocol (OCPP)/cloud services, front-end/back-end web applications, onsite network configuration reviews, and EV vans.
For the past year, IOActive has led an international EVSE standards working group that has developed a public EVSE Threat Model White Paper identifying EVSE risks, vulnerabilities, and design flaws. The paper also includes threat scenarios ranked by magnitude, duration, recovery effort, safety costs, effect, and confidence/reputation damage. This White Paper can be shared with industry members upon request.
IOActive Welcomes Future EVSE Cybersecurity Discussions with Industry
We would like to continue to support the key industries impacted by the transition to electrified vehicles. Much of the most detailed work that we have done cannot be shared publicly. We welcome those with a need to know about the risks of and mitigations for BEVs and EVSEs to engage with us for a briefing on example extant vulnerabilities, technical threat models, threat actors, consequences of operationalized attacks, and other threat intelligence topics, as well as potential mitigations and best practices.
If you are interested in hosting IOActive for a briefing, and/or would like copies of the aforementioned presentations or white paper, please contact us.
Government Fleet and Public Sector Electric Vehicle Supply Equipment (EVSE) Cybersecurity Best Practices and Procurement Language Report: https://rosap.ntl.bts.gov/view/dot/43606