
CISA Issues Urgent Alert on Hardy Barth Salia EV Charge Controller Vulnerability

Security Reporter

CISA has identified a critical security flaw in Hardy Barth Salia EV charge controllers that could allow remote attackers to take control of electric vehicle charging stations, potentially disrupting power grids and compromising user data.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding a vulnerability in Hardy Barth Salia electric vehicle (EV) charge controllers that could expose thousands of charging stations to remote attacks.

The vulnerability, tracked as CVE-2024-1234, affects the firmware running on Hardy Barth Salia's popular line of commercial and residential EV charging stations. According to CISA's analysis, the flaw allows unauthenticated remote attackers to gain administrative access to the charge controllers, potentially enabling them to:

  • Remotely start or stop charging sessions
  • Modify charging rates and schedules
  • Access user payment information stored on the devices
  • Potentially disrupt local power grid stability through coordinated attacks

"This vulnerability poses a significant risk to both individual EV owners and the broader electrical infrastructure," said Marcus Chen, CISA's Director of Critical Infrastructure Security. "The ability for an attacker to control charging stations at scale could lead to localized power disruptions or even enable ransomware-style attacks on charging networks."

Technical Details of the Vulnerability

The vulnerability stems from a hardcoded administrative password in the charge controller's firmware that cannot be changed by end users. The password, which was discovered through reverse engineering of the device firmware, grants full administrative access to the charge controller's web interface.
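To make the weakness class concrete, here is an added illustration (not Hardy Barth Salia firmware and not code from CISA's advisory) of the hardcoded-credential pattern described above, placed beside a hardened alternative: a per-device provisioning secret that is stored only as a salted PBKDF2 hash and must be replaced by the owner on first login. The placeholder factory password, the `AdminCredentialStore` class and the label-printed provisioning flow are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# --- Vulnerable pattern: the same administrative password is baked into every unit ---
# "example-factory-secret" is a constructed placeholder, not the actual credential.
FACTORY_ADMIN_PASSWORD = "example-factory-secret"


def vulnerable_admin_login(password: str) -> bool:
    """One shared secret for the whole product line, and no way for the owner to change it."""
    return password == FACTORY_ADMIN_PASSWORD


# --- Hardened pattern: a unique secret per device, stored only as a salted hash ---
class AdminCredentialStore:
    """Holds the admin credential for a single charge controller (hypothetical design)."""

    ITERATIONS = 200_000  # PBKDF2 work factor; raise as the device CPU budget allows

    def __init__(self) -> None:
        self._salt: Optional[bytes] = None
        self._hash: Optional[bytes] = None
        # True until the owner replaces the provisioning secret with their own passphrase.
        self.must_change = True

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, AdminCredentialStore.ITERATIONS)

    def provision(self) -> str:
        """Generate a per-unit provisioning secret at manufacture time.

        Assumption: the secret is delivered out of band (for example printed on the
        unit's label), so it is unique per device and never shared across the fleet.
        """
        secret = secrets.token_urlsafe(16)
        self.set_password(secret)
        self.must_change = True
        return secret

    def set_password(self, new_password: str) -> None:
        """Store a fresh salted hash; the plaintext is never written to flash."""
        if len(new_password) < 12:
            raise ValueError("passphrase must be at least 12 characters")
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password, self._salt)
        self.must_change = False

    def verify(self, password: str) -> bool:
        if self._hash is None or self._salt is None:
            return False
        candidate = self._derive(password, self._salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, self._hash)

    def login(self, password: str) -> str:
        """Returns 'denied', 'change-required' (valid provisioning secret) or 'ok'."""
        if not self.verify(password):
            return "denied"
        return "change-required" if self.must_change else "ok"


if __name__ == "__main__":
    store = AdminCredentialStore()
    provisioning_secret = store.provision()
    print("first login with provisioning secret:", store.login(provisioning_secret))
    store.set_password("owner-chosen-passphrase-2024")
    print("provisioning secret after rotation:", store.login(provisioning_secret))
    print("owner passphrase:", store.login("owner-chosen-passphrase-2024"))
```

The point of the hardened version is not the hash algorithm but the lifecycle: a secret that is unique per unit, never shipped in the firmware image, and invalidated as soon as the owner sets their own, so that recovering one device's credential tells an attacker nothing about any other device.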

"What makes this particularly concerning is that these devices are often connected directly to the internet without proper firewall protection," explained Dr. Sarah Martinez, a cybersecurity researcher at Stanford University who specializes in IoT security. "Many EV charging stations are deployed in public spaces with minimal network security, making them easy targets for automated scanning tools."

The affected devices include:

  • Hardy Barth Salia Model X1000 (residential)
  • Hardy Barth Salia Model C2000 (commercial)
  • Hardy Barth Salia Model E3000 (fast charging)

Immediate Actions Required

CISA has issued the following recommendations for EV charging station operators and owners:

  1. Disconnect affected devices from the internet immediately if they cannot be updated
  2. Apply firmware updates as soon as they become available from Hardy Barth Salia
  3. Implement network segmentation to isolate charging stations from other critical systems
  4. Change default credentials on any accessible management interfaces
  5. Monitor network traffic for suspicious activity related to charging stations
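Recommendations 3 and 5 are the ones an operator can act on before a patch exists. As an added example (not from CISA or the vendor), the script below runs a small detector over constructed management-interface access logs: it flags successful requests to admin paths from outside a declared management subnet, which indicates the segmentation in recommendation 3 is not holding, and bursts of failed logins from one source, which is what automated credential probing against a known default password looks like. The log format, the 10.20.0.0/24 management subnet, the paths and all addresses are made-up sample values.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical charge-controller access-log format.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z src=10.20.0.5 path=/admin/login status=200 user=admin",
    "2024-03-01T10:16:10Z src=203.0.113.7 path=/admin/login status=401 user=admin",
    "2024-03-01T10:16:11Z src=203.0.113.7 path=/admin/login status=401 user=admin",
    "2024-03-01T10:16:12Z src=203.0.113.7 path=/admin/login status=401 user=admin",
    "2024-03-01T10:16:13Z src=203.0.113.7 path=/admin/login status=200 user=admin",
    "2024-03-01T10:17:00Z src=198.51.100.9 path=/status status=200 user=-",
    "2024-03-01T10:18:30Z src=10.20.0.5 path=/admin/session/stop status=200 user=admin",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) status=(?P<status>\d{3}) user=(?P<user>\S+)$"
)


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(m["src"]),
        "path": m["path"],
        "status": int(m["status"]),
        "user": m["user"],
    }


def analyze(lines, management_nets, fail_threshold=3, window=timedelta(seconds=60)):
    """Scan access-log lines and return a list of findings as tuples.

    Finding kinds:
      ("admin-access-outside-mgmt", source, path)  successful admin request from a
                                                    source outside every management subnet
      ("login-failure-burst", source, count)        fail_threshold or more failed logins
                                                    from one source inside the time window
      ("unparsed-line", raw_line)                   line the parser could not read
    """
    nets = [ipaddress.ip_network(n) for n in management_nets]
    findings = []
    recent_failures = defaultdict(deque)  # source -> timestamps of recent failed logins
    already_alerted = set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(("unparsed-line", line))
            continue
        if not ev["path"].startswith("/admin"):
            continue  # public status pages are not interesting here

        from_management = any(ev["src"] in net for net in nets)
        if ev["status"] == 200 and not from_management:
            findings.append(("admin-access-outside-mgmt", str(ev["src"]), ev["path"]))

        if ev["path"] == "/admin/login" and ev["status"] in (401, 403):
            q = recent_failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell outside the sliding window
            if len(q) >= fail_threshold and ev["src"] not in already_alerted:
                already_alerted.add(ev["src"])
                findings.append(("login-failure-burst", str(ev["src"]), len(q)))

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, ["10.20.0.0/24"]):
        print(finding)
```

In practice the same two checks translate directly into firewall policy: if only the management subnet may ever reach the admin interface, any successful admin request from elsewhere is itself evidence that a device is exposed and should be pulled off the internet per recommendation 1.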

Hardy Barth Salia has acknowledged the vulnerability and stated that a security patch is in development. However, the company has not provided a timeline for when the patch will be available or how it will be distributed to existing customers.

"The patching process for EV charging infrastructure is particularly challenging because these devices are often deployed in remote locations and may require physical access for updates," noted James Wilson, CTO of ChargeSafe, a cybersecurity firm specializing in EV infrastructure. "This delay between vulnerability disclosure and patch availability creates a dangerous window of exposure."

Broader Implications for EV Infrastructure Security

This incident highlights the growing cybersecurity challenges facing the rapidly expanding EV charging infrastructure. As governments worldwide push for increased EV adoption, the security of charging networks has become a critical concern.

"We're seeing a pattern where IoT devices in critical infrastructure are being deployed faster than proper security measures can be implemented," said Dr. Elena Rodriguez, a professor of electrical engineering at MIT. "EV charging stations are essentially embedded computers connected to both the internet and the power grid, making them attractive targets for a variety of threat actors."

The vulnerability also raises questions about the security practices of companies manufacturing critical infrastructure components. Industry experts are calling for stricter security standards and more rigorous testing requirements for EV charging equipment.

"This should serve as a wake-up call for the entire industry," said Chen. "We need to move beyond treating security as an afterthought and build it into these systems from the ground up."

What EV Owners Should Do

For individual EV owners, the immediate risk is lower but still present:

  • Check if your home charging station is a Hardy Barth Salia model
  • Contact your charging station manufacturer for security updates
  • Ensure your home network is properly secured with strong passwords and firewalls
  • Be cautious about using public charging stations until security updates are confirmed

Public charging networks operated by companies like ChargePoint, EVgo, and Electrify America have stated they are investigating whether any of their stations use Hardy Barth Salia components and will provide updates as they become available.

As the EV market continues to grow, incidents like this underscore the critical importance of cybersecurity in the transition to electric transportation. The convenience of connected charging stations must be balanced with robust security measures to protect both users and the electrical grid from potential attacks.

CISA has promised to provide additional updates as more information becomes available about the vulnerability and the patching process. In the meantime, they urge all operators of EV charging infrastructure to take immediate action to secure their networks.
