Charging your electric car in the charging station in your neighborhood may expose your personal data, a cybersecurty researcher claims.

Mathias Dalheimer raised this issue at the thirty-fourth Chaos Communication Congress, in his talk about the vulnerabilities of the electric car infrastructure.

Charging station providers receive money in exchange for providing electrical energy. For those transactions, they need a built-in billing system. Before you can start charging your car, you need to identify yourself using your charging ID token, a special near-field-communication (NFC) card that is associated with your account.

The billing for electro mobility is normally carried out using the Open Charge Point Protocol, which regulates communications between billing management systems on one end and the electric charging point on the other end. The charging point sends a request identifying you to the billing system; billing management approves the request and lets the charging point know; and the station lets you start charging. Afterwards, the amount of electricity is calculated and sent back to the billing management system so that it can bill you at the end of the month.

Dalheimer probed different components of the system and found that all of them had some problems with security. The first is the ID tokens. They are made by third-party providers and most of them do not secure your data. They are very simple NFC cards that do not encrypt your ID or anything else they contain. The cards' problems continue. First, they're pretty easy to program, which Mathias demonstrated by copying his own card and successfully charging with the copy. It would be easy for a knowledgeable person to program a bunch of cards, hoping to hit on a working account number.

Because charging providers bill once per month, if a car owner's account is compromised in that way, they won't see that anything is amiss until the monthly bill arrives.

Most stations use the 2012 version of the OCPP protocol, which is already relatively old and is based on HTTP. Mathias demonstrated how easy it is to set up a man-in-the-middle attack by relaying the transaction.

Moreover, both stations that Mathias examined had USB ports. Plug in an empty flash drive - and logs and configuration data will be copied to the drive. From this data, it's easy to get the login and the password for the OCPP server and, for good measure, the token numbers of previous users - which, remember, is all you need to imitate them.

Even worse, if the data on the drive is modified and then the USB drive is inserted back into the charging point, the charging point will automatically update from it and consider the data on the drive its new configuration. And that opens a whole lot of new possibilities to the hackers.

To sum up, potential criminals could collect ID card numbers, imitate them and use them for transactions; rewire charging requests, basically disabling the charging point; gain root access to the station and then do whatever they like.