From kettles to cars: how hackers are charging into electric vehicles

Washing machines that message us when their cycle’s finished. Doorbells that tell us who’s on our front step. Even kettles now have the capacity to boil themselves.

These smart devices are connected in a web that’s called the Internet of Things (IoT). This connectivity has made modern life astoundingly convenient, but it’s a bit of a double-edged sword. That’s because the IoT can be hacked by opportunists for their own gain, making our life incredibly inconvenient.

Fortunately, there are people like Ken Munro in the world. Ethical cyber hacker and founder of IT security firm Pen Test Partners, Ken has made it his mission to unveil the security flaws that allow cybercriminals to hack into vehicles and homes in rather ingenious ways.

We sat down with Ken to pick his brains and get insider knowledge on how you can protect your devices – and yourself.

GPS: a roadmap for the criminal

Thanks to our smartphones, gone are the days when, faced with a sea of vehicles, you realise you forgot where you parked.

But what if your phone’s GPS was not just your roadmap to your car, but a hacker’s roadmap to it, too?

“The technology that goes into the GPS location of your car is really quite involved,” shares Ken. “One of the first ever bugs we found was in a mobile app that allowed us not only to geolocate your car without needing your app or passwords, but to unlock it as well. Before we fixed the bug, that means that a cybercriminal could find a list of cars and then go and unlock all of them, if they wanted to.”


“It sounds like something out of James Bond.”

In Ken’s world, they’re seeing the biggest growth in cybercrime in an area called ‘productised’ attacks.

“Basically, there are groups in Eastern Europe and the Far East who will try and hack into your vehicle’s control units,” Ken shares. “And they’re incredibly clever about looking for really weird and unusual ways to achieve their target. But it doesn’t stop there, because once they’ve done that, they’ll then productise their hacks, aka sell them to the crime industry, so others know how to do the same.”

Can you give us an example? “Yeah, so there was recently a hardware attack that was built into a portable JBL speaker. All the criminal had to do was connect a USB cable to their speaker, remove a headlight on the targeted car, clip in a couple of cables, press a button on the JBL speaker, and that’s it – the car would unlock. It sounds like something out of James Bond, doesn’t it?”

Weaponising the power grid

While productised attacks are on the rise, Ken’s biggest cyber hack surprise came in the form of electric vehicle (EV) charging.

“I was an early adopter of EVs, and one of the first security flaws I noticed related to the mobile apps that control charge points. We discovered that, without needing my username or password, someone could compromise my smart car charger. And there were eight or nine companies that had this issue.”

Ken quickly realised that the ramifications of this hack – in the wrong hands – could be huge. “It’s not just about my charger,” says Ken. “It’s about everyone’s charger. Nefarious individuals could effectively control someone else’s charger, which means they have control of the power grid, with the potential to cause blackouts. That’s effectively a weapon that could be used by nation states to take down our power grid.”

“All that from a kettle!”

It seems that the perniciousness of cybercriminals’ attacks doesn’t necessarily lie in their sophistication, but in their ingenuity.

So, what can we do to protect ourselves? Fortunately, according to Ken, the answer isn’t rocket science.

“This is going to sound really boring,” Ken says, “but the simplest thing you can do is sort out your password hygiene via a password manager. There are free apps on Apple and Android, and they’ll generate strong, complicated and unique passwords. You never want to use the same password in more than one place, because if a website that’s not very secure gets breached, and you have the same password throughout, your accounts on other websites are in trouble.”

As well as strengthening and diversifying your passwords, Ken recommends staying on top of device updates. “I always recommend applying automatic updates because those updates fix existing security flaws – not just on your phone but on your computer, your iMac, your car, etcetera.”

Anything else, Ken? “My last piece of advice is this: question if you really need that smart device. Case in point, a few years ago my team and I reverse engineered a smart kettle – that means taking apart all the chips and components to see how they work – and discovered some pretty major flaws. We found out that you could drive past people’s homes, connect to their kettle, enter the highly generic PIN of six zeros, and then it would give us your Wi-Fi key. We could then see what you were up to on the network. All that from a kettle!”

To listen to this episode, you can find us on Apple Podcasts, Spotify and Amazon Music: simply search for Fuel for Thought with Footman James on the app.

Alternatively, you can listen via desktop here: https://brnw.ch/21wU2tg.