Why is Autocharge not popular? | Security issues of EV charging authorization mechanism
Autocharge - a mechanism to authorize electrical vehicle for charging based on a vehicle identifier brings an excellent user experience - pretty much same as ISO 15118. For an EV driver it would be as simple as plugging in his/her car to charger and let charger to do authorization automatically to allow (or not) for charging to start. [Read this article to know the working principles of Autocharge]
But why is it not that popular? Why was it not adopted by many CPO & EMSPs? Following are the reasons: Using a MAC Address or the Vehicle Identification Number (VIN) as a secure means of "authorization" of charging sessions really has several hard limitations and humongous risks:
Publicly Accessible: VINs are typically visible on the dashboard or door frame of a vehicle. Since they are not concealed, they can easily be copied by anyone, just like the latest Elon tweet! MAC Addresses can easily be captured by the emissions of the ISO 15118 PowerLAN communication, just like recording your favorite radio song via this vintage radio within your car.
Non-Secrecy: VINs are not secret. They are often recorded in various databases and documents like insurance papers, service records, and government records. This widespread availability makes them unsuitable for secure authentication.
Non-Uniqueness: While VINs are at least unique for every car, there is no guarantee for unique MAC addresses. There are not even enough MAC addresses worldwide just to give every customer a unique MAC address.
Potential for Replay Attacks: Since a MAC addresses and VIN are static, they can be susceptible to replay attacks. An attacker could potentially capture the MAC addresses or VIN and use it to gain unauthorized access.
Immutability: MAC addresses and VINs are permanent and cannot be changed. If a MAC address-/VIN-based authentication system is compromised, you cannot simply issue a new MAC address/VIN to the vehicle for security purposes. So... just buy a new car.
Lack of Complexity: MAC addresses and VINs follow a standardized compact format and are not designed with cryptographic security, more the exact opposite, in mind. They lack the complexity and randomness needed for secure authentication methods.
No User Authentication: MAC addresses and VINs are associated with a vehicle, not a user. They do not provide user-level security or authentication, which is crucial for operations that require verification of the EV driver's identity. Just like when you drove too fast, but the police just knows which car drove too fast.
Publicly Accessible: VINs are typically visible on the dashboard or door frame of a vehicle. Since they are not concealed, they can easily be copied by anyone, just like the latest Elon tweet! MAC Addresses can easily be captured by the emissions of the ISO 15118 PowerLAN communication, just like recording your favorite radio song via this vintage radio within your car.
Non-Secrecy: VINs are not secret. They are often recorded in various databases and documents like insurance papers, service records, and government records. This widespread availability makes them unsuitable for secure authentication.
Non-Uniqueness: While VINs are at least unique for every car, there is no guarantee for unique MAC addresses. There are not even enough MAC addresses worldwide just to give every customer a unique MAC address.
Potential for Replay Attacks: Since a MAC addresses and VIN are static, they can be susceptible to replay attacks. An attacker could potentially capture the MAC addresses or VIN and use it to gain unauthorized access.
Immutability: MAC addresses and VINs are permanent and cannot be changed. If a MAC address-/VIN-based authentication system is compromised, you cannot simply issue a new MAC address/VIN to the vehicle for security purposes. So... just buy a new car.
Lack of Complexity: MAC addresses and VINs follow a standardized compact format and are not designed with cryptographic security, more the exact opposite, in mind. They lack the complexity and randomness needed for secure authentication methods.
No User Authentication: MAC addresses and VINs are associated with a vehicle, not a user. They do not provide user-level security or authentication, which is crucial for operations that require verification of the EV driver's identity. Just like when you drove too fast, but the police just knows which car drove too fast.
Post a Comment