OWASP Global AppSec Lisbon 2024

In this talk, we delve deep into the increasingly interconnected world of electronic vehicles (EVs), photovoltaic (PV) solar systems, and the broader power grid infrastructure—a nexus that is becoming a fertile ground for potential large-scale cyber disruptions. As we navigate through this complex interplay of technology and infrastructure, we will uncover the critical vulnerabilities lurking within the API connections that bind these systems together. Our exploration will not only highlight these weaknesses but will also demonstrate, through real-world scenarios and potential attack vectors, how they can be exploited to launch sophisticated cyber-attacks, emphasizing the urgent need for robust security frameworks and proactive cybersecurity measures to safeguard our collective future.


The advent of PV inverters and EV charging systems has been marred by the industry's "rush to market" mentality, leading to overlooked security considerations. These critical weaknesses potentially allow remote attackers unprecedented control, with the ability to fully commandeer or even incapacitate these devices. Our investigation will reveal how targeting cloud platforms used by installers could unlock elevated access not just to PV inverters but also to EV chargers. This access includes functionalities usually restricted from the systems' proprietors, thereby opening a pandora's box of vulnerabilities.


Our presentation will demonstrate the alarming potential of such cyber-attacks to concurrently disrupt hundreds of thousands of PV inverters and EV chargers. This scenario could precipitate significant instability across national power grids, underscoring the systemic risks posed by the intertwined infrastructure of renewable energy and EV charging networks. At the core of these vulnerabilities are logic flaws embedded within the web portals designed for managing these systems. These flaws range from Insecure Direct Object References (IDORs) to more complex vulnerabilities that allow users to escalate their privileges to that of a platform administrator, all of which are susceptible to remote exploitation.


Moreover, we will dissect these vulnerabilities in detail, examining their origins in the development lifecycle and discussing methodologies for their identification and mitigation. This examination aims to propel a shift towards integrating security considerations early in the design and deployment of such critical systems.

In addition to technical vulnerabilities, our talk will also address the broader implications of these security weaknesses on public trust and safety. As renewable energy sources and EVs become pillars of our attempt to combat climate change, ensuring the security of these technologies is paramount. This presentation aims to catalyze a concerted effort among stakeholders—including developers, regulators, and users—to adopt a more vigilant and proactive stance towards cybersecurity.


This comprehensive analysis, enriched with case studies and practical recommendations, intends to elevate the dialogue on cybersecurity in the realm of renewable energy and EV infrastructure. By the conclusion of this talk, attendees will not only grasp the gravity and complexity of the challenges ahead but will also be equipped with the knowledge to contribute to a more secure, resilient, and sustainable energy future.