a tinder box with a smart ignition, all snug in your house, seems like a great idea

People buy super expensive smart locks, with a special anti picking cylinder, but then as it has a solenoid you can open it with a strong magnet 😂

Hey, everyone! I've been delving into KZbin, focusing on storytelling and creative video-making. Recently stumbled upon VideoGPT, and it's been a total game-changer. My videos now have this professional quality that has really boosted my confidence.

Hasn’t anyone seen maximum overdrive!?!

Yes, it's obsurd to have most of these things on the network.

No Network Connection is how vast majority of Level 2 AC charger operate. They simply don't need a network connection.

It’s really not - why stop there? Throw your laptop away, don’t use a mobile phone, shun the internet. Their cure has become worse than the disease.

In the USA, 99% of these chargers are in peoples garages locked away. The big security risk for most people is in their filing cabinet. Where is the median doing a piece on the filing cabinets?

If you steal a WiFi password you can emulate the WiFi network and implement a man in the middle attack. Are you a security consultant or penetration tester?

​@@Kx0195that doesnt really matter, pretty much all connections like that are over TLS.

And you dont need to steal a wifi pass to impersonate a wifi network and do mitm.

@@Kx0195I am and the mod is correct

yeah those were my exact thoughts

The problem with that statement is the assumption the network is not vulnerable. Often we rely on the overall networks security to protect against low level fruit like this, but in truth and as seen in recent cyber attacks, many industries previously thought impenetrable have been hacked. In addition, highly targeted attacks against individuals do take place globally, any vulnerability, even one which affects a single individual, is a danger to all.

@@jacobp8294 Network vulnerability is a general concern (with any connected device/service) which I already mentioned.

I like how using a rPi is a “bug” just because it’s an open platform. What do they think about OpenEVSE?!

Well, if the manufacturer of the charger failed to add proper authentication to their APIs and the devices can be addressed through their sequential serial number, then any one can register an account and use those credentials to control all the chargers whose serial number they can guess. Of course the API should check that the charger the user tries to control belongs to the user but apparently that used not to be the case. Instead, they relied on the UI which only shows the user their own chargers but thats fairly trivial to bypass by using the same APIs the app uses.

In the uk the regulation requires that charge start and stop times have a randomised offset which is controlled in firmware not accessible to update or change.

You'd need far too many EVs for that to be an issue, and they'd have to be plugged in. The majority of chargers are in garages. Maybe thermostats, but most houses use gas heating. If you could gain remote access to every EV charger, you could pull it off, but that's like saying if you could get inside a vault you could perform a heist. It's not practical.

@@randomblock1_ said _"It's not practical."_ Does it need to be? Was the attack on the Iranian nuclear plant practical? I doubt when Putin says "Hack that network" that his hackers respond _"But that isn't really practical sir."_

​@@LabGeckoThe point is that it would take decades to do all that hacking. And by then the first chargers would have been replaced.

If you wrote a paper on this, than you can answer to me this simple question. if we have a small country for example avg 5gw daily peak, how many charger will have to be turned on to bring down the network?

Yup was coming to say the same lol

You missing the point.. They are connect to the power grid and they could take everyone down. Doesn't matter who the maker is. One weak company puts everyone at risk. Just like one lazy coworker opening an email put the company at risk..

@@CornelleJ That is not true at all. This video has no evidence. They did not show how it can be hacked. They only removed an rpi compute module from a box. but did they show the data is not encrypted on the box? Did they link any company announcement? Did they show any link to the vulnerability database? Also the video did not say how they can be used to bring down the network. The study is not linked.

@@buscseik Rewatch the video, they said the first 1 had 2 Vulnerabilities. Wallbox, hardware bug. 2nd was a remote attack. (smart phone attack), then Project EV had issue because of SN# for Creds.

@@CornelleJ Vulnerabilities has a public database. if this video would be true, these would be listed there, so the video could link them. Just for example, they made a screenshot of a study in the video published by IEEE. I checked if I can find the study on the IEEE website, but it is not there. Only two match, non of them were valid (one is a public file storing system, other is a website which signed by letsencrypt, which means, the site owner did not have to present id card or bank card to anyone to get the certificate, even a hacker could do that)

Raspberry Pi was originally set up as a school educational thing to help kids get into hardware and coding. I can't believe that some professional electronics designers haven't moved on from school level electronics class.

It's just laziness

Some of the Raspberry Pi units are intended for use as a component in a production device.

They are. They just recommend using the CM4 instead of CM3. Tons of commercial products use Pis. There's an entire "for industry" page on the Pi website

Stating a Pi is not for commercial use is quite dense. A Pi Compute Module is designed for development, but commercial breadboards and development boards use Pi as a headless computer to IO interface all the time instead of adding serial ports to bigger computers or replacing them all together.

I left the cybersecurity industry because I was tired of warning the C-suite and seeing deliberately negligent responses. If they want to answer to Congress, that’s their business. Not mine.

DDoS is totally irrelevant to this. That can be mitigated by a middleman like Cloudflare, and certainly doesn't matter in the context of hardware vulnerabilities.

They are legally required to give the company's response. Not doing so gets the journalism company sued.

And there are methods to bypass 2fa and car security. Also other countries have had attacks on their power grid. It’s not unheard of. Doesn’t have to be a hacker but a state actor as well. But it’s definitely sensationalist.

I am not a security expert, just a home user/engineer and these flaws they are pointing out are class A negligence! None of these products should have made it to a customer

Also, everyone forget there are fuses everywhere in the electricity network :)

I think the point is that there are no standards keeping companies to a bare minimum of security. How many consumers do you know that search for security vulnerabilities before buying a product? I'm regularly telling friends and family about security holes and can't get them to check ahead of time. How diligent is the general public? And given that's their target audience, how diligent do you think companies are about security and safety when they need to get those numbers up for the next quarterly report?

@@LabGecko Just look at how many products claim to be "smart" Look at how easy it is to be a high paid idiot in marketing vs how hard it is to be an engineer producing products they are then responsible for. Instead of just paying the least amount for the highest review rating, we need to start looking at every product and ask, "is this working FOR me or AGAINST me??? Is turning my appliance on from anywhere in the world really worth exposing myself to hackers from anywhere in the world????

almost like its a weapon from china

Raspberry Pi OS is as good as any mainstream linux server in terms of security. The "problem" is the ability to easily remove and modify the compute module. That is not a serious attack vector as it requires prior physical access to each and every target device. This is not going to happen.

because it doesn't contain sensitive data. it's just your wifi password

@@SegFaultOnLine1984 Isn't your wifi password fairly sensitive data?

Because many people are stupid. Older tech is usually better and for some reason, people feel a need to "upgrade" everything. Our locks at my apartments were "upgraded" from lock and key to digital cards. It gives the landlord more info, but the batteries need to be replaced yearly (six AA batteries per lock) and I wonder about security. The old locks and keys worked 100% of the time.

@@Djamonja not really, anything that connects to your home network and is outside your house is fairly susceptible to these sort of attacks. Gaining access to your wifi password is pretty pointless for pretty much any malicious actor anyway considering they actually need to be outside your house. And the bank details part is pure fear mongering because of https.

@@SegFaultOnLine1984 Once they have your Wifi password, can't they sit in a car near your house and access your network?

We’ve just been fudded: “we’ve created weapons” 😬

Yeah, the verbiage was a bit over the top. But the scenario is real enough. There are plenty of nation states paying big money for attacks on grids. Browse Darknet Diaries if you need examples.

Imagine someone hacking a plane you fly in? Why don't you express worry about that? Because you know the companies flying have every incentive to make that as difficult as possible. Cars are no different.

@@lawrencefrost9063 they aim laser pointers at planes and try to dazzle the pilot. In China people are aiming the lasers at the cameras controlling the car. It blinds autonomous vehicles. This is why LiDAR is extensively used.

As someone who works with self driving cars. The amount of stuff you would need to do in order to hack it and gain control would be pointless. You could only move 3mph for a few feet.

@@OneManOnFire absolutely, if someone is intent on causing problems then either stopping it physically or make it veer off course would be the option.

@@OneManOnFire buddy my point was that even if its to hard but few feets could cause series of serious accidents on certain scenarios

Wi-Fi is designed to be somewhat safe... but it doesn't make bad designs good

You think cellular is safer?

Facebook is already here bro

Yet, this simply won't occur. People shall use IoT devices. That's not a solution.

In the UK there is dynamic pricing for ev charging, needs a network connection

Until it's illegal to sell customer data this will remain a base corporate business model.

I don't understand why IOT device manufacturers insist on cloud first connection and not local connections for things.

@@Sparky400 So they can revoke your access whenever they feel like

Connecting and selling data is a base business model for most companies today

That's not true. The National Intelligence Law indeed forces any private organisation to provide the PRC government with any information they demand, but that doesn't mean that the companies need to create the capabilities to control every aspect of the products they provide. I doubt that many car manufacturers can be bothered to connect the brakes in the manner you purport.

It is true actually. In many areas of China, Teslas have been banned because they pose a security risk to the Chinese gov. It's discussed in a lot of detail on the serpentza channel.

@@RokeJulianLockhart.s13ouq Every major Chinese company has a party representative sitting in each company building. I doubt he's just there for show.

@@LabGecko Where'd you learn that from?

Someone has lied to you 😆

@@LabGecko what do you mean?

It would be one car I'm not trying to find

They also need a screwdriver to pop the panel open to access the ignition switch.

By design lol

someone never heard of lock picking lawyer

@@SgtJoeSmithsomeone’s never heard of cameras. If you have a Tesla you **most** likely have cameras

@@ItzAwsomeWasTaken but what if you are wearing black pants and black hoodie and black skin? you look like all the rest of them

But the warlock is your best sega nintendo player

en.wikipedia.org/wiki/Michael_Hastings_(journalist)#Controversy_over_alleged_foul_play

No one is hacking cars. This is just WSJ bs

@@robertjamesonmusic I mean, if a vehicle has to rely on smart technology, that kind of tech could possibly be tapped into

Somebody on bbc news not having the word watchdogs

I was wondering the same. Its not even a charger but a poweroutlet.

And it is quite funny that all these companies say they value security, but yet they fail horribly and fall flat on their face using the same old repeated mistakes! It is 2024, how are you even able to access these devices based on serial number? Some doofus made a quick implementation and it was deployed without anybody checking if the password to the device was ON the device? Wow.

Corporations make money selling user data to advertising. Connecting is a data source. Until it's illegal, they won't change.

@@LabGecko So predicated on ad revenue the entire backbone of a global technology/infrastructure has been subverted to being a cyber target buffet!

Everybody should learn to ask politicians support for upkeep the things that matter to us.

Yet vast majority of Level 2 AC chargers are NOT connected to the internet.

Finally! Someone else who also knows how this works. 100% correct.

you don't realize how easy it is to bring down a power grid as once you bring down enough portions of the grid the rest has to shutdown due to the grid going out of frequency to prevent damage to important power grid equipment yes its that easy welcome to the world of running a machine that's hundred if not thousands of miles wide

@@KILLKING110 As demonstrated since I’m aware of the tea time engineering issue, I *do* realize. You won’t be taking out any part of the grid with a minor EVSE exploit like this. Exploiting an IOT clothes dryer would be more impactful by far. Most private EVSEs are the portable kind included with their EV. Of those that have permanent installations (not just a socket), most don’t have any fancy scheduling, Internet connectivity, or authentication of any kind (just a fancy extension cord). Of those who have an IOT EVSE, only a portion have this brand. Of those only a portion have this model. Of those only a portion have exploitable firmware. Of those only a portion will be at home. Of those only a portion will be plugged in. Of those only a portion won’t be charging or charged. Of those standing by only a portion would be oblivious to the uncommanded charge or delay.

is it though?

Indeed. The issues they're referring to are with the software, not hardware (except that the covers aren't locked).

The amount of e-waste created by using a custom PCB is essentially negligible. Did you ignore the board it's actually connected into?

@@Z0DI4CThat always depends upon the scale.

Vulnerabilities have continued to show up, and be swatted, by all companies involved. It's getting better, but there should have been minimum standards in place instead of this _"we'll fix it when someone finds a way in"_ mentality.

Correct.

Who it was was it Xiaomi to begin making cars?

If that wasn't Pawel Czerwony words you won't know, but building technology is as so.

Fuel pumps aren’t connected to the vehicle in the same way. Also, no private owner has a fuel pump on the wall of their house 😉

@hughM9 fuel pumps / systems fail. It starts fires 280 k Xs a yr. Most houses do have a fuel pump/ system wired into their furnace.

And just by using a "flipper" you can hack the RFID. D'oh!

Except in cases it is desirable to throttle the amount of power given to the car, for instance when you want to balance the grid.

Criminals are reading specialized forums, not a mainstream media channel reporting outdated stuff.

You're right- it's factually incorrect. The actual charger and battery management system is part of the car. The wall box "charger" is nothing more than a power switch that communicates with the in-car charging circuit, telling it what the limit of power it can suck out of the wall.