March 20, 2024

cybersecurity in a parking structure

One of my personal favorite ‘cybersecurity in a parking structure’ stories occurred in the early 2010’s. And yes, remarkably, I have more than one ‘cybersecurity in a parking structure’ story.

My job at the time was to go on site for various clients, including private companies and government departments, and test the security of their office and datacenter networks. I’d simulate the actions of a malicious actor seeking to gain access to their data, and if I was able to do so, I’d write a report of all the ways I did it, and they’d go and fix the problems that allowed me to do that. Or at least, sometimes they would. They were supposed to, anyway.

On this particular occasion, I’d arrived on site at the clients facility, but my point of contact who’d I’d be working with was running late. The site in question was in Birmingham (the UK version, not Alabama), and was a small office complex belonging to a local government department. Since I was waiting, I sat in the parking lot, which is known as a ‘car park’ in local terminology, and was fiddling around on my laptop. A laptop, which, given the era, likely weighed 18 pounds, had an external wireless network card, and boasted a twelve inch screen with a lot of colors, but by no means all of them.

While I was playing, I noticed the wireless network that clearly belonged to the client, and had a brain wave. Perhaps I could start the test from outside the building, in the parking lot. If I could break into the wireless network, I’d be as good as plugged in inside the building. I sent a quick text message to my point of contact to get the approval, and he replied with a ‘yeah, go for it’.

So I did, I began testing by cracking the wireless network encryption and getting on the network. That process took around fifteen minutes. Breaking the particular type of encryption they were using, known as WEP, just relied on collecting enough data to crack the encryption key, and running the collected data through some easy to obtain software tools. WEP was ‘broken’, and had been broken for some time.

Once I was on the network, while still sitting in my car, I commenced regular testing duties, which involved scanning the network for targets (other computers and servers) and figuring out ways to break into them. A couple more minutes passed, and I found a server running a very old bit of backup management software, which I knew had a pretty serious known vulnerability in it. I was able to exploit that vulnerability, and within half an hour of starting my parking lot based shenanigans, had full access to the entire agency - because that software was running with administrative level permissions. The test was complete, and I hadn’t even left the car. My point of contact arrived a few minutes later, and suggested that I could now ‘start the test properly’. I had some bad news.

The moral of the story is this, and it's just as true today as it was in that car park in 2010. Wherever we put connectivity it brings with it two things, opportunity and risk. The opportunity afforded by this agency's wireless network was a more connected workforce in their office, with better access to all the IT tools they need to do their jobs - and quite frankly, something we’ve all become accustomed to these days. The risk, you take an important element of access control away from the confines of the network cables and hardware in the building, and rely on a different set of access controls that are applied on the radio waves now carrying the data, and someone in a car parked nearby can remotely manipulate them to gain access to your stuff.

So, what, should we just shut down all wireless network connectivity, is that what you’re saying? No, of course not. I mean, in some places you won’t find wireless network connectivity, but those places are usually highly sensitive military or intelligence facilities, and not the local Panera Bread. Like all technologies, you have to be aware of both the opportunities and risks, and layer on security controls as appropriate.

Which brings me on to how we do things at Xeal. Our EV chargers are a perfect example of both maximizing the opportunity afforded to us by the presence of wireless connectivity, but in a way that dramatically reduces the risks associated with it. You won’t find a network cable, or a wireless network adapter in a Xeal EV charger. You won’t find yourself having to run connectivity into your parking lot to allow our chargers to talk to some cloud service provider - just so they can be used. 

Xeal increases your opportunity surface, without increasing your attack surface.

A Xeal charger is a smart charger, sure, but it’s a smart charger like no other. It’s a smart charger with the street smarts to know this isn’t a perfect world, and while there is often connectivity around us, it’s never guaranteed. So, instead of relying on someone else's connectivity, or forcing property owners to expose their networks in ways that make them more susceptible to attacks - like the one I conducted in the parking lot in 2010, the Xeal Apollo is leveraged to send data when it needs too, before retreating back into the fog of all the other infrastructure that relies on always-on connectivity, and allowing them to fight it out amongst themselves.

This model is especially important when it comes to EV charging infrastructure, because it’s critical infrastructure. It’s not becoming critical infrastructure - it is critical infrastructure, today. EV charging infrastructure has to be built with a critical infrastructure mindset, which interestingly enough, means it should have more in common with those top secret intelligence facilities we discussed earlier. I know they are a secret  - so there is no way of knowing for sure, but I’m reasonably confident that those facilities don’t just pack up and go home if they can’t connect to the cloud and process a payment. 

Critical infrastructure is, and always will be a prime target for malicious actors - because it is just that - critical. This is why it is important to fully understand the security and risk around the infrastructure you are adding to your property. After all, when you invest in EV Charging infrastructure, you are investing in critical infrastructure. Make a wise investment.

To learn more about how we do security at Xeal, check out: https://xealenergy.com/security/.

Mike Sheward - Head of Security, Xeal

More from the blog