WSJ is really, really, really, bad at technology reporting
The reporting in this piece is so bad. I have to wonder if the pen tester here took advantage of the WSJ’s total lack of awareness around how this stuff works, or if the WSJ’s editorial staff knowingly embellished a story about how bad Wallbox is at IoT device design.
I should probably let stuff like this go, but the sheer audacity (or maybe ignorance) displayed in this “WSJ Explains” is mind-blowing. First, that Wallbox is so bad at IoT design. WTF were they thinking using a removable, DIY, hobbyist SOC to drive their EVSE? I, personally, as a normal person can design a custom ESP32 board and have a 3rd party make it and assemble everything for me for a totally affordable price per unit. That they went out and bought Raspberry Pi (RPi) instead is bonkers.
I’m going to make some assumptions about the level of security on the RPi module itself. The details around this “hack” are sparse, so forgive me if I get some things wrong here. Let’s assume that the file system is unencrypted and the Wi-Fi credentials are unencrypted. Hopefully they weren’t and that’s just something that is conveniently ignored. If that is the case, that’s on Wallbox. That’s bad design, but physical access to a system, any system, means ownership of that system. The only variable is time. The question should be: what does owning that device get you in this context?
Short answer, for most people, is not that much. Unless you have local network services on your home network, each device on that network will have its own layer of security. Most devices on a home network are designed to communicate through The Cloud using encryption (usually TLS). Access to your bank would be difficult, and highly unlikely, contrary to the claims made in the video.
Worst case for most folks is that the hacker could DoS your printer.
I’m sure you all are putting all your IoT devices on segmented, isolated, IoT-specific networks. So this is even less of a risk for us.
The other claim that really gets me is around the risk to the grid. That’s simply untrue. Charging isn’t controlled by the EVSE, it’s controlled by the car. Closing the contactors in the EVSE (i.e. turning it on) won’t do anything unless the car asks for current. If it’s in a state where it will charge, it will only charge up to the allowed state (usually 80%).
Now, that might mean that your electricity bill will go up if you have a time-of-use plan, but that’s not risking the grid unless the grid is super sketchy in your area. Which isn’t a new risk, hack, or really anything more than a way to highlight that maybe the grid in your area needs more attention.