EVGO Warning - insecure service

Mondo (Robert), Member. Joined Jul 26, 2023. Location: Vancouver. Vehicles: R1S. Occupation: Tech sales.
As a cybersecurity professional, I want to alert the community that EVGO, its app and chargers have some major security flaws and I would recommend not using them until these issues are addressed.

I was excited by the EVGO integration in the last update and signed up for an account. I registered my R1S's VIN on the account and entered my credit card details.
When I arrived at the charger, I plugged in but the autocharge+ feature didn't work. I tried several times and located the charger in the app and tried to start it from there. After several attempts as well as trying to use a credit card, it eventually started. I went for lunch. When I returned an hour later I checked my CC account and there were several charges and 2 separate charging charges - 1 for 10.70 and 1 for 44.22. Both were from the exact same time period (overlapping). Today, back at home, with the car in my garage, I got a charge on the CC that I was charging again (150 miles away). I opened the app to see the charge ongoing.

When I called EVGO they were very apologetic but the rep could not really do anything but stop the existing session and open a ticket with their 'backoffice'.

Some things that concern me coming from a cybersecurity perspective:

1) The chargers did not recognize my car even though it was registered as they claim it should have.
2) There is a non-interactive UI at the chargers so you don't know what is happening and can only control it from the app which is largely unresponsive.
3) The app has extremely poor UX and apparently can get mis-synced with or hijacked by another vehicle without warning or notice. I still cannot see what car is using my account. The claimed 'VIN recognition' is clearly not real.
4) The app does not have strong authentication and no option for MFA.
5) Others have claimed on the web that accounts are easily hijacked with just username and email. I haven't tested this as it would be a crime but beware.
6) Multiple CC charges are made frequently instead of just for the usage (see attached). This is confusing for users and you can miss an overcharge.
7) You cannot leave the service, remove your Credit Card, or close your account even if you call them. Apparently 'only the backoffice' can do any of these.

For now, until they get these issues resolved, I would avoid this app and service. I will give them a week to resolve the charges and then contact my credit card company.

(Attached image: "EVGO Warning - insecure service evgo ca", the credit card statement screenshot referred to in point 6)
John G. (John), Well-Known Member. Joined Jan 27, 2022. Location: Vancouver, Washington USA. Vehicles: 2022 R1T. Occupation: Retired.
Sorry to hear about your latest experience and concerns about EVGO. Thanks for the timely alert.

I'm putting the sign up of my account with them on hold until I hear more positive news about them. I wish all chargers could be as easy to use as Rivian's RAN Network.
 

Aardvark, Well-Known Member. Joined Dec 29, 2021. Location: Colorado. Vehicles: R1S, Model 3.
Thank you for the timely warning. I just downloaded the app last night but had not yet created an account. It's not going to happen until this vulnerability is repaired.
 

FooF, Well-Known Member. Joined Feb 24, 2023. Location: Mountain View CA. Website: foof.me. Vehicles: 2022 R1S Launch Green. Occupation: DJ.
Aardvark said:
Thank you for the timely warning. I just downloaded the app last night but had not yet created an account. It's not going to happen until this vulnerability is repaired.

Works perfectly for me, just plug and charge after enrolling in autocharge.
 

kewlasu (Chris), Well-Known Member. Joined Apr 30, 2021. Location: Maine. Vehicles: 2022 Rivian R1T LA Silver Adventure Large Pack 21".
I'm looking forward to knowing the outcome of this.
 

COdogman (Brian), Well-Known Member. Joined Jan 21, 2022. Location: CO. Vehicles: 2023 R1T. Occupation: Cyber defender.
Appreciate the heads up. Not much EVgo in my area but this would be enough to make me steer clear unless I had no other option.
 

hevak, Active Member. Joined Mar 21, 2023. Location: PDX. Vehicles: Rivian R1T (Launch Green/FE Interior/Black 20" AT).
I had similar experiences with their support and the fact that the “backoffice” had to fix things, but I’ve yet to hear about it. I was scouting an EVGO charger *on their website* that was 100s of miles away for an upcoming roadtrip and noticed it said “autocharge, learn more”. I clicked that and it immediately said “plug in your vehicle to activate autocharge” with no way to cancel out of it. Well…as you can guess, someone plugged in during that time and their car got paired to my account. I’ve spent a collective total of two hours on the phone with their crappy support trying to get the car unpaired (which still isn’t done) and their charges refunded. This should **never** be allowed to happen. It’s poorly designed.
 
Mondo (OP; Robert), Member. Joined Jul 26, 2023. Location: Vancouver. Vehicles: R1S. Occupation: Tech sales.

hevak said:
I had similar experiences with their support and the fact that the “backoffice” had to fix things, but I’ve yet to hear about it. I was scouting an EVGO charger *on their website* that was 100s of miles away for an upcoming roadtrip and noticed it said “autocharge, learn more”. I clicked that and it immediately said “plug in your vehicle to activate autocharge” with no way to cancel out of it. Well…as you can guess, someone plugged in during that time and their car got paired to my account. I’ve spent a collective total of two hours on the phone with their crappy support trying to get the car unpaired (which still isn’t done) and their charges refunded. This should **never** be allowed to happen. It’s poorly designed.

A clear violation of section 8 of PCI DSS. I would recommend not sharing CC data with them. The fact that it cannot be removed is also of serious concern.
 

BigSkies (Brian), Well-Known Member. Joined Sep 4, 2021. Location: Denver. Vehicles: R1T, Model Y.
The absolute incompetence of these charging companies is amazing.

Given the zero-employee service model, you'd think they’d be all about six-sigma type quality/reliability programs. As well as UX design that minimized confusion and potential points of failure.

Instead, it seems like they've outsourced every function they can to the lowest and least competent bidder.
 

BigSkies (Brian), Well-Known Member. Joined Sep 4, 2021. Location: Denver. Vehicles: R1T, Model Y.

hevak said:
I had similar experiences with their support and the fact that the “backoffice” had to fix things, but I’ve yet to hear about it. I was scouting an EVGO charger *on their website* that was 100s of miles away for an upcoming roadtrip and noticed it said “autocharge, learn more”. I clicked that and it immediately said “plug in your vehicle to activate autocharge” with no way to cancel out of it. Well…as you can guess, someone plugged in during that time and their car got paired to my account. I’ve spent a collective total of two hours on the phone with their crappy support trying to get the car unpaired (which still isn’t done) and their charges refunded. This should **never** be allowed to happen. It’s poorly designed.

You have more patience than I do. I’d give the company a chance to try to fix it in a maybe 15-30 minute call. I’m just going to call the credit card company after that.

Companies are happy to build crappy products and are willing to put up with a few irate customers just as a cost of doing business.

Want to know what will actually get their attention? Visa & JP Morgan calling and asking why they are in violation of their merchant acceptance agreement. The card dispute process is one of the few places consumers have any leverage left.
 

hevak, Active Member. Joined Mar 21, 2023. Location: PDX. Vehicles: Rivian R1T (Launch Green/FE Interior/Black 20" AT).

BigSkies said:
You have more patience than I do. I’d give the company a chance to try to fix it in a maybe 15-30 minute call. I’m just going to call the credit card company after that.

Companies are happy to build crappy products and are willing to put up with a few irate customers just as a cost of doing business.

Want to know what will actually get their attention? Visa & JP Morgan calling and asking why they are in violation of their merchant acceptance agreement. The card dispute process is one of the few places consumers have any leverage left.

The problem with chargebacks on a charging network is the risk of having your card blacklisted and being SOL when needing a charge.
 

VSG, Well-Known Member. Joined Oct 3, 2022. Location: WA. Vehicles: R1T LE/RB/OC/20.

Mondo said: "cybersecurity professional"
As a cybersecurity professional, posting a suspected vulnerability on a public forum like this without first contacting the company in private and giving them an opportunity to fix it first is highly irresponsible, IMO. Basically, IF this is a real issue, you've just endangered every EV owner who uses EVGo. And this is your first post here?

But I think much of your report is due to your misunderstanding. Let me address the individual points.
1) The chargers did not recognize my car even though it was registered as they claim it should have.
From your description, you entered your VIN in the app then expected autocharge+ to work next time you plugged in. ("I registered my R1S's VIN on the account and entered my credit card details. When I arrived at the charger, I plugged in but the autocharge+ feature didn't work")

That is not a correct expectation - enrolling in autocharge+ is a two step process. You need to enter your VIN first (if accepted, your app will say Pending autocharge+), then you need to initiate a charging session from the app (before you plug in) - this session is used to read your vehicle ID and associate it with the VIN you entered in the app. Only after this session will the app show "Enrolled", and for your NEXT session you can just plug in and the charging will start automatically now that you're fully enrolled. The instructions for how to sign up for autocharge+ are pretty clear about this. I followed the instructions last week and they worked for me.

2) There is a non-interactive UI at the chargers so you don't know what is happening and can only control it from the app which is largely unresponsive.
It's not clear to me what interaction you expect to do here - the screen on the charger gives you instructions, and if you follow the instructions it moves to the next step. Once you get autocharge+ set up, the screen is purely for information display.

3) The app has extremely poor UX and apparently can get miss-synced with or hijacked by another vehicle without warning or notice. I still cannot see what car is using my account. The claimed 'VIN recognition' is clearly not real.
"Poor UX" is subjective, and you don't mention what you think is poor.

Hijacking a session is concerning, IF it is reproducible. I also don't understand what you think happened here. It is the app user that gets charged, and the only way for your vehicle to be associated with the VIN in your app is for you to swipe to initiate a charge first, then plug in and have the charger read your vehicle ID from the same plug you swiped on. I don't see how that session could be hijacked remotely unless someone else swiped to initiate the charge just before you plugged in to authenticate. Highly unlikely, and THEY would be the ones to get charged, not you.

I suspect either you or the other person entered their VIN incorrectly, and in the time between the "Pending" state and confirming your vehicle to reach "Enrolled" the other person entered a duplicate VIN. While this would be a problem, it's also of very limited scope because of the limited window of time between these two steps and you would have to enter a VIN of a vehicle that was in that specific intermediate stage of signing up. Duplicate VINs should not be allowed at any stage of the process, and this is certainly something that should be addressed if that is what is happening. It's also something you should report to the company first.

A simple fix, if you think your account was hijacked, is to delete your vehicle from the app, delete your old credit card from the app (you will have to add a new one), then go through the autocharge+ enrollment a second time. This time do it while standing at the charger.

4) The app does not have strong authentication and no option for MFA.
Reasonable. MFA could reduce problems caused by compromise of account name/password.

5) Others have claimed on the web that accounts are easily hijacked with just username and email. I haven't tested this as it would be a crime but beware.
Claiming "others said" is a cop-out. Either this can happen or it can't. You're the professional, so regardless of who said it YOU are repeating it and that means you are endorsing this even though you haven't bothered to confirm this on your own. You don't have to do anything illegal, as you should be aware - either try to break into your own account using this method or get explicit written permission from a friend, relative, or spouse to break into theirs. You can even create a second account for yourself for testing. Regardless, if you DO find a way to break in, contact the company first and give them a chance to fix it, don't just make this claim on an open forum.

6) Multiple CC charges are made frequently instead of just for the usage (see attached). This is confusing for users and you can miss an overcharge.
It's not clear to me where that image comes from - that's not from the EVGo app. But I see that most of those debits have corresponding credits - [amount] paired with [amount], for example. Those could very well be authorizations, not charges, and this could simply be EVGo authorizing your card when you plug in, then cancelling the authorization and making a real charge when you terminate the session.

My EVGo app only shows the actual charges, and I can drill down into the charge to see the details (time, energy delivered, transaction fee, energy fee, last 4 of credit card, etc.) Also, my credit card account does not show any authorizations for the last time I used EVGo. Perhaps because you used a physical credit card it needed to authorize it first, and perhaps because (as you said) you tried to initiate a session multiple times the authorizations went through then were cancelled when the session failed.

7) You cannot leave the service, remove your Credit Card, or close your account even if you call them. Apparently 'only the backoffice' can do any of these.
I'm pretty sure you can, but I haven't tried. This is a regulatory requirement. See https://helpcenter.evgo.com/hc/en-us/articles/10061341391383-EVgo-Account-FAQs for instructions on how to do this.
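As an added illustration of the two-step enrollment flow VSG describes (points 1 and 3) and of the website-initiated pairing hevak ran into earlier in the thread, here is a small Python model of an enrollment service with the guards both posts point at: a VIN can be claimed by only one enrollment at any stage, an app-initiated session is tied to one specific plug and either expires or can be cancelled, and a vehicle ID read from the cable is bound only to the account that initiated on that plug. This is example code written for this thread, not EVgo's implementation; the 30-minute pending expiry, the 5-minute session expiry, and every account, VIN, plug and vehicle name are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class State(Enum):
    PENDING = "pending"    # VIN entered in the app, vehicle not yet confirmed
    ENROLLED = "enrolled"  # vehicle ID read from the cable and bound to the VIN


class EnrollmentError(Exception):
    pass


@dataclass
class Enrollment:
    account: str
    vin: str
    created_at: float
    state: State = State.PENDING
    vehicle_id: Optional[str] = None


@dataclass
class EnrollmentService:
    # Assumed policy values (not from the thread): an unconfirmed enrollment and an
    # app-initiated session that nobody plugs into both expire.
    pending_ttl: float = 30 * 60
    session_ttl: float = 5 * 60
    by_vin: Dict[str, Enrollment] = field(default_factory=dict)
    by_vehicle_id: Dict[str, Enrollment] = field(default_factory=dict)
    # plug -> (account that initiated on it, time it initiated)
    plug_sessions: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def register_vin(self, account: str, vin: str, now: float) -> Enrollment:
        """Step 1: claim a VIN. A VIN may belong to one enrollment at any stage."""
        existing = self.by_vin.get(vin)
        if existing is not None and not self._expired(existing, now):
            raise EnrollmentError(f"VIN {vin} is already claimed")
        enrollment = Enrollment(account=account, vin=vin, created_at=now)
        self.by_vin[vin] = enrollment
        return enrollment

    def cancel(self, account: str, vin: str) -> None:
        """Explicit way out of any enrollment state, usable only by the claiming account."""
        enrollment = self.by_vin.get(vin)
        if enrollment is None or enrollment.account != account:
            raise EnrollmentError("no enrollment for this account and VIN")
        del self.by_vin[vin]
        if enrollment.vehicle_id is not None:
            self.by_vehicle_id.pop(enrollment.vehicle_id, None)

    def start_session(self, account: str, plug: str, now: float) -> None:
        """Step 2a: the account initiates a session on one specific plug from the app."""
        open_session = self.plug_sessions.get(plug)
        if open_session is not None and now - open_session[1] <= self.session_ttl:
            raise EnrollmentError(f"plug {plug} already has an open session")
        self.plug_sessions[plug] = (account, now)

    def end_session(self, account: str, plug: str) -> None:
        """Lets the initiator back out before anyone plugs in (the cancel hevak lacked)."""
        open_session = self.plug_sessions.get(plug)
        if open_session is not None and open_session[0] == account:
            del self.plug_sessions[plug]

    def vehicle_plugged_in(self, plug: str, vehicle_id: str, now: float) -> Optional[str]:
        """Step 2b: the charger reads the vehicle ID from the cable.

        Returns the account to bill, or None if charging must not start.
        Whoever initiated on THIS plug (and has not timed out) is billed, and their
        pending enrollment is completed only if the vehicle is not already bound.
        With no open session, an enrolled vehicle is billed to its own account
        (plug and charge); an unknown vehicle is billed to nobody.
        """
        open_session = self.plug_sessions.pop(plug, None)
        if open_session is not None:
            account, started_at = open_session
            if now - started_at <= self.session_ttl:
                self._try_bind(account, vehicle_id, now)
                return account
        enrolled = self.by_vehicle_id.get(vehicle_id)
        if enrolled is not None:
            return enrolled.account
        return None

    def _try_bind(self, account: str, vehicle_id: str, now: float) -> None:
        if vehicle_id in self.by_vehicle_id:
            return  # a vehicle ID belongs to exactly one enrollment; never rebind silently
        for enrollment in list(self.by_vin.values()):
            if enrollment.account != account or enrollment.state is not State.PENDING:
                continue
            if self._expired(enrollment, now):
                del self.by_vin[enrollment.vin]
                continue
            enrollment.state = State.ENROLLED
            enrollment.vehicle_id = vehicle_id
            self.by_vehicle_id[vehicle_id] = enrollment
            return

    def _expired(self, enrollment: Enrollment, now: float) -> bool:
        return (enrollment.state is State.PENDING
                and now - enrollment.created_at > self.pending_ttl)
```

The property worth noticing is in `vehicle_plugged_in`: billing follows the plug that was initiated on, never the account that happens to own the VIN, so a session started from a browser hundreds of miles away times out before a stranger's car can be attached to it, and an enrolled vehicle plugged into a plug someone else initiated is billed to that someone, not to its owner.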
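To make VSG's reading of point 6 concrete (pre-authorization holds that are later reversed, versus real captures that stay on the statement) together with Mondo's observation of two overlapping sessions on one account, here is an added Python example that nets out a card statement and flags overlapping sessions. The statement lines and session records are constructed for the example and do not follow EVgo's real statement or export format; this is not the app's or the network's code.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# (posted "YYYY-MM-DD HH:MM", description, amount in cents; credits are negative)
Txn = Tuple[str, str, int]


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed statement lines (not a real EVgo statement): three pre-authorizations
# from repeated start attempts, each later reversed, plus two real captures.
STATEMENT: List[Txn] = [
    ("2023-07-26 12:06", "EVGO AUTH", 2500),
    ("2023-07-26 12:09", "EVGO AUTH", 2500),
    ("2023-07-26 12:11", "EVGO AUTH", 2500),
    ("2023-07-26 12:40", "EVGO AUTH REVERSAL", -2500),
    ("2023-07-26 12:41", "EVGO AUTH REVERSAL", -2500),
    ("2023-07-26 13:05", "EVGO CHARGING", 1070),
    ("2023-07-26 13:20", "EVGO CHARGING", 4422),
    ("2023-07-26 13:21", "EVGO AUTH REVERSAL", -2500),
]


def net_charges(statement: List[Txn]) -> Tuple[List[Txn], List[Txn]]:
    """Pair every credit with the earliest earlier unmatched debit of equal size.

    Returns (debits that were never reversed, credits that matched nothing).
    The first list is the money actually taken; the second is worth a call too.
    """
    debits = sorted((t for t in statement if t[2] > 0), key=lambda t: ts(t[0]))
    credits = sorted((t for t in statement if t[2] < 0), key=lambda t: ts(t[0]))
    unmatched = list(debits)
    orphan_credits: List[Txn] = []
    for credit in credits:
        for i, debit in enumerate(unmatched):
            if debit[2] + credit[2] == 0 and ts(debit[0]) <= ts(credit[0]):
                del unmatched[i]
                break
        else:
            orphan_credits.append(credit)
    return unmatched, orphan_credits


# Constructed session records, as an account holder might export them from an app.
SESSIONS: List[Dict] = [
    {"session_id": "S1", "account": "mondo", "charger": "VAN-07",
     "start": ts("2023-07-26 12:10"), "end": ts("2023-07-26 13:05"), "cents": 1070},
    {"session_id": "S2", "account": "mondo", "charger": "VAN-08",
     "start": ts("2023-07-26 12:12"), "end": ts("2023-07-26 13:20"), "cents": 4422},
    {"session_id": "S3", "account": "mondo", "charger": "VAN-07",
     "start": ts("2023-07-27 09:00"), "end": ts("2023-07-27 09:45"), "cents": 1820},
    {"session_id": "S4", "account": "other", "charger": "VAN-08",
     "start": ts("2023-07-26 12:30"), "end": ts("2023-07-26 12:50"), "cents": 600},
]


def overlapping_sessions(sessions: List[Dict]) -> List[Tuple[str, str]]:
    """Flag pairs of sessions on one account whose time windows overlap.

    A single vehicle cannot draw from two plugs at once, so an overlap on one
    account means a second vehicle is billing to it or the billing is doubled.
    """
    by_account: Dict[str, List[Dict]] = defaultdict(list)
    for s in sessions:
        by_account[s["account"]].append(s)
    flagged: List[Tuple[str, str]] = []
    for items in by_account.values():
        items.sort(key=lambda s: s["start"])
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b["start"] < a["end"]:  # sorted by start, so this is the overlap test
                    flagged.append((a["session_id"], b["session_id"]))
    return flagged


if __name__ == "__main__":
    taken, orphans = net_charges(STATEMENT)
    print("net charges:", [(t[0], t[2] / 100) for t in taken])
    print("orphan credits:", orphans)
    print("overlapping sessions:", overlapping_sessions(SESSIONS))
```

Run on the constructed data, the three 25.00 holds cancel against their reversals and only the 10.70 and 44.22 captures remain, which is the reading VSG proposes for the screenshot; the overlap check then points at exactly those two sessions as the pair a single R1S could not have produced. On the operator side the same overlap test makes a cheap server-side alert for the "another vehicle on my account" case before a customer has to spot it on a statement.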
 
Mondo (OP; Robert), Member. Joined Jul 26, 2023. Location: Vancouver. Vehicles: R1S. Occupation: Tech sales.
VSG said: (the reply above, quoted in full)
Ah. The EVgo employee has arrived. My post is only to warn users of the risks. Blaming the users for your insecure service is a bad look.
 
COdogman (Brian), Well-Known Member. Joined Jan 21, 2022. Location: CO. Vehicles: 2023 R1T. Occupation: Cyber defender.

Mondo said:
Ah. The EVgo employee has arrived. My post is only to warn users of the risks. Blaming the users for your insecure service is a bad look.
@VSG brought up valid points. Accusing them of being an “EVGo employee” instead of responding directly to those comments doesn’t exactly support your case.