Timon Hackenjos and Jeremias Mechler and Jochen Rill, 2018

Ingmar Baumgart and Matthias Boersig and Niklas Goerke and Timon Hackenjos and Jochen Rill and Marek Wehmer, IEEE, 2019

The home Battery Energy Storage System (BESS) industry is on the rise [1]. Newer models are built as Internet-connected devices that offer new service models for customers and manufacturers alike. This approach, as can be observed from emerging Internet of Things (IoT) devices in the last decade, brings new challenges and issues with it. First of all, threats to user privacy and botnet attacks come to mind. More importantly, there are now substantial advances to put flexible BESS in more critical roles in the power grid and let them provide primary balancing power in order to compensate fluctuations [2]. However, while the safety properties of such systems are currently being explored by researchers [3], their security is mostly unexplored and unregulated. To explore the state of security of residential BESS, we systematically analyzed commercially available storage systems from ten different manufacturers, who have a combined market share of more than 60 percent in Germany [4]. We show that all of them have security issues and four of them contain severe security flaws. In order to exemplify the deficit in the industry to properly secure Internet connected devices, we present three attacks in detail.

Roland Gröll and Timon Hackenjos and Alexander Koch and Bernhard Löwe and Jeremias Mechler and Jörn Müller-Quade and Jochen Rill, Springer International Publishing, 2019

EMV, also known as Chip and PIN, is the world-wide standard for card-based electronic payment. Its security wavers: over the past years, researchers have demonstrated various practical attacks, ranging from using stolen cards by disabling PIN verification to cloning cards by pre-computing transaction data. Most of these attacks rely on violating certain unjustified and not explicitly stated core assumptions upon which EMV is built, namely that the input device (e.g. the ATM) is trusted and all communication channels are non-interceptable. In addition, EMV lacks a comprehensive formal description of its security.