
I have a 2 year old (electric) Renault Zoe and I have our own car charger. After installing the charge anytime app, everything went haywire. First of all, after waking up the next day I could not get into the car - tried both remote keys. Had to extract the emergency metal key to open front doors. It was evident the 12V battery was flat. Opened the bonnet and confirmed the 12 Volt battery showed about 5V instead of c. 12.7 volts. Called Renault emergency and was directed to RAC who came 7 hours later and confirmed battery flat. They gave a quick charge and after 15 minutes all was well. (The car range was shown as 170 miles).

Meanwhile when I plugged my hybrid car into same charger it was not recognised and I could not charge it without “re-booting” the charger by switching the power off then on again to the charger. Never happened before.

Next day, went to look at the Zoe to find all doors unlocked and all lights on both in car and the navigation lights! Could not lock car. Decided to attempt to drive car, without my remote key in the car!! And the car was drivable, without the key! Anyway got key and then drove round the block (about 1 mile) and back - got out of car and car locked and lights went out with door mirrors retracting as usual.

Decided to remove the Renault app from mobile phone and all was well with both cars - all returned to working as usual.

Reinstalled the Ovo app to phone and same problems again.

Ovo was helpful but after a few days said their engineers say nothing to do with the Ovo app - must be a problem with the car and advised to take it to dealer. Not doing that - we will live without the app. Shame.

Good evening @richardgc ,

This comment was posted by a Forum Volunteer. It is not the official response of OVO or Renault.

This sounds to me like you either have a fault with your vehicle, or you have discovered a possible security vulnerability. Just in case it’s the former, I strongly recommend that you get it to the dealer for inspection and possible repair ASAP because that fault may well get worse. If you don’t, well you risk having a ticking time bomb sat on your driveway.

In the alternative, if you have discovered a potential security vulnerability, then you should have informed both OVO and Renault privately first via proper channels. Doing so properly via Responsible Disclosure can potentially result in you being awarded a Bug Bounty which in turn could lead to a cash reward.

Alas, you have posted publicly and potentially leaked a security bug, which means I’m afraid you have unfortunately forfeit any chance of scoring a Bug Bounty and won’t be eligible for any rewards even if you found a valid security bug. I will have to escalate this to the Forum Moderators immediately just in case this is a security flaw that OVO needs to deal with. That escalation will be raised shortly after I post this response. Likewise, I will discuss with them as to whether this needs to be sent to the security response team at Renault.

Please bear with me. This… May take some time...


Blastoise186.

I do not know who you are or who you represent. I will tell you that Ovo is aware through proper means of the problem and I also made contact with Renault Customer Services. Ovo did take the problem seriously and I am indebted for their assistance. They say get car checked by Renault and at present it is booked in for a check - but they could not take the car in for 6 weeks as both dealerships I called said they are busy. They would not put me through to an engineer as both dealerships say engineers don’t take calls from users!

I mentioned before that the car has been fine since we removed the app and my plug-in hybrid accesses the charger as before without any need to “re-boot” the charger.


I’m just an independent forum volunteer. I don’t work in either the energy or car industries. However, I do work in IT and have a cybersecurity background.

OVO Support might be aware of what you’ve said, but that’s not the same as raising a security alert via Responsible Disclosure to OVO and Renault - those reports have to go a different way.

For OVO it’s https://ovoenergy.com/security and infosec@ovoenergy.com 

For Renault it’s https://www.renaultgroup.com/en/vulnerability-disclosure-policy/ and alert.cyber-security@renault.com 

I would highly recommend you send an email to both of those and explain the situation. You may want to also send them a link to this forum thread as well. It’s possible that it’s not just you that this issue affects - and both companies would appreciate it if you let their security teams know as a precaution.

I have notified OVO’s Information Security Team via email this evening as a precaution. But in future, if you think you’ve found a security issue anywhere, please refrain from posting about it publicly - most companies have private channels for doing so and there are directories like Bugcrowd and Hackerone that can help you find the details of where to go.


Hey @richardgc

I have reached out to the team about this.

I’ll pop back on here when I’ve got an update from them.


Hi @richardgc.

Really appreciate your patience while we’ve looked into this for you.

There’s no evidence of a security issue with the app and we don’t send any commands to the car outside of charge start/stop.

We’d like to look into this for you so have dropped you a PM.

