Good evening @richardgc,
This comment was posted by a Forum Volunteer. It is not the official response of OVO or Renault.
This sounds to me like you either have a fault with your vehicle, or you have discovered a possible security vulnerability. Just in case it’s the former, I strongly recommend that you get it to the dealer for inspection and possible repair ASAP because that fault may well get worse. If you don’t, well you risk having a ticking time bomb sat on your driveway.
In the alternative, if you have discovered a potential security vulnerability, then you should have informed both OVO and Renault privately first via proper channels. Doing so properly via Responsible Disclosure can potentially result in you being awarded a Bug Bounty which in turn could lead to a cash reward.
Alas, you have posted publicly and potentially leaked a security bug, which means I’m afraid you have unfortunately forfeited any chance of scoring a Bug Bounty and won’t be eligible for any rewards even if you found a valid security bug. I will have to escalate this to the Forum Moderators immediately just in case this is a security flaw that OVO needs to deal with. That escalation will be raised shortly after I post this response. Likewise, I will discuss with them as to whether this needs to be sent to the security response team at Renault.
Please bear with me. This… may take some time...
Blastoise186.
I do not know who you are or who you represent. I will tell you that OVO is aware through proper means of the problem and I also made contact with Renault Customer Services. OVO did take the problem seriously and I am indebted for their assistance. They say get car checked by Renault and at present it is booked in for a check - but they could not take the car in for 6 weeks as both dealerships I called said they are busy. They would not put me through to an engineer as both dealerships say engineers don’t take calls from users!
I mentioned before that the car has been fine since we removed the app and my plug-in hybrid accesses the charger as before without any need to “re-boot” the charger.
I’m just an independent forum volunteer. I don’t work in either the energy or car industries. However, I do work in IT and have a cybersecurity background.
OVO Support might be aware of what you’ve said, but that’s not the same as raising a security alert via Responsible Disclosure to OVO and Renault - those reports have to go a different way.
For OVO it’s https://ovoenergy.com/security and infosec@ovoenergy.com
For Renault it’s https://www.renaultgroup.com/en/vulnerability-disclosure-policy/ and alert.cyber-security@renault.com
I would highly recommend you send an email to both of those and explain the situation. You may want to also send them a link to this forum thread as well. It’s possible that it’s not just you that this issue affects - and both companies would appreciate it if you let their security teams know as a precaution.
I have notified OVO’s Information Security Team via email this evening as a precaution. But in future, if you think you’ve found a security issue anywhere, please refrain from posting about it publicly - most companies have private channels for doing so and there are directories like Bugcrowd and HackerOne that can help you find the details of where to go.
Hey @richardgc
I have reached out to the team about this.
I’ll pop back on here when I’ve got an update from them.
Hi @richardgc.
Really appreciate your patience while we’ve looked into this for you.
There’s no evidence of a security issue with the app and we don’t send any commands to the car outside of charge start/stop.
We’d like to look into this for you so have dropped you a PM.