Then in that case, shouldn’t only the credit card machine be exposed to the internet, and the charger itself only expose the API for authorising charging to the credit card machine? The issue here is that the charger is a “smart thing” and exposes literally every system API to the internet. So instead of merely being able to de-authorise a charging session (falsely tell the charger you’re done charging and return to the “please pay to continue” screen), they can straight up brick the charger, steal data, or possibly even damage the car or halt and catch fire in a badly designed system.
Then in that case, shouldn’t only the credit card machine be exposed to the internet, and the charger itself only expose the API for authorising charging to the credit card machine? The issue here is that the charger is a “smart thing” and exposes literally every system API to the internet. So instead of merely being able to de-authorise a charging session (falsely tell the charger you’re done charging and return to the “please pay to continue” screen), they can straight up brick the charger, steal data, or possibly even damage the car or halt and catch fire in a badly designed system.