Do EV Chargers Present a Cybersecurity Risk?

Electric vehicle chargers present a unique cybersecurity risk. With enough knowledge, threat actors could tamper with cars or even turn off sections of the power grid. Addressing these security concerns is crucial since they will only grow as demand increases.

Why Are EV Chargers a Cybersecurity Risk?

EV chargers are a cybersecurity risk because most are unsecured and highly interconnected. Often, the units receive few updates and little oversight, so the issue only grows as their number increases.

As the attack surface expands, it becomes easier for hackers to find new vulnerabilities. In 2021, the United States announced its goal to add 500,000 stations to the existing 100,000 with a $15 billion investment. After a fivefold increase like this, the country’s cybersecurity risk will grow significantly.

Who Is at Risk of a Cybersecurity Incident?

Every person using EV chargers or operating on a connected network is prone to a cybersecurity incident. Arguably, everyone is at risk, considering hackers could affect the power grid if they wanted.

Drivers using slow chargers may be more at risk because they spend more time connected to a potentially infected unit. Since quick charging is more expensive, most choose to take their time to save money. Doing so may make them more prone to a cybersecurity incident.

How Are Charging Stations Vulnerable?

Charging stations have a variety of vulnerabilities because of their weak security measures or external connections. For instance, manufacturers and installers often integrate stations into building automation or management systems to monitor and control charging. The attack surface broadens because of this, increasing the risk of a cybersecurity incident.

These are some of the known vulnerabilities affecting EV chargers:

• Malicious data injection: Anyone can collect network keys and inject malicious data into network sessions.

• Faulty display: Hackers can use malware to falsify a display’s battery charge level.

• Charging session disruption: Using software-defined radio running on less than 1 watt of power, hackers can wirelessly abort a charging session from nearly 155 feet away.

• WiFi tampering: With home charging stations, attackers can leverage unsecured networks to exploit many of the same system vulnerabilities.

  
  

The demand for EVs is incredibly high and only growing, meaning there are likely many more vulnerabilities the general public isn’t aware of.

What Cybersecurity Risks Do EV Chargers Pose?

Spoofing, data theft, session disruption, and system tampering are some of the main cybersecurity risks of EV chargers. Each vulnerability leads to significant adverse outcomes.

These are some of the most potentially severe cybersecurity risks:

• Information theft: Individuals can steal personally identifiable information — like credit card numbers — after exploiting the EV-to-charger connection. The absence of transport layer security on public stations makes them incredibly susceptible to side-channel attacks.

  
  

• Distributed denial-of-service attack:  If a hacker systematically hijacks chargers with a DDoS attack, they could bring down the power grid. In 2019, researchers at New York University Tandon found they only needed to exploit 1,000 EV-to-charger connections simultaneously to blackout entire sections of a city.

  
  

• Credential theft: With malicious data injection, a hacker could steal credentials to spoof an EV. They could hijack charging sessions or launch a masquerade attack with this method.

  
  

• Man-in-the-middle attack: Hackers can spoof the connection between the charger and the vehicle. At best, this could result in power theft. At worst, it involves falsifying malfunction errors to prevent the EV from charging or operating effectively.

  
  

• Charging session disruption: It’s possible to extract a vehicle’s GPS data to manipulate how the station views its location, disrupting the charging process with similar effects to a DDoS attack.

With enough knowledge, someone could bring entire sections of the power grid down using only a few charging EVs. They could also engage in a mass identity theft campaign or disable cars from operating.

Who Is to Blame for the Charger Vulnerabilities?

If anyone is to blame for charger vulnerabilities, it’s the federal government and suppliers like Tesla and Electrify America. They’re among the biggest providers of public charging stations, meaning cybersecurity is primarily their responsibility.

In January 2023, an individual took complete control of an Electrify America public charging station using only his phone. The vulnerability was evident because the unit’s screen displayed what looked like the back end. He accessed its internal computer after only a few seconds.

He only tampered with it to show his followers the vulnerability, admitting someone with more knowledge could skim personally identifiable information. While Electrify America made a statement admonishing his actions — stating unauthorized access is potentially a serious crime — it didn’t immediately take action beyond making a vague statement about investigating.

Is Anyone Addressing the Cybersecurity Concerns?

While some governments and companies have taken steps to address the cybersecurity concerns of EV charging, there are no widespread requirements as of 2023. Since there is no standardized protocol to follow, it effectively weakens the integrity of all systems.

Industry experts project EVs will make up 45% of new automotive sales by 2035, making nearly 50% of all passenger vehicles electric. Government incentives may increase this figure even further. Since more will soon be on the road, who will monitor them and ensure they’re secure?

The United Kingdom is among the few countries that have taken steps to increase charging station cybersecurity. It requires they have credential authentication, data encryption, and information deletion options. Service providers must also provide regular updates to minimize the chances of vulnerability exploitation.

As of 2023, the United States Federal Highway Administration and Department of Transportation have only established minimum cybersecurity standards for projects the government funds. While the requirements are a step in the right direction, their applications are incredibly narrow.

To address the cybersecurity concerns of EV charging, the government must step in to mandate minimum security measures and consumer safety requirements. This approach is especially critical, given how many of these vehicles will be on the road by 2030.

The Future of EV Charger Cybersecurity

Most charging stations aren’t secure because companies, installers or the buildings they connect to are lenient with cybersecurity. If EVs are to be the future of consumer transportation, they must address concerns swiftly.