Researchers have raised concerns over vulnerabilities in several major electric vehicle charging networks that could allow hackers to “power-jack” chargers, accessing EV user data and leaving the electricity grid open to service disruption and failure.
With the EV adoption curve hitting a steep upward ramp in coming years, researchers at the Concordia Institute for Information Systems Engineering (CIISE) in California have underlined the critical need for operators of electric vehicle charging networks to close holes in the security of their chargers in a new paper.
“We are about to see an exponential rise of EVs on the road,” says supervising author Chadi Assi, a professor at CIISE. “But without a secure charging infrastructure, customers will be reluctant to commit to electric cars.”
In a paper released in Science Direct, the researchers outline techniques used to test EV chargers using reverse engineering and penetration testing: what they describe as the “first-of-a-kind comprehensive security and vulnerability analysis” of a number of EV chargers made by some of the industry’s largest manufacturers.
Without naming the 16 manufacturers, they say that there are vulnerabilities in firmware of the chargers themselves, and well as in mobile and web applications used to access them.
Worryingly, not one charger was infallible, the researchers found. All could be hacked and potentially infected with malware that could turn the chargers on and off remotely, access user data, or engage multi-charger denial-of-service attacks effectively shutting entire charging sites down.
If multiple chargers were taken control of at one time, malicious hackers could overload the local power grid potentially creating blackouts.
The research paper also seeks to offer solutions to EV charger operators, thankfully.
In some cases the remedy is as simple as insisting on strong authentication methods such as secure passwords at the user’s end and stricter firewalls. Other fixes could be more complex depending on the case.
“Each vulnerability has its own case and requires a proper level of sophistication to resolve,” lead author Tony Nasr said.
“Other, more technical issues are only solvable from the developer’s side. These typically require implementing more robust security checks and mechanisms into the management system. However, these patches necessitate a careful review and longer time to apply.”
He cautions that with the growth of the electric vehicle industry, the risk is becoming greater. One such EV-related security risk was identified recently by teenage hacker David Colombo who discovered he could use a third-party program to gain access to Tesla cars and control certain features such as deactivating Sentry Mode, or opening car doors and windows.
“We have noticed that the attack surface – in this case, the number of EVs, charging stations and thus management systems – is growing,” Nasr says. “And the more this attack surface grows, the more potential there is for widescale cyberattacks to exploit and leverage them to conduct malicious activities.”
Bridie Schmidt is associate editor for The Driven, sister site of Renew Economy. She has been writing about electric vehicles since 2018, and has a keen interest in the role that zero-emissions transport has to play in sustainability. She has participated in podcasts such as Download This Show with Marc Fennell and Shirtloads of Science with Karl Kruszelnicki and is co-organiser of the Northern Rivers Electric Vehicle Forum. Bridie also owns a Tesla Model Y and has it available for hire on evee.com.au.