EV chargers vulnerable to attack


Many EV chargers, both home and public devices, have been shown to have security flaws – and strong standards are still lacking.

Last April, drivers on the UK's Isle of Wight were startled to discover pornography appearing on the screen of electric vehicle charging points in the local council's car parks.

The chargers had been hacked to redirect to a porn website following a change of network.

Similarly, and around the same time, charging stations along Russia’s M11 motorway between Moscow and Saint Petersburg started displaying pro-Ukranian messages after being hacked.

And while these cases are probably more amusing than dangerous, that isn't always the case. Two years ago, an investigation by the consumer group Which? found that home chargers from Pod Point suffered from a security vulnerability that exposed the full names, home addresses, and car-charging history of more than 140,000 customers.

Such examples may be only the tip of the iceberg, with security experts warning that there could be far more cases to come. An investigation from cybersecurity firm Pen Test Partners, for example, revealed vulnerabilities in six EV home charging brands and public charging network Chargepoint that could have allowed a hacker to hijack user accounts, impede charging, and even access the owner’s home network.

New attack vectors, new risks

In a new report, automotive security firm Upstream warns that EV chargers are now the leading attack vector in the sector.

Risks include the disruption of operations, theft of customer information, including payment information, and fraudulent payments, as well as the takeover of charger networks for use as bots in distributed denial-of-service (DDoS) attacks.

It's even been suggested that EV charging stations could pose a security risk to the national grid by causing instabilities, following research from the NYU Tandon School of Engineering.

"In simulations using publicly available information about charging station usage in Manhattan and the structure of the island’s power grid, our research team found that a fleet of just roughly 1,000 simultaneously charging electric vehicles would be adequate for mounting an attack whose effects could rival the blackout that affected the city’s West Side last month," commented assistant professor Yury Dvorkin.

The problem is the broad range of communications carried out when a car plugs into a charger. The vehicle, the charger, the driver's phone, the payment gateway, the management system, and the electricity grid are all involved, making for a significant attack surface.

Emerging standards

There are moves towards the introduction of security standards for EV charging stations. In the US, the National Highway Traffic Safety Administration (NHTSA) provides recommendations on software security for manufacturers. However, there are no mandatory standards.

It's the UK that leads in terms of EV charging security, thanks to new legislation introduced at the end of last year.

All home chargers must now comply with authentication standards and encrypt data. They must also allow owners to change settings to easily delete their personal data if they wish, and must be able to check regularly for security updates.

They must conform to Secure Boot standards, run only signed firmware, and must not include hard-coded security credentials.

Meanwhile, the Open Charge Point Protocol (OCPP), developed by the Netherlands-based Open Charge Alliance (OCA), is a communication protocol for charging stations and network management systems. It's aimed at not only improving interoperability between different car and charger manufacturers but also at protecting against some of the more common attack scenarios, such as server hijack, communications eavesdropping and charging station impersonation.

And the International Standards Organisation (ISO)'s ISO 15118.20 standard includes plug-and-charge capability, with security certificates used to automatically identify the EV to the charger and authenticate a payment method, as well as describing how data should be exchanged when energy stored in the EV battery is sent to the grid.

Unfortunately, though, these standards have by no means been fully adopted by the industry.

Research from Sandia National Laboratories has found that charging infrastructure still contains a number of vulnerabilities ranging from the ability to skim credit card information to using cloud servers to hijack an entire electric vehicle charger network.

"The government can say ‘produce secure electric vehicle chargers,’ but budget-oriented companies don’t always choose the most cybersecure implementations," says Brian Wright, who has been working on the project.

"Instead, the government can directly support the industry by providing fixes, advisories, standards, and best practices."