Electric Vehicle Charging Networks Are Vulnerable to Hackers “not dissimilar from many modern IoT devices”

By B.N. Frank

Experts have been warning about vulnerabilities associated with Internet of Things (IoT) technology for years (see 1, 2, 3, 4). Now experts are warning that IoT technology being used for Electric Vehicle (EV) charging stations also carries significant risks.

From Ars Technica:

How big is the risk that someone will hack an EV charging network?

EV chargers are on the spectrum of the Internet of Things, and that means risk.

Gordon Feller

There are many good reasons why an EV charger should be networked, but it does come with vulnerabilities.

The Infrastructure Investment and Jobs Act, as passed by Congress last November, authorizes $7.5 billion to help meet US President Joe Biden’s goal of installing 500,000 stations by 2030. Biden aims to have EVs represent half of all new vehicles being sold in the US by 2030. But as the number of stations increases, the number of vulnerabilities does as well.

For the past several years, hackers have been busy aiming their attacks at electrical system vulnerabilities. In the case of charging stations, some of these soft spots are located inside the stations; some are located inside the equipment that controls connections between the grid and the station; and still, others are inside assets that sit on the grid side of the relationship, and these are mostly owned by utilities. Europe-based wind power companies (Deutsche Windtechnik AG, Enercon GmbH, and Nordex SE) have suffered attacks focused on stopping the flow of electrons, identity theft attacks, and stolen payments. In most cases, the results can be service disruptions affecting customers and revenue reductions for the providers of electrons and/or asset owners.

Hackers perpetually seek out ways to use any and all system vulnerabilities to their maximum advantage. This is a problem for the consumer, just as it is for commercial enterprises. Added to the stresses created by several types of hacker disruptions—physical destruction; electronic jamming; creating a “Denial of Service”—are concerns about weak control systems. From his perch at PlugInAmerica.org, Ron Freund worries that the existing supervisory control and data acquisition hardware is primate.

“It doesn’t handle the simple faults gracefully, and is not reliable, much less scalable. But it also is not yet on the Internet, so is inaccessible (for the most part). In fact, it’s scary how primitive some of these systems still are,” Freund told me.

Protect your backend

Situated at the heart of EV infrastructure are stations connected to a central control unit, commonly referred to as “the backend.” This backend communicates over a wireless network using the same technology as a SIM card (in other words, it uses machine-to-machine communications). Stations collect sensitive data such as payment data, location data, and demographic data that might include email addresses and IP numbers. Since a mobile app or an RFID card is used to access the station, sensitive data is also collected on the apps, including location data and online behavior history.

According to Thomas Russell of the National Cybersecurity Center, “this data can be used to find patterns of daily routines and location data as well as private information.” Networked stations have obvious advantages for operators, who can monitor usage and reliability in real time, but being networked means being vulnerable.

According to Joe Marshall at Cisco Talos, “The most vulnerable elements of an electric vehicle charging station will usually be the EV management system (aka the EVCSMS). Vendors who own these stations need to stay connected with them over the Internet to process payments, perform maintenance, and make their services available to EVs.” Consequently, this can expose their stations to attackers who may seek to exploit that EVCSMS.

Marshall is distressed that EVCSMSes are “vulnerable in numerous ways.” Many are developed with poor security practices—from hard-coded (and thus stealable) credentials to poor security code development that lets attackers exploit management interfaces to compromise the system. He thinks that “this is not dissimilar from many modern IoT devices, like web cameras or home routers” that traditionally have poorly designed security. EV management system is incredibly similar to other IoT products and markets, as well.

The Critical Infrastructure Security Agency (CISA) is the US federal reporting agency responsible for security disclosures. CISA issued several security alerts on EVCS systems. There are many companies in the EVCS space, Marshall says, that, looking through that companies list, “it’s difficult to say who is aware of their security vulnerabilities, though certainly if there’s a Common Vulnerabilities and Exposures (CVE) issued, you’re aware that vulnerabilities are in your product.”

Looking at the full breadth of the problem, Marshall doesn’t seem to have much good news to offer.

“Outside of the known security alerts, there does not seem to be much additional security research occurring on EVCS or their management systems,” Marshall said. In his view, the prognosis going forward “is not great,” and he cites “a rush of companies [that] want to join the EVCS market as electric cars become more prominent on our roads. These companies typically make security an afterthought, if at all, in their products.”

Do we need a cybersecurity standard?

Read full article

Additionally, experts have warned that EV mandates actually threaten the U.S. grid and will increase (not decrease) the need for fossil fuels. U.S. grid operators have warned of the potential for blackouts if the switch to renewable energy isn’t slowed down.

EV concerns, risks, and warnings don’t stop there. EV batteries (including for E-Bikes) have been catching fire and exploding – sometimes while being charged – and that there have been recalls and investigations to address this issue too (see 1, 2, 3, 4, 5, 6, 7, 8). Last month Toyota recalled its EV SUV due to tire problems also.