The growing popularity of electric vehicles (EVs) has drawn attention not only from fuel-cost-conscious consumers but also from cybercriminals, who see EV charging stations as a way to launch far-reaching attacks. That’s because every charging point, whether inside a private garage or a public car park, is online and runs a variety of software that interacts with payment systems and the electricity grid, as well as storing drivers’ identities. In other words, each one is a dense bundle of Internet of Things (IoT) software.
“As electric vehicle charging becomes more widespread, they will become attractive targets for more sophisticated hacker groups,” says Hooman Shahidi, CEO of EVPassport, a charging network provider. “Vendors must view their products as critical infrastructure and a critical component of our national security.” There are 2.5 million electric vehicles on the road in the United States, and more than half of them require plug-in chargers. Recognizing their popularity, the UK in 2022 mandated that charging stations be built into all new residential builds.
Charging stations face significant cybersecurity risks. “Issues include unsecured internet connectivity, insufficient authentication and encryption, lack of network segmentation, unmanaged energy resources, and more,” wrote researchers from Check Point Software and SaiFlow, the latter a cybersecurity specialist in distributed energy solutions. Compromised stations could, for example, damage the power grid or lead to the theft of customer data. “Chargers have personal and payment information and run a variety of protocols that are typically not recognized by traditional firewalls,” says Check Point Software’s Aaron Rose, who works in the CTO’s office.
The early cyberattacks on charging stations began a few years ago: a Russian station was attacked in February 2022 in response to the war in Ukraine, and three more were compromised in the UK in April 2022. Both incidents were little more than cyber pranks that displayed vulgar messages on the units’ screens. Last year Shell patched a vulnerability in a database that could have exposed millions of charging records from across its EV charging network.
New vulnerabilities continue to plague charging stations. Two, discovered by SaiFlow earlier this year, could lead to remote code execution and potential data theft. According to SaiFlow’s research, the exploits take advantage of weak authentication routines between the different software modules used in the stations. Charging station supplier Enel X Way lists a variety of other data compromises involving vehicle identification numbers, as well as exploits that could gain remote access to vehicle controls.
Elias Bou-Harb, a computer scientist at Louisiana State University, has studied the security of charging stations for some time. He found that nearly all charging products have major vulnerabilities, including exposure to well-known attack methods such as SQL injection and cross-site scripting. “What is particularly alarming is that some well-known security measures have not been implemented by most vendors, and that few of them have taken steps to improve their security even after identifying these weaknesses.”
IoT devices remain attractive targets
Of course, charging stations aren’t the only IoT devices that present targets of opportunity for cyber attackers; they are just one of many IoT device categories where exploits continue to increase, according to data from the US Federal Communications Commission (FCC). The combination of numerous smaller vendors with poor security design and practice, and numerous automated tools such as botnets to locate and compromise various devices, makes IoT devices in general easy targets for hackers.
But charging stations represent a complex, and therefore very rich and potentially exploitable, combination of elements that goes beyond smart TVs and smart speakers. For example, Check Point’s Rose says that “chargers have similar risk profiles but present a different attack surface than other smart devices.”
This is because chargers run management software tools “between the EV user and the car and between the charging station and the power grid and coordinate billing, authentication and delivered energy,” says Bou-Harb. “And on top of this complexity, this is also being implemented by cloud charging providers.” His research found that some of the software operated by these stations has been exploited for years “and that the vendors still haven’t realized they’ve been compromised, let alone fixed the problems.”
The Enel X Way blog post lays out a comprehensive eight-point framework for charging stations covering identity and access, risk management, emergency response and other factors.
In the sights of regulators
Both the United States and Europe are taking regulatory measures to try to rein in the security risks of charging stations, both public and private. In the UK, an anti-tampering law relating to home charging stations has been in place since 2022. This has resulted in security improvements from several vendors, as recently reported. Wallbox, a charging station supplier, has added security measures to its equipment to comply with these regulations, while other suppliers have abandoned European markets rather than improve their products.
Last year the EU proposed new cybersecurity measures for electricity grid operators and IoT providers under its NIS2 Directive, which goes into effect in October. Among other things, it includes stricter breach reporting requirements and imposes higher fines.
Another proposal is for the charging station industry to self-certify its devices, as Underwriters Laboratories does for various electronic devices. European automotive safety supplier Dekra has proposed a certification program for public charging stations which it claims is a first for the sector. It offers three different levels, ranging from basic security services to penetration testing of equipment.
The United States is lagging behind in these efforts. Last summer, the Biden administration proposed a cybersecurity labeling program for smart home devices. Called the Cyber Trust Mark, it would be administered by the FCC, building on work developed by the National Institute of Standards and Technology. “The Cyber Trust Mark is a great idea,” says Check Point’s Rose. “But execution will be key. The brand must be updated and based on continuous testing of devices.”
Last year, the National Institute of Standards and Technology (NIST) also proposed a series of recommendations for public charging stations to improve their cybersecurity. However, a key feature of the NIST, Cyber Trust Mark and Dekra initiatives is that they are all voluntary. “The guidelines for charging stations are a positive development,” wrote Ravi Lingarkar, vice president of product management at Akitra, on LinkedIn. “Without uniform cybersecurity standards, EV charging stations can become easy targets for hackers. It’s like allowing anyone to bring their own device into the network. Given the rapid expansion of EV charging infrastructure, cybersecurity is at the forefront of many potential problems.”
However, these efforts are early and incomplete. “Government regulations came too late,” says Bou-Harb. “The market is already saturated with various charging products. These vendors don’t really care about the security of their devices, which is often more of an afterthought. It’s time for charging vendors to band together, admit there is a problem and start working on solutions and sharing threat data.”
One potential obstacle is that electric vehicle chargers are under the purview of multiple regulatory agencies, such as the departments of Transportation, Energy and Homeland Security. Getting everyone to work cooperatively won’t be easy. “No one takes leadership,” Bou-Harb says.
“A simple step the government could take now would be to require the suspension of SOC2 for EV charging providers. We need to raise the bar,” says EVPassport’s Shahidi. The SOC2 standard focuses on security and privacy controls, among other elements.