EV Charging Stations Still Riddled With Cybersecurity Vulnerabilities
As more electric vehicles are sold, the risk of compromised charging stations looms large, along with the potential for major cybersecurity exploits.
Electric vehicles (EVs) are increasingly popular not just with gas-conscious consumers but also with cybercriminals, who focus on using EV charging stations to launch far-reaching attacks. This is because every charging point, whether inside a private garage or in a public parking lot, is online and running a variety of software that interacts with payment systems and the electric grid, along with storing driver identities. In other words, they are an Internet of Things (IoT) software sinkhole.
"As EV charging becomes more widespread, they will become appealing targets to more sophisticated hacking groups," says Hooman Shahidi, the CEO of EVPassport, a charging network provider. "Providers need to think of their products as critical infrastructure and a critical component of our national security." There are 2.5 million electric vehicles operating in the US, and more than half of them require plug-in chargers. Acknowledging their popularity, back in 2022, the UK mandated charging stations be built in all new residential construction.
Charging stations face significant cybersecurity risks. "Issues include unprotected Internet connectivity, insufficient authentication and encryption, absence of network segmentation, unmanaged energy assets, and more," wrote researchers from Check Point Software and SaiFlow, the latter a cybersecurity specialist in distributed energy solutions. Compromised stations could damage the power grid, for example, or result in stolen customer data. "Chargers have personal and payment information and run a variety of protocols that aren't typically recognized by traditional firewalls," says Check Point Software's Aaron Rose, who works in the office of the CTO.
Cyberattacks on charging stations began a few years ago, when one Russian station was attacked in February 2022 in response to the Ukraine war and three more were compromised in the United Kingdom in April 2022. Both incidents were more like cyber pranks that displayed rude messages on the screens of the units. Shell patched a vulnerability last year in one database that could have exposed millions of charging logs from across its EV charging network.
New vulnerabilities continue to plague charging stations. Two of them, discovered by SaiFlow earlier this year, could lead to remote code execution and potential data theft. The exploits take advantage of weak authentication routines among the various software modules that are used in the stations, according to its research. Charging station vendor Enel X Way lists a variety of other data compromises involving vehicle ID numbers, as well as exploits that could gain remote access to the vehicle controls.
Elias Bou-Harb is a computer scientist at Louisiana State University who has long studied charging station security. He has found that almost every charging product has major vulnerabilities, including well-known attack methods such as SQL injection and cross-site scripting. "What is particularly alarming is that some well-known protective measures haven't been implemented by most of the vendors, and that few of them have taken steps to improve their security even after we identified these weaknesses."
IoT Devices Remain Attractive Targets
Certainly, charging stations aren't the only IoT devices that are targets of opportunity for cyberattackers; they are just one of a multitude of IoT devices where exploits continue to increase. The combination of numerous smaller vendors with poor security design and practice, and numerous automated tools such as botnets that locate and compromise devices, makes all IoT devices easy targets for hackers. Data from the US Federal Communications Commission (FCC) increased since then.
But the charging stations do represent a complex — and therefore very rich and potentially exploitable — combination of elements that can go beyond smart TVs and smart speakers. For example, Check Point's Rose says that "chargers have similar risk profiles but present a different attack surface to other smart devices."
What this means is that the chargers run management software tools "in between the EV user and the car and between the charging station and the power grid and coordinate billing, authentication, and supplied power," Bou-Harb says. "And adding to this complexity, all of this is also deployed by the charging vendors in the cloud." His research has found that some of the software run by these stations has been exploited for years, "and that vendors haven't yet realized they have been compromised, let alone fixed the problems."
Enel X Way's blog post lists a comprehensive eight-point framework for charging stations that covers identity access, risk management, emergency response, and other factors.
In Regulators' Crosshairs
Both the US and Europe are taking regulatory steps to try to rein in charging stations, both public and private. The UK has had an anti-tampering law in effect since 2022 that applies to home-based charging stations. This resulted in security improvements from several vendors, as recently reported. Wallbox, a charging station vendor, added extra security safeguards to its equipment to comply with these regulations, while other vendors have dropped out of European markets rather than improve their products.
Last year, the EU proposed new cybersecurity safeguards for electric grid operators and IoT vendors in its NIS2 directive, which will take effect in October. It includes stricter breach reporting requirements and levies higher fines, among other items.
Another proposal is to have the charging station industry self-certify its devices, much as Underwriters Laboratories does for various electronics. European automotive safety vendor Dekra proposed a public charging station certification program that it claims is an industry first. It offers three different levels that range from providing basic security services to penetration testing of the equipment.
The US is lagging in these efforts. Last summer, the Biden administration proposed a cybersecurity labeling program for smart home devices. Dubbed the Cyber Trust Mark, it would be administered by the FCC, based on work developed by the National Institute of Standards and Technology. "The Cyber Trust Mark is a great idea," Check Point's Rose says. "But execution is going to be key. The mark must be updated and based on doing continuous testing of devices."
Last year, the National Institute of Standards and Technology (NIST) also proposed a series of recommendations for public charging stations to improve their cybersecurity. However, one key element of the NIST, Cyber Trust, and Dekra initiatives is that they are all voluntary. "The charging stations' guidelines are a positive development," Ravi Lingarkar, vice president of product management at Akitra, wrote on LinkedIn. "Without uniform cybersecurity standards, EV charging stations can become easy targets for hackers. It's like enabling anyone to bring their own device to the grid. Given the rapid expansion of the EV charging infrastructure, cybersecurity is at the forefront of many potential problems."
Still, these efforts are early and incomplete. "The government regulations have come too late," Bou-Harb says. "The market is already saturated with various charging products. These vendors don't really care about the security of their devices, which is often more of an afterthought. It's time for the charging vendors to come together, admit there is a problem, and start working on solutions and sharing threat data."
One potential roadblock is that EV chargers are under the purview of multiple regulatory agencies, such as the departments of Transportation, Energy, and Homeland Security. Getting them all to work cooperatively isn't going to be easy. "No one is taking leadership," Bou-Harb says.
"A simple step that the government could take now would be to require SOC2 pending for EV charging providers. We need to raise the bar," EVPassport's Shahidi says. The SOC2 standard focuses on security controls and privacy, among other items.