Electric vehicle (EV) chargers are riddled with vulnerabilities that could expose confidential data, compromise Wi-Fi networks, and, in the worst-case scenario, bring down electrical grids.
Charging stations are connected through a complete ecosystem of platforms such as smartphone applications, cloud services, and internet networks. Connectivity has intertwined everything, so a cybersecurity error would wreak havoc.
To cite just one example, hackers can remotely connect to a charger and install malware.
This opens the door for an attacker to overheat an EV’s battery or even take control of an entire vehicle. However, it’s the cumulative impact of these types of attacks that causes the most harm.
The electrical grid is designed to operate in a relatively stable state, and a significant problem arises if there’s a huge increase in demand or a major drop.
Any situation could be caused by a coordinated group of electric vehicles suddenly “charging or not charging.”
The act of hacking is so swift that it took researchers at Pen Test Partners – a cybersecurity research company based in the UK – less than ten minutes to hack a domestic charger.
They opened it with a tool, removed one of the hardware chips, and extracted the user’s personal data.
“We’ve created attacks that could be used to turn on thousands and thousands of EV batteries simultaneously, which could cause energy spikes in the network and blackouts,” cybersecurity experts argue.
What are the common flaws detected in an electric vehicle charger that leave it vulnerable to hacking? The analysis by experts at Pen Test Partners.
Hardware issues with an electric vehicle charger
Researchers at Pen Test Partners discovered that a domestic charger had two security flaws.
The first – as mentioned earlier – is related to hardware.
The likelihood of someone being outside your home to hack a charger is low, but the consequences can be severe because they gain highly sensitive and personal information.
Not only can they access the owner’s Wi-Fi keys, but they can also intercept passwords and potentially steal banking credentials.
The second flaw they detected was in the processor, which ran on a hardware platform called Raspberry Pi Compute Module 3.
“Raspberry Pis are great for education and prototyping, but they’re not really suitable for a commercial product like this,” they explain.
Pen Test Partners found that the charger did not properly verify who the user was when controlled by its smartphone application.
And, as a result, this meant they could connect to anyone’s charger and tell it, for example, what to turn off and what to turn on.
Design issues with an electric vehicle charger
Sometimes the security flaws in an EV charger are related to design problems, as is the case with Project EV.
“We opened the charger, and there was obviously a lot of charging technology there, but what concerned us was that all we needed to access was the serial number on the side of the device,” cybersecurity experts point out.
That serial number acted as a credential to access the software, allowing anything from hijacking user accounts to preventing charging.
Project EV stated that they fixed the flaw by updating the software.
“Individual users must take personal responsibility for updating their applications to ensure they have the latest security protocols for their product,” the company said in a statement.
RECOMMENDATION: Consumers should make sure to choose a strong and secure password that they don’t use anywhere else.
