Hackers Are Starting to Target EV Charging Stations

Earlier this year, charging stations on the Isle of Wight in England displayed pornography on their screens. Others, on a freeway near Moscow, reportedly displayed a vulgar insult aimed at Russian President Vladimir Putin in protest of the invasion of Ukraine.These incidents recently reported by the BBC are not isolated.

Vehicles are becoming increasingly connected, making them more vulnerable to hackers. The various automotive features are typically run through smartphone apps, which means that vehicles are also connected to the daily lives of their users.

• Also: VinFast Customers to Get Free Charging, Home Charger
• Also: Electrify Canada Will Offer Free Vehicle Charging on Earth Day

In the case of electric vehicles, another cyber risk factor arises: they must be connected to charging stations for long periods of time. We’ve seen reports of Teslas getting hacked, unlocked and even disabled by hackers who were located thousands of miles from their prey. 

According to a recent study by Upstream Security, an Israeli provider of automotive cybersecurity platforms, EV charging stations are also growingly becoming enticing targets for hackers.

While attacks will be more and more common as charging networks grow, money could be become the main motivation behind these attacks. Hackers can target chargers to avoid paying charging fees, or even for ransom, locking users out of charging until they pay money.

"Cybercriminals can make money off of this now," says Yoav Levy, CEO of Upstream Security. "They want to make money in the easiest way they can. If they need to physically connect to vehicles, that can be difficult. But if they can find ways to hack remotely, this is how they can build scale."

What Are the Risks For Users?

As far as ransoms go, according to Upstream, the risks to consumers aren’t as big as those for fleets and corporations, for the moment.

"Is a consumer going to pay ransomware to release their charging station at home? I don't think so," he said. "But if you have a fleet, or if this is your business, then you face a bigger risk.

On one hand, charging stations are connected to local electrical grids, which could make them complete infrastructures vulnerable – not only charging stations. But they are also connected to individual vehicles, which also makes personal information stored within that vehicle vulnerable.

At the Circuit Électrique, Hydro-Québec's own charging station network, engineers are well aware of the situation and measures are being taken to counter attacks and protect users. "We are very sensitive to cyber security issues. These risks are managed proactively and integrated into several stages of our operations," explains Jonathan Côté, strategic advisor, corporate communications, public affairs and media at Hydro-Québec.

Canadian Universities Are Getting Involved

In a paper published in the journal Computers & Security, a team of researchers led by the University of Concordia in Montreal, Quebec studied the vulnerabilities in some the most popular EV charging stations.

The group at Concordia’s Gina Cody School of Engineering and Computer Science’s Security Research Centre evaluated 16 different EV charging station management systems (EVCSMS) and discovered vulnerabilities to manipulation and potential malware infection that could affect users, the stations themselves and even the power grid they are connected to.

This is what we call “white hat hacking”, which is conducted by researchers in order to find weak spots in infrastructures.

The experience showed that hackers could do things like turn the charging process ON or OFF, deploy malware targeting user data privacy, control multiple charging stations and use them to engage in denial-of-service attacks against other connected devices and could even potentially overload or underload the power grid if enough stations are being attacked at the same time.

 “We have noticed that the attack surface — in this case, the number of EVs, charging stations and thus management systems — is growing,” says Tony Nasr, the paper’s lead author. “And the more this attack surface grows, the more potential there is for widescale cyberattacks to exploit and leverage them to conduct malicious activities.”

For its part, Hydro-Québec and Le Circuit Électrique say that prevention begins with their suppliers. "As soon as the selection process for charging station suppliers starts, it is indicated that all suppliers must put protocols in place to monitor, detect and repel any cyberattack threat," says Jonathan Côté.

In addition, Hydro-Québec says it is working in partnership with Concordia University to address problems before they happen. "We have begun a project with Concordia researchers to detect potential flaws in order to improve the security of our network. We will be able to benefit from their expertise in this field and improve the security of our network. Some of the researchers who co-authored the article referred here are working with us on this project," concludes Jonathan Côté.

The rapid growth in demand for chargers and electric vehicles is pushing manufacturers to focus on production to keep up with the competition, while investing less time and effort in security analysis and evaluation, according to the paper.

With the considerable amount of funding allocated in the 2022 federal budget to build and support ZEV charging stations, it will become growingly important for automakers and charging providers to establish and maintain secure connections between chargers and vehicles in order to avoid threats.