
EV charging infrastructure is growing, with new charging stations coming up in new areas, but is it secure enough? The electric charging systems you’re now encountering are outdated, poorly secured, and could someday be used to destabilize the entire electrical grid.

Sandia National Laboratory researchers have publicly disclosed vulnerabilities in EVSE equipment, and have done their own tests on 10 types of EV chargers with colleagues from Idaho National Lab.

Brian Wright, a cybersecurity expert at Sandia, said, “Can the grid be affected by electric vehicle charging equipment? Absolutely. It is within the realm of what bad guys could and would do in the next 10 to 15 years. That’s why we need to get ahead of the curve in solving these issues.”

There are plenty of ways criminals could be exploiting our networks right now. Sadly, it’s a grab-bag of the same old problems we’ve seen in other tech sectors.

EV Charging Infrastructure: Is It Secure?

The researchers said in their paper, “There have been multiple demonstrations of stealing credentials or influencing charging sessions via the EV-to-EVSE connection.” In one case, they were able to interrupt charging by using a software-defined radio and less than 1W of power from 47 meters away.

RFID cloning is currently possible in early-generation EVSE infrastructure, which can result in thieves charging your card without you knowing it. Some iOS and Android apps used to manage charging sessions could also easily be reverse-engineered to reveal weaknesses in the EVSE management and vendor cloud interfaces, the researchers said.

Electric vehicle chargers (EVSE) use web services that are vulnerable, so an attacker could access the charger through a local smartphone or computer. What’s worse is that these chargers accept firmware updates from manufacturers over the public internet. This leaves the chargers themselves open to attack.

The Tencent Research Team used a Raspberry Pi-powered X-in-the-middle attack to score free power-ups for electric cars. For electric car chargers in the UK, the mandatory use of a secure boot is set to lapse by 2023.

Communications between chargers and cloud services suffer from a variety of problems. These include missing authentication, input fields not being sanitized, and the possibility of a supply chain attack due to manufacturers having remote control.

One of the biggest challenges companies face when securing their hardware is preventing attacks. In this case, an attacker could upload malicious firmware to expose outdated Linux kernels running superfluous services accessible by an exposed USB port. Even worse, some chargers were found to be running on platforms without secure bootloaders.

Our security audit revealed some worrying issues. Not only were there numerous hard-coded credentials and passwords, but our team also found some questionable cryptography.

We’ve learned over the last year that some of the EV charging companies have treated cybersecurity in the same way as the companies behind IoT devices: As an afterthought.

Jay Johnson, the Sandia engineer who led the project, hopes their findings will serve as a baseline for understanding today’s state of the industry. Getting it fixed is vital, especially given its current condition. He further explained, “By conducting this survey of electric vehicle charger vulnerabilities, we can learn what security improvements need to be made and recommend them to policymakers.”

“The government can say produce secure electric vehicle chargers, but budget-oriented companies don’t always choose the most cyber secure implementations,” Wright said. “Instead, the government can directly support the industry by providing fixes, advisories, standards, and best practices.”

Sandia’s recommendations for basic cyber hygiene are typical and include removing unneeded services, keeping software up to date, locking physical ports, and using proper encryption.

The firm also suggested implementing better methods of EV owner authentication, such as plug-and-charge public key infrastructure, as well as network intrusion detection systems and firmware updates from code-signed sources. These best practices are covered in its charging industry suggestions [PDF].

Johnson’s team isn’t done yet and has received follow-on funding to make some changes that were recommended by the Idaho and Pacific Northwest National Laboratories. They are working together to develop a system for EV chargers that will use new methods to protect public infrastructure from ne’er-do-wells.

Until we see some changes in the government, nothing will improve.

According to Arnold, multiple EVSE manufacturers are struggling with high demand, “while regulations have been discussed, Johnson said it’s unlikely they’ll appear for at least a year.” Note that this applies in the US; the UK already has regulations on EV chargers that will take effect next year.

Vendors that have improved their security are often at a market disadvantage against companies that favor rushing products to market. Johnson added, “Until there’s the regulation to level the playing field, market trends will favor the insecure systems.”
