The Cybersecurity Achilles Heel of EV Chargers


September 9th is the World Electric Vehicle Day for raising awareness about electric vehicles in a push to create better sustainability programs and public policy. With nation-states and manufacturers setting ambitious green energy goals, reliant on the mass rollout of Electric Vehicle (EV) charging stations to support sustainable mobility, the vulnerability of these endpoints must be part of the conversation.

 A soaring demand for EVs and EV charging Infrastructure

As oil prices soar and governments striving to reduce global warming, more and more drivers are considering switching to an electric vehicle (EV). According to Ernst & Young’s 2022 Mobility Consumer Index, 63% of car buyers surveyed worldwide intend to buy an electric or hybrid model car during the next 12 months, with environmental concern as the top motivator. This massive electric vehicle growth must be supported by a widespread charging infrastructure.

According to the European EV Charging Infrastructure Masterplan, up to 6.8m public charging points are required by 2030. This implies that up to 14,000 public charging points need to be installed on a weekly basis until 2030, adding up to a total amount of up to €280bn that will need to be invested in installing public and private charging points, upgrading the power grid, and building capacity for renewable energy production.

But Electric Vehicle Charge Points are Vulnerable

In 2021, a cybersecurity company from the U.K. called Pen Test Partners identified over a half-dozen vulnerabilities in private-use EV chargers and one public-use charger. In addition to giving hackers the ability to affect the charger’s operations, some of the flaws discovered could even have been used to gain backdoor access into an owner’s own home network. 2021 research published by Tony Nasser also found seven 7 vulnerabilities affecting Schneider Electric’s EVlink chargers’ product line. Other experts have issued warnings, including the Critical Infrastructure Security Agency (CISA), the US federal reporting agency responsible for security disclosures. CISA issued several security alerts over the past four years on EV systems including exploitations on EV charging stations that are exploitable remotely and with low level of skill needed.

For individual consumers contemplating buying an EV, this is obviously disconcerting. The risks with public charging stations are potentially even scarier however, as those chargers are connected to the internet and the public power grid. A hacker who breached a swath of connected EV chargers could conceivably turn them all on at once, spiking power demand and potentially crashing sections of the local power grid unequipped to deal with large, unscheduled swings in usage.

One obvious reason why EV charging stations both public and private are eminently hackable is that in most cases they are physically accessible to bad actors. The data collected by the EV charging station, if compromised, can also be used to find patterns of daily routines and location data as well as private information of the user.

Attack persistency: A gateway to EV chargers apocalypse   

Existing approaches focus on preventing attacks. For this to succeed, the device operator must always remain at least one step ahead of the adversaries. As demonstrated by Pen Test Partners, and in numerous other real-world occasions, it’s not achievable to stay ahead of the threats. True device level protection requires prevention of persistency within the device. Persistent attack scenarios (typically called Advanced Persistent Threat – APT) are one of the biggest cyberthreats and experts’ concern nowadays. Persistent attacks attempt to gain unauthorized persistent presence inside a device, allowing the attacker to cause greater damage over a longer period of time. Once the attack is persistent, a restart operation will not be able get rid of the malicious code ingrained in the device.  There are many ways in which APT attacks typically manifest themselves. This includes fraud and theft, ransomware, state-level attacks to critical infrastructure, personal data theft, and Distributed Denial of Service (DDoS) and more.

IIOT Security Approaches

EV chargers must avoid persistent changes to their critical code and configuration data in all circumstances. While adversaries may be able to access the processor on any EV charger, their actions can be nullified through a restart operation. However, in the event that they are able to access the device’s Non-Volatile Memory, where critical code and data reside, they can take control of the device and the operator’s ability to operate the device may be denied.

Next Steps to Ensuring EV Charging Unit Security

As EVs and the associated infrastructure become more and more critical to our mobility plans and energy supply it is necessary to ensure that the worst-case scenario is eliminated. Without an on-device protection, blocking all attempts to modify any change to the critical code and configuration data, the EV charge points will retain an inherent and possibly fatal vulnerability. The importance of preventing misuse or tempering with the mentioned critical information is for the benefit of the general public privacy and the operator’s business continuity.

More should be done to let consumers and legislators know about the dangers presented by vulnerable EV charging stations. Manufacturers are unlikely to act on their own unless they feel economic or regulatory pressure, so raising awareness should become a priority. As that happens, an enforceable security standard for EV charging stations needs to be created to enforce and manufacturers must adhere to it. This standard should cover all aspects of device-level security because while it will be nearly impossible to prevent attacks on stations from happening given their physical location, it is possible to ensure these attacks are unsuccessful in gaining persistency.

The lofty green energy goals will not be met if the necessary infrastructure is left vulnerable, so if we are to take clean energy seriously, we must take the security implications seriously, too.

Want to learn more about EV Chargers protection? schedule a demo or contact us

Author: David Stroud, NanoLock’s GM Europe and APAC