As more drivers get behind the wheel of electric vehicles, researchers and cybersecurity experts are expressing concern over the security of the systems that people use to charge them.
Canada now boasts a network of more than 6,000 public electric vehicle charging stations, according to Natural Resources Canada, with more being announced almost daily.
Public charging stations consist of a charger that plugs into the electric vehicle and a computer system that accepts payments from the user, all of which is connected to the public electricity grid and the internet. If you are an EV driver, or are contemplating becoming one, these public stations are key to giving you full use of your vehicle by allowing battery fill-ups while away from home.
Concerns exist at several levels about the security of public charging. David Masson, the Toronto-based director of enterprise security at Darktrace, a cybersecurity software provider, says that if you think of your car as a computer, and you plug it into a charging station that’s connected to the internet, you’re opening it up to being hacked. “As soon as you plug anything into anything else in the cyberworld, the thing that’s just been plugged in can either hack, or be hacked, by something else,” he says.
Beyond the car and the charger, he says, the user and any networks their phone is connected to may also be at risk.
Mr. Masson says most hackers are in it for the money, and foresees two likely scenarios. First, hackers could hold your car ransom by taking control of its systems. This could be an extremely effective strategy when employed on EV drivers, he says, because if you are “in the middle of nowhere, guess what you are going to do? You’re going to pay the ransom.” Second, a fleet of EVs and charging stations could provide a fertile ground for cryptojacking, which uses hacked computers to mine for cryptocurrency. With EVs, “you get a ready supply of battery power, which is going to get charged up regularly, and computing power in the car,” he says.
Mitra Mirhassani, co-director of the Shield Automotive Cybersecurity Centre of Excellence and associate professor of electrical and computer engineering at the University of Windsor, says that in addition to these threats, malicious actors or terrorists could also use hacked charging stations to misdirect public transit, and disrupt transportation by disabling charging stations.
She says a threat also comes from the potential for damage to the electricity network itself. If chargers can be hacked and controlled remotely, the built-in overrides that prevent them from overloading circuits can be breached, opening the possibility of damage to the power grid.
Concerns such as these were recently validated by Pen Test Partners, a British company specializing in penetration tests, or attempts to breach device and network security. Over an 18-month period that ended this summer, the company bought several different brands of electric vehicle chargers to try, and tested several provider networks.
Pen Test says its research found vulnerabilities that would allow for account hijacking, exposure of user data and the ability to control numerous chargers in sync to create power spikes in the electricity grid.
All of the companies involved were informed of the breaches and were able to rectify the security issues with their products. One of those companies was ChargePoint Holdings Inc., which has a public charging network in Canada and the United States as well as Europe. Pen Test Partners found a minor flaw in ChargePoint’s programming, which the company fixed within 24 hours of being informed it existed.
ChargePoint takes such challenges seriously. “We actively pursue people who are willing to do penetration testing and security testing, and if they find a vulnerability, they get paid for that, through our ‘bug bounty’ program,” said Eric Sidle, ChargePoint’s senior vice-president of engineering. “If you go out and you find something on our mobile app and you think you can try to break into it, and if there is an ability to find an issue, then we’ll work with you.”
Mr. Sidle says ChargePoint’s charging stations are designed with security in mind. He says the company takes measures such as ensuring that access ports are sealed behind the housing, and should they become exposed, operating systems are encrypted and secured with software that constantly scans for unplanned changes to the code that could signal an intrusion.
Ms. Mirhassani points out that weaknesses can be baked into chargers during the manufacturing process. She points to the supply chain shortages that are now endemic in manufacturing as potential chinks in the armour. “Hardware or software Trojans can be inserted during manufacturing without us knowing they are there,” she said. “With the supply chain shortage now, everyone buys whatever they can find in the market to make their systems and designs complete. Some of them are counterfeit, and they [can] bring cybersecurity flaws into these EV chargers.”
As an EV driver, there’s not a lot you can do to protect yourself beyond normal “cyberhygiene” measures to protect passwords and personal data, Ms. Mirhassani says.
Mr. Sidle agrees, adding that beyond such precautions, you have to choose the companies you deal with carefully. “Whether you go buy a laptop or anything connected to the cloud, anything that has payment services, you want to be mindful of who they are and how much they care about user privacy, user data and payments and everything else.”
Mr. Masson suggests that used vehicle buyers will need to start asking questions such as “when was this EV last virus checked?” – something that the industry is not yet prepared for.
But Ms. Mirhassani says the fundamental responsibility for data security lies with the industry. We “cannot expect the consumers to be worried every time when they want to charge their cars. It’s the automakers, the chargers, and everyone in between that should be responsible for securing it.”
Mr. Sidle points out that international standards for chargers and their networks are being developed along with standards to secure the cars themselves. But he agrees that the charging station providers must take control of their own security. ChargePoint, for example, is working to develop “an ironclad security capability to be able to transfer information from vehicle to cloud for personal privacy,” he adds.
Security is critical, Mr. Masson says. “We’re all aware of this as a problem now, so why don’t we deal with it now? You can’t wait before the problem actually happens.”
Up to now, cybersecurity solutions have been based on having “victims before you get solutions,” he says. But when you are talking about fast-moving vehicles and roads, “you can’t have victims before you have solutions. You need to employ technology – artificial intelligence – that spots the early sign that something has gone wrong, and you deal with it before the hack can actually happen.”