The unexpected security threats posed by EV charging stations

Research demonstrates that EV charging stations can be a conduit for DDoS attacks, ransomware, theft of ID, and could jeopardize the security of the power grid.
12 August 2021

Even EV charging stations are not free from security flaws. (Photo by Frederic J. BROWN / AFP)

  • A cybersecurity company has identified several vulnerabilities in 6 home electric vehicle charging brands and a large public EV charging network
  • Vulnerabilities were identified in varied EV charging brands
  • Hacks to charging stations have become a particularly nefarious threat as a greater share of transportation becomes electrified

The number of electric cars on the world’s roads has surpassed 10 million, with roughly another million electric vans, heavy trucks and buses on the road, according to the International Energy Agency’s Global Electric Vehicle (EV) Outlook 2021. Complementing the rise would inevitably be the rapid development of EV infrastructure such as charging stations.

There are already over a million public EV charging plugs globally, as per BloombergNEF’s data and the demand shows no sign of abating. But while the security of EVs receives plenty of attention, the issue of securing EV charging stations is less well-known. This is even though EV chargers face numerous security threats that could have serious consequences.

What are the security risks of EV charging stations?

In a report published recently by UK cybersecurity firm Pen Test Partners, several vulnerabilities were identified in six home electric vehicle charging brands and a large public EV charging network. Although the charger manufacturers resolved most of the issues, the findings are the latest example of the unevenly regulated world of Internet of Things (IoT) devices, which are poised to become all but ubiquitous in our homes, workplaces, and vehicles.

The author of the report, Vangelis Stykas, said there were vulnerabilities detected in five different EV charging brands including Project EV, Wallbox, EVBox, EO Charging’s EO Hub and EO mini pro 2, and Hypervolt — not to mention public charging network Chargepoint. Stykas identified several security flaws among the various brands that could have allowed a malicious hacker to hijack user accounts, impede charging, and even turn one of the chargers into a “backdoor” into the owner’s home network.

What are the consequences?

The report indicated that the consequences of a hack to a public charging station network could include theft of electricity at the expense of driver accounts and manipulating chargers by turning them on or off. Besides that, given how several EV charger platforms had API authorization issues, it allows for account takeover and remote access of all chargers. 

One platform had no API authorization at all, and by knowing a short, predictable device ID, could lead to full remote control of the charger. “The same charger had no firmware signing, thus allowing new f/w to be pushed remotely and the charger used as a pivot onto the home network,” he added.

Some EV chargers like Wallbox and Hypervolt, according to Stykas, used a Raspberry Pi compute module, a low-cost computer that’s often used by hobbyists and programmers. He said the module could allow easy extraction of all stored data, including credentials and the Wi-Fi pre-shared key, or PSK. “As one could potentially switch all chargers on and off synchronously, there is potential to cause stability problems for the power grid, owing to the large swings in power demand as reserve capacity struggles to maintain grid frequency,” he noted.

Although all API and hardware vulnerabilities that were successfully disclosed to the vendors involved were remediated, apparently the Raspberry Pi hardware issues remain. However the risk of compromise seems low, given the need for physical access to the charger, the report highlighted. 

Stykas concluded that there has clearly been a distinct lack of security assurance in the smart EV charger space. “There’s something of an EV ‘gold rush’ going on as homes equip themselves with chargers and the public charging infrastructure offers more and more powerful charging. Basic API security has been missing, as has some basic secure hardware choice. Manufacturers have exposed users to fraud and/or prevented their cars from charging. They’ve also unintentionally created a method for others to destabilize our power grid.”