Yes, Your Electric Vehicle Could Be Hacked

EV charging brings multiple security and privacy risks

3 min read
Nighttime photo of a woman looking at her phone as her electric vehicle charges.
iStock

This article is part of our exclusive IEEE Journal Watch series in partnership with IEEE Xplore.

In a world with ever-growing security and privacy concerns, add another item to the list of vulnerabilities: electric vehicle (EV) charging.

Marco De Vincenzi, a researcher at the Istituto di Informatica e Telematica (IIT) in Pisa, Italy, is trying to bring attention to this issue. He and his colleagues led a discussion on EV security and privacy vulnerabilities at the 2023 IEEE 97th Vehicular Technology Conference. The results of their presentation are highlighted in a subsequent conference paper.

De Vincenzi notes that when people plug their EVs into charging stations, it’s not just power flowing through those cables. “These charging stations handle all sorts of data, from how you pay to your exact location,” he explains. “But here’s the kicker: The rules to keep this info secure? They’re like a door with no lock.”

When and How Are EVs Vulnerable to Hacking?

Imagine, for example, if an ill-intended attacker installed malicious software at public charging stations. They could theoretically get lots of information from your car, including your car’s ID, how you pay, and how much battery power is left. In particularly worrisome situations, they could use the connection between the charging station and the car as an entry point to access your car’s internal software system and meddle with it. “This puts the owner’s vehicle at risk of unauthorized access and control,” says De Vincenzi.

Although it makes sense for attackers to focus their efforts on public charging stations, where they could reach many people, private charging stations in people’s homes could allow attackers to access more personal information. With the right kind of attack, hackers could use the private charging station to access the owner’s home systems.

But De Vincenzi cautions that the impacts of malicious attacks on EV security can extend beyond individuals. “EV charging stations are often linked to the broader energy grid, forming a connection that, if not properly secured, can become a gateway for trouble,” he explains.

For instance, if a skilled hacker were to successfully breach both the grid’s energy management system—which oversees energy distribution within entities like microgrids—and a charging station, the entire grid could be compromised. “Theoretically, this would grant the attacker the ability to access the system, read users’ information, extract energy without proper authorization, and undermine the payment infrastructure,” says De Vincenzi.

While these scenarios may seem unlikely, earlier this year one person proved that it’s possible to hack a charging station, when a bug in an Electrify America charger allowed him to gain nearly unlimited access to the charger’s internal system.

Conductive Charging vs. Inductive Charging vs. Battery Swapping

Not all charging methods are equally vulnerable to attacks. There are three main ways to charge an EV. Conductive charging involves a direct cable with AC or DC current. Inductive charging is essentially wireless charging, using electromagnetic waves. And then there’s battery swapping, where a used battery is exchanged for a fresh, fully charged one.

Among these three options, conductive charging is the most vulnerable to malicious attacks, because it has the weaknesses of the communication protocols and applied standards. In the case of wireless charging, some security protocols are already in place as the battery establishes its wireless connection to a charging station.

Ilaria Matteucci, a researcher at IIT who was also involved in the study, points to another factor that influences security and privacy: the time it takes to charge a battery. More charging time means more opportunity to launch an attack. DC charging is considered the fastest between the conductive and inductive methods—but nothing beats a quick battery swap.

Creating a More Secure Connection

When it comes to creating a more secure charging environment, one solution would kill a lot of birds with one stone: ensuring confidentiality when establishing connections between cars and charging stations.

The importance of protecting confidentiality has been highlighted as a key guideline by the U.N. Regulation No. 155 on cybersecurity. But De Vincenzi, Matteucci, and their colleagues emphasize the need to lay out practical ways in which regulatory entities and industry stakeholders can actually achieve this goal when it comes to EVs.

“Incorporating more tangible approaches is key,” says Matteucci. “This could encompass developing standardized protocols that protect sensitive data during charging, devising mechanisms to detect and prevent unauthorized access, and establishing clear frameworks for secure communication between EVs and charging stations.”

Moving forward, the research team at IIT will be conducting simulations of EV charging stations in order to uncover potential vulnerabilities. “Our plan involves attempting to breach the EV charging station security, either by gaining access to the vehicle’s network through [security compromises] or utilizing a compromised vehicle network to infiltrate the EV charging stations,” says Matteucci.

The Conversation (0)