Are Electric Vehicle charging infrastructures ready to face cyberattacks?

Are we safe?

With the rise in popularity of electric vehicles, charging stations play a crucial role in the transition to cleaner, more sustainable transportation. However, charging stations are not free of cybersecurity risks. Indeed, due to their connectivity, they can be the target of cyber attacks.

Attacks on EVCS (Electric Vehicle Charging Station) are of various kinds, ranging from attacks on home charging stations, to public charging stations, to charging station management networks.

Attacks on home charging stations

Home charging stations for electric and plug-in hybrid vehicles offer an increased level of convenience for the user, but the ability to control charging remotely can create vulnerabilities. For example, malicious people can take control of home charging stations to prevent an electric vehicle from charging or to push the charging power to the maximum, potentially damaging the home’s electrical system. To avoid these risks, it is recommended to regularly update the software that drives the home charging station, not to use a default password, and to separate the network on which the charging station is located from the network used for web access for computers, tablets and other personal communication devices.

Attacks on public charging stations

For public charging stations, hackers can easily duplicate a user access badge or abuse the Open Charge Point Protocol (OCPP), which is used for data exchange between billing management systems and the charging point. In addition, the often easily accessible USB ports on charging stations can be used to collect data or modify the station’s driver by replacing it with custom firmware. In 2018, researchers at Kaspersky Lab found that many charging stations were still using the 2012 version of the OCPP protocol, making it easier for hackers to attack. Data collected from public charging stations can include the login and password for the OCPP server as well as credentials from previous users.

Attacks on users

Attacks on users are also a major cybersecurity concern for electric vehicle charging stations. Hackers can intercept communications to access sensitive data such as user credentials, credit card numbers and other personal data by using existing vulnerabilities. Various vulnerabilities have been identified in some models of charging stations, such as:

  • XSS (Cross Site Scripting) injections that can allow user account theft.
  • SQL injections or the presence of hardcoded credentials that could allow the total takeover of the charging station.
  • Information Disclosure that can give any kind of information to an attacker.

To avoid these risks, manufacturers must ensure the security of their charging stations on an ongoing basis, implement security patches or monitor the charging stations. Users should ensure that strong passwords are in place to protect their data. Users should also use secure payment methods such as Paylib or “e-Carte Bleue”; if you want to use your credit card, make sure to use the 3D Secure authentication system.

Attacks on power grid infrastructure

Finally, attacks on power grid infrastructure are also a significant risk to electric vehicle charging stations. Indeed, with enough rights and charging stations compromised, it is possible to carry out a frequency instability attack scenario against the power grid, causing the demand for electricity to suddenly fluctuate. Cybercriminals can target power grid infrastructure to disrupt the availability of electrical power, which can impact not only electric vehicle charging but also nearby buildings. This type of cyber attack requires serious resources and is not for the average person.
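On the monitoring side, an operator of a charging station management network can watch for the signature described above: many stations changing their charging power sharply and at the same moment. The following sketch is an added example, not part of the original article; the station names, the sample readings and the thresholds (`step_kw`, `min_fraction`) are constructed assumptions to be tuned against real fleet data.

```python
from collections import defaultdict

# Constructed sample readings: (seconds, station id, charging power in kW).
# cp1..cp4 swing together at t=60 and t=120; cp5 behaves normally.
SAMPLES = [
    (0, "cp1", 7.0), (0, "cp2", 11.0), (0, "cp3", 7.0), (0, "cp4", 11.0), (0, "cp5", 7.0),
    (60, "cp1", 22.0), (60, "cp2", 22.0), (60, "cp3", 22.0), (60, "cp4", 22.0), (60, "cp5", 7.2),
    (120, "cp1", 0.0), (120, "cp2", 0.0), (120, "cp3", 0.0), (120, "cp4", 0.0), (120, "cp5", 7.1),
    (180, "cp1", 0.0), (180, "cp2", 0.5), (180, "cp3", 0.0), (180, "cp4", 0.0), (180, "cp5", 7.0),
]


def synchronized_swings(samples, step_kw=5.0, min_fraction=0.6):
    """Return (timestamp, direction, stations, total_delta_kw) for every
    interval in which at least min_fraction of the reporting stations
    changed power by more than step_kw in the same direction."""
    by_time = defaultdict(dict)
    for ts, station, kw in samples:
        by_time[ts][station] = kw

    alerts = []
    times = sorted(by_time)
    for prev, cur in zip(times, times[1:]):
        # Compare only stations that reported in both intervals.
        common = by_time[prev].keys() & by_time[cur].keys()
        if not common:
            continue
        deltas = {s: by_time[cur][s] - by_time[prev][s] for s in common}
        for direction, sign in (("up", 1), ("down", -1)):
            movers = sorted(s for s, d in deltas.items() if sign * d > step_kw)
            if len(movers) / len(common) >= min_fraction:
                total = round(sum(deltas[s] for s in movers), 1)
                alerts.append((cur, direction, movers, total))
    return alerts


def is_oscillating(alerts):
    """True when successive alerts alternate direction, meaning demand is
    being pushed up and down rather than ramping once."""
    return any(a[1] != b[1] for a, b in zip(alerts, alerts[1:]))


if __name__ == "__main__":
    found = synchronized_swings(SAMPLES)
    for ts, direction, stations, total in found:
        print(f"t={ts}s {direction} {total:+.1f} kW across {len(stations)} stations")
    print("oscillating:", is_oscillating(found))
```

A single vehicle plugging in moves one station only and stays below `min_fraction`, so ordinary arrivals and departures do not raise an alert.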

Also, attacks against electric charging stations can take different forms, such as distributed denial of service (DDoS) attacks, ransomware attacks or Advanced Persistent Threat (APT) attacks.

DDoS attacks involve flooding a server or network infrastructure with malicious request traffic, with the goal of making it unavailable. Ransomware attacks involve encrypting corporate data or charging station infrastructure and then demanding a ransom for the decryption key. APT attacks are more sophisticated, targeted attacks that can take months or even years to plan and execute.

In conclusion, attacks against electric vehicle charging stations are a real threat that requires serious consideration by manufacturers, charging station managers, and users. Implementing robust security measures, as well as educating users about security risks, are important steps in minimizing the risk of cyberattacks and ensuring the availability and security of electric vehicle charging stations. However, the bulk of the effort falls on the industry, which will need to pay close attention to cybersecurity in order to move toward threat-mitigating technology. To that end, a company can map its information system in order to set up an incident response plan and monitor that system. For future developments, integrating security into projects reduces the number of future vulnerabilities. At the end of development, or for projects already in production, regular penetration tests generally identify vulnerabilities before they lead to a disaster.

Nathan Machet
Cybersecurity consultant