Such cracks could potentially give hackers access to vehicle data or consumer credit card information, says Ken Munro, co-founder of Pen Test Partners. But perhaps the most worrying weakness for him was that, as with Concordia’s testing, his team found many devices allowed hackers to stop or start charging at will. This could leave frustrated drivers without a full battery when they need it, but it’s the cumulative impacts that could be truly devastating.
“It’s not about your charger, it’s about everyone’s charger at the same time,” he says. Many home users leave their cars connected to chargers even though they are not using power. They can, for example, plug in after work and schedule the vehicle to charge overnight when prices are lower. If a hacker were to turn thousands or even millions of chargers on or off simultaneously, he could destabilize and even bring down entire power grids.
“We have inadvertently created a weapon that nation states can use against our power grid,” Munro says. The United States glimpsed what such an attack might look like in 2021 when hackers hijacked Colonial Pipeline and cut off gas supplies nationwide. The attack ended after the company paid millions of dollars in ransom.
Munro’s main recommendation for consumers is not to connect their home chargers to the internet, which should prevent most vulnerabilities from being exploited. Most of the warranties, however, must come from the manufacturers.
“It’s the responsibility of the companies offering these services to make sure they’re secure,” says Jacob Hoffman-Andrews, senior technologist at the Electronic Frontier Foundation, a digital rights nonprofit. “To some degree, you have to trust the device you’re connecting to.”
Electrify America declined an interview request. Regarding the issues documented by Malcolm and the Kilowatts, spokesperson Octavio Navarro wrote in an email that the incidents were isolated and fixes were quickly rolled out. In a statement, the company said, “Electrify America is constantly monitoring and reinforcing measures to protect ourselves and our customers and is focused on designing stations and networks that mitigate risk.”
Pen Test Partners wrote in its findings that the companies were generally responsive in patching identified vulnerabilities, with ChargePoint and others filling the gaps in less than 24 hours (although one company created a new hole trying to correct the old one). Project EV did not respond to Pen Test Partners, but eventually implemented “strong authentication and authorization.” Experts, however, say it’s high time for the industry to move beyond this baffling approach to cybersecurity.
“Everyone knows it’s a problem and a lot of people are trying to figure out the best way to fix it,” Johnson says, adding that he’s seen progress. For example, many public charging stations have switched to more secure data transmission methods. But when it comes to a coordinated set of standards, he says, “there’s not a lot of regulation out there.”
There has been a certain tendency to change this. The bipartisan Infrastructure Act of 2021 included some $7.5 billion to expand the electric vehicle charging network across the United States, and the Biden administration has made cybersecurity part of this initiative. Last fall, the White House brought together manufacturers and policymakers to discuss a way forward to ensure that increasingly vital charging equipment for electric vehicles is properly protected.
“Our critical infrastructure needs to achieve a baseline level of security and resiliency,” says Harry Krejsa, chief strategist in the White House Office of the National Director of Cybersecurity. He also argued that enhancing EV cybersecurity is as much about building trust as it is about mitigating risk. Secure systems, he says, “give us the confidence in our next-generation digital foundations to aim higher than we otherwise might have.”