This story was co-published with Grist, a nonprofit media organization covering climate, justice, and solutions.
With his electric Kia EV6 running low on power, Sky Malcolm pulled into a bank of fast-chargers near Terre Haute, Indiana, to plug in. As his car powered up, he peeked at nearby chargers. One in particular stood out.
Instead of the businesslike welcome screen displayed on the other Electrify America units, this one featured a picture of President Biden pointing his finger, with an “I did that!” caption. It was the same meme the president’s critics started slapping on gas pumps as prices soared last year, cloned 20 times across the screen.
“It was, unfortunately, not terribly surprising,” Malcolm says of the hack, which he stumbled upon last fall. Such shenanigans are increasingly common. At the beginning of the war in Ukraine, hackers tweaked charging stations along the Moscow-Saint Petersburg motorway in Russia to greet users with anti-Putin messages. Around the same time, cyber-vandals in England programmed public chargers to broadcast pornography. Just this year, the hosts of YouTube channel The Kilowatts tweeted a video showing it was possible to take control of an Electrify America station’s operating system.
While such breaches have so far remained relatively innocuous, cybersecurity experts say the consequences would be far more severe at the hands of truly nefarious miscreants. As companies, governments, and consumers sprint to install more chargers, the risks could only grow.
In recent years, security researchers and white-hat hackers have identified sprawling vulnerabilities in internet-connected home and public charging hardware that could expose customer data, compromise Wi-Fi networks, and, in a worst-case scenario, bring down power grids. Given the dangers, everyone from device manufacturers to the Biden administration is rushing to fortify these increasingly common machines and establish security standards.
“This is a major problem,” says Jay Johnson, a cybersecurity researcher at Sandia National Laboratories. “It is potentially a very catastrophic situation for this country if we don’t get this right.”
Vulnerabilities in EV charger security aren’t hard to find. Johnson and his colleagues summarized known shortcomings in a paper published last fall in the journal Energies. They found everything from the possibility of hackers being able to track users to vulnerabilities that “may expose home and corporate [Wi-Fi] networks to a breach.” Another study, led by Concordia University and published last year in the journal Computers & Security, highlighted more than a dozen classes of “severe vulnerabilities,” including the ability to turn chargers on and off remotely, as well as deploy malware.
When British security research firm Pen Test Partners spent 18 months analyzing seven popular EV charger models, it found five had critical flaws. For instance, it identified a software bug in the popular Chargepoint network that hackers could likely exploit to obtain sensitive user information (the team stopped digging before acquiring such data). A charger sold in the UK by Project EV allowed researchers to overwrite its firmware.
Such cracks could conceivably permit hackers to access vehicle data or consumers’ credit card information, says Ken Munro, a cofounder of Pen Test Partners. But perhaps the most worrying weakness to him was that, as with the Concordia testing, his team discovered that many of the devices allowed hackers to stop or start charging at will. That could leave frustrated drivers without a full battery when they need one, but it’s the cumulative impacts that could be truly devastating.
Earlier this year, the Federal Highway Administration finalized a rule requiring states to implement “appropriate” cybersecurity strategies for chargers funded under the infrastructure law. But Johnson says the regulation omits devices installed outside that expansion, not to mention the more than 100,000 units already in place nationwide. Plus, he says, states haven’t offered much detail about what they’ll do. “If you drill down into the state plans, you’ll find that they are actually extremely light on cyber requirements,” he says. “The vast majority that I saw just say they will follow best practices.”
Just what constitutes best practice remains ill-defined. Johnson and his colleagues at Sandia published recommendations for charger manufacturers, and he noted that the National Institute of Standards and Technology is developing a framework for fast-charging that could help shape future regulation. But, ultimately, he would like to see something akin to the 2022 Protecting and Transforming Cyber Health Care Act that’s geared toward electric vehicles.
“Regulation is a way to drive the entire industry to improve their baseline security standards,” he says, pointing to recent laws in other countries as models or starting points for policymakers in the United States. Last year, for instance, the United Kingdom rolled out a host of requirements for EV chargers, such as enhanced encryption and authentication standards, tamper detection alerts, and randomized delay functionality.
The latter means that a charger must be able to turn on and off with a random time delay of up to 10 minutes. That would mitigate the impact of all the chargers in an area coming online simultaneously after a power outage or hack. “You don’t get that spike, which is great,” says Munro. “It removes the threat from the power grid.”
Johnson is optimistic that the industry is moving in the right direction, albeit more slowly than is ideal. “I can’t imagine [stricter standards] won’t happen. It’s just taking a long time,” he says. And he certainly doesn’t want to spark undue alarm, but rather apply steady pressure for improvement.
“It’s scary stuff,” he says, “but it shouldn’t be fear-mongering.”