With his Kia EV6 electric car running low on power, Sky Malcolm pulled into a bank of fast chargers near Terre Haute, Indiana, to plug in. While his car charged, he walked around and inspected the nearby chargers. One stood out in particular.
Unlike the standard welcome screen on the other Electrify America units, this one displayed a picture of President Biden pointing his finger at an “I did that!” caption. The meme, similar to the one the president’s critics began sticking on gas pumps after prices rose last year, was repeated twenty times across the screen.
“It was, unfortunately, not terribly surprising,” Malcolm said of the hack, which he discovered during the fall. This kind of incident is becoming more frequent. In the early days of the conflict in Ukraine, hackers altered chargers along the Moscow-Saint Petersburg highway in Russia to greet drivers with anti-Putin slogans. Around the same time, cybercriminals in England programmed public charging stations to show porn. This year the hosts of the YouTube channel The Kilowatts tweeted a video that demonstrated the possibility of taking control of an Electrify America station’s operating system.
Even though these incidents have been relatively harmless, cybersecurity experts say the consequences will be more severe when criminals carry out such attacks. The dangers will only increase as governments, companies, and even consumers rush to install more chargers.
Recently, security researchers and white-hat hackers have found many weaknesses in internet-connected public and home charging devices that could leak customer information, compromise Wi-Fi networks and, in a worst-case scenario, shut down power grids. Given the threat these vulnerabilities pose, everyone from device makers to the Biden administration is scrambling to strengthen these ubiquitous devices and create security standards.
“This is a major problem,” said Jay Johnson, a cybersecurity researcher at Sandia National Laboratories. “It is potentially a very catastrophic situation for this country if we don’t get this right.”
Weaknesses in the security of electric vehicle chargers aren’t hard to find. Johnson and his co-authors identified them in a study published last fall in the journal Energies. They found everything from hackers being able to track users to weaknesses that “may expose home and corporate [Wi-Fi] networks to a breach.” A different study, from Concordia University and published in 2000 in Computers & Security, highlighted more than a dozen “severe vulnerabilities,” including the ability to switch chargers off and on remotely and to deploy malware.
When British security company Pen Test Partners spent 18 months studying seven of the most popular E.V. charger models, it found critical weaknesses in five of them. For instance, it found a security flaw in the well-known ChargePoint network that hackers could use to steal sensitive user information (the team stopped looking before acquiring the data). A charger sold in the U.K. by Project E.V. let researchers overwrite the charger’s firmware.
Such flaws could let hackers access vehicle data or credit card information, said Ken Munro, a co-founder of Pen Test Partners. The most troubling finding to him, however, was that, in line with the Concordia tests, his team discovered that most devices could allow hackers to stop or start charging at any time. That could leave drivers without a fully charged battery when they need one. The cumulative effects, however, could be devastating.
“It’s not about your charger; it’s about everyone’s charger at the same time,” he added. Many homeowners leave their cars plugged into chargers even when they aren’t drawing power. For instance, they might connect their vehicle at night and schedule the car to charge overnight, when costs are lower. If hackers were to switch thousands or millions of chargers on and off at once, it could cause instability and possibly shut down entire electric grids.
“We’ve inadvertently created a weapon that nation-states can use against our power grid,” Munro said. The United States glimpsed what such an attack could look like in 2021, when hackers hijacked Colonial Pipeline and disrupted gasoline supplies throughout the nation. The episode ended when the company paid thousands of dollars in ransom.
Munro’s top advice to consumers is never to connect their home chargers to the internet, which avoids the most common weaknesses. Most of the security, though, should come from the manufacturer.
“It’s the responsibility of the companies offering these services to make sure they are secure,” said Jacob Hoffman-Andrews, senior staff technologist for the Electronic Frontier Foundation, a digital rights nonprofit. “To some degree, you have to trust the device you’re plugging into.”
Electrify America declined an interview request. Regarding the problems Malcolm and The Kilowatts documented, spokesperson Octavio Narrarro wrote via email that they were not a problem and that fixes were swiftly implemented. In a statement, the firm said, “Electrify America is constantly monitoring and reinforcing measures to protect ourselves and our customers and focusing on risk-mitigating station and network design.”
Pen Test Partners wrote in its report that businesses were generally quick to address the weaknesses it found. ChargePoint and others closed holes in less than 24 days (though one company created a new vulnerability while trying to patch an old one). Project E.V. did not respond to Pen Test Partners but eventually introduced “strong authentication and authorization.” Some experts insist that it’s time for companies to move beyond their whack-a-mole approach to security.
“Everybody knows this is an issue, and lots of people are trying to figure out how to best solve it,” Johnson said. He noted that he’s seen some improvements. For instance, many public E.V. charging stations have been upgraded to more secure methods of transmitting information. But when it comes to an agreed standard, the engineer noted, “There’s not much regulation out there.”
There’s been a little movement toward changing this. The bipartisan infrastructure law of 2021 included $7.5 billion to expand electric vehicle charging infrastructure across the U.S., and the Biden administration has made cybersecurity a part of the initiative. In October, the White House reportedly convened manufacturers and policymakers to discuss how best to ensure that increasingly crucial electric vehicle charging devices are adequately protected.
“Our critical infrastructure needs to meet a baseline level of security and resilience,” said Harry Krejsa, chief strategist at the White House Office of the National Cyber Director. He added that strengthening E.V. cybersecurity is as much about establishing trust as it is about reducing risk. Security systems, he added, “give us the confidence in our next-generation digital foundations to aim higher than we possibly could have otherwise.”
Earlier this year, the Federal Highway Administration finalized a rule that requires states to implement “appropriate” cybersecurity strategies for chargers financed under the infrastructure law. However, Johnson said the rule doesn’t cover devices that aren’t part of the expansion or the more than 100,000 chargers already installed across the country. Furthermore, he noted, states have yet to provide specifics about what they’ll be doing. “If you drill down into the state plans, you’ll find that they are extremely light on cyber requirements,” he explained. “The vast majority that I saw just say they will follow best practices.”
What constitutes best practice still needs to be clarified. Johnson and his colleagues at Sandia have published guidelines for charger makers, and he noted that the National Institute of Standards and Technology is working on a framework for fast charging that could influence future regulation. Ultimately, however, Johnson would like to see something similar to the 2022 Protecting and Transforming Cyber Health Care Act designed for electric vehicles.
“Regulation is a way to drive the entire industry to improve their baseline security standards,” said the official, pointing to recent legislation in other countries as a model or reference point for policymakers in the United States. For instance, last year, the United Kingdom rolled out various standards for electric vehicle chargers, including higher security and encryption standards, tamper-detection warnings, and random delay capabilities.
The latter means that a charger must be able to switch on and off with a random delay of up to 10 minutes. This would reduce the effect of all chargers in the same area coming back online simultaneously after a power failure or hack. “You don’t get that spike, which is great,” Munro said. “It removes the threat from the power grid.”
Johnson believes the industry is headed in the right direction, though more slowly than is ideal. “I can’t imagine [stricter standards] won’t happen. It’s simply taking a long duration,” he said. He doesn’t want to cause undue alarm, preferring instead to apply constant pressure for improvement.
“It’s scary stuff,” he said, “but it shouldn’t be fearmongering.”
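The effect of the random-delay requirement can be seen in a small simulation, added here as an illustration and not taken from the article or from the U.K. standard. It assumes 10,000 chargers drawing 7 kW each, a uniformly distributed delay of 0 to 600 seconds, and a 10-second window for measuring the load step; those figures and all function names are assumptions.

```python
import random

CHARGER_KW = 7.0      # assumed draw per charger (typical home unit)
MAX_DELAY_S = 600     # 10 minutes, the figure quoted in the article
WINDOW_S = 10         # assumed window over which the load step is measured


def start_times(n_chargers, max_delay_s, rng):
    """Second at which each charger resumes after a shared trigger at t=0."""
    if max_delay_s == 0:
        return [0] * n_chargers          # no delay: everyone reacts at once
    return [rng.randrange(0, max_delay_s) for _ in range(n_chargers)]


def worst_step_kw(times, window_s=WINDOW_S, charger_kw=CHARGER_KW):
    """Largest load increase (kW) seen within any sliding window."""
    per_second = {}
    for t in times:
        per_second[t] = per_second.get(t, 0) + 1
    horizon = max(times) + 1
    counts = [per_second.get(t, 0) for t in range(horizon)]
    running = sum(counts[:window_s])     # chargers starting in first window
    worst = running
    for t in range(window_s, horizon):   # slide the window one second at a time
        running += counts[t] - counts[t - window_s]
        worst = max(worst, running)
    return worst * charger_kw


def compare(n_chargers=10_000, seed=1):
    """Return (step without delay, step with random delay) in kW."""
    rng = random.Random(seed)            # seeded so the run is repeatable
    no_delay = worst_step_kw(start_times(n_chargers, 0, rng))
    with_delay = worst_step_kw(start_times(n_chargers, MAX_DELAY_S, rng))
    return no_delay, with_delay


if __name__ == "__main__":
    flat, spread = compare()
    print(f"no delay:     {flat / 1000:.1f} MW step within {WINDOW_S} s")
    print(f"random delay: {spread / 1000:.1f} MW step within {WINDOW_S} s")
```

The total energy delivered is unchanged; what the delay removes is the near-instant step in demand that the grid would otherwise have to absorb.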