BEVs Remain a Serious Cyber-Security Risk

As battery electric vehicles join the global fleet, questions of security have increasingly been raised, particularly in relation to how vulnerable they will make the electric infrastructure that fuels the cars and, in some cases, takes power from them.
Warnings have already been sounded about the potential risks of charging, but few of these warnings were based on actual hands-on experience. Ken Munro, a founder of the cyber-security firm Pen Test Partners, and his team were among the first security specialists to investigate existing vulnerabilities in the charging process by trying to hack into it. Munro said that they looked at smart chargers after the UK government had made them mandatory for all BEVs. “That was a big step,” he said. However, it created immediate security issues because many manufacturers rushed to make their EV chargers smart.
“That’s a big ask of a business that is used to making electrical components to very quickly understand cyber-security,” he said. “You have to have expertise in mobile apps, in APIs, in cloud computing, in cellular connections and in the embedded systems to enable the smarts in the charger. It’s a big ecosystem.”
The team spent 18 months investigating the security of smart chargers produced by six different manufacturers and also reviewed the security of some public charging networks. “We discovered that a number of these manufacturers made mistakes – between them, about every mistake you could make,” Munro said. “Some were a disaster and actually dangerous, others created backdoors into your home network, so that by putting in place an EV charger you actually expose the cyber-security of your home and others created opportunities for hackers to destabilize our power grids.”
The risk was exclusively to the grid side of the charging process, rather than the vehicle – except when a breach prevented the car from charging. “There is very basic communication between the car and the charger but it’s not a conduit into the vehicle,” he explained. “I don’t think anyone has proved it yet.”
In some of the smart chargers they investigated, the company was able to take full and remote control of every charger on that manufacturer’s platform. “So, for the consumer, we could have turned all their chargers off, so they wake up there’s no charge in the car or it didn’t charge overnight,” Munro said. More worrying, he said, was that they could turn all the chargers on and off at the same time, which could result in instability in the grid, especially at peak times, such as early evening, when the grid is already under pressure.
“And if you were to turn all the chargers on and off and on and off, it would cause the grid to disconnect, so you would have power blackouts.” That is a real possibility today, when BEV market penetration is still low. “If we go to 100% EVs [on the road], it becomes really critical,” Munro warned. [Anti-war hackers turned off BEV chargers in Russia at the beginning of its war with Ukraine – Ed]
He went on to say that on some of the chargers they were able to remotely send firmware to the customer. “Firmware is the code that runs on the embedded chips,” he explained. “We could reprogram it to suit us, and at that point we could effectively make it a steppingstone into the customer’s home network.”
In some cases Munro and his team found potential vulnerabilities that suggested that the charger manufacturer’s platform was also vulnerable. “But we couldn’t go and hack the manufacturer – that wouldn’t be ethical or even legal – so we bought one or two of these chargers so we could work on our own systems. There is potential for the manufacturers to accidentally expose themselves.”
The core of the vulnerabilities they found was in the application programming interfaces (APIs), Munro explained. “The API wasn’t checking it was you who was making the request, which meant that anybody could make that request.” Happily, the manufacturers fixed the vulnerabilities when they were notified by Pen Test Partners. One company, which had brought in a charger produced by a Chinese firm, had to act quickly to ask that Chinese company to repair the technology. “And they did it within two weeks, which is great,” Munro said.
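The class of flaw Munro describes, an API that acts on a request without checking who sent it, is shown below next to a handler that does check. This is an added illustration, not code from the article, Pen Test Partners or any charger manufacturer; the charger IDs, account names and function names are all hypothetical.

```python
import secrets

# Constructed sample data: which account owns which charger.
CHARGER_OWNER = {"CHG-001": "alice", "CHG-002": "bob"}
STATE = {cid: "off" for cid in CHARGER_OWNER}
SESSIONS = {}  # session token -> account name

def login(account):
    """Issue an unguessable session token (password checks are out of scope here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token

def set_state_unchecked(request):
    """Flawed pattern: acts on whatever charger ID arrives, never asking who is calling."""
    STATE[request["charger_id"]] = request["state"]
    return 200

def set_state_checked(request):
    """Hardened pattern: authenticate the caller, then authorize against ownership."""
    token = request.get("token")
    account = SESSIONS.get(token) if isinstance(token, str) else None
    if account is None:
        return 401  # no valid session: caller is unknown
    cid = request.get("charger_id")
    if not isinstance(cid, str) or CHARGER_OWNER.get(cid) != account:
        return 404  # same answer for "not yours" and "does not exist"
    if request.get("state") not in ("on", "off"):
        return 400  # reject anything other than the two allowed states
    STATE[cid] = request["state"]
    return 200

if __name__ == "__main__":
    alice = login("alice")
    # Alice's session may switch her own charger but not Bob's.
    print(set_state_checked({"token": alice, "charger_id": "CHG-001", "state": "on"}))
    print(set_state_checked({"token": alice, "charger_id": "CHG-002", "state": "on"}))
    print(STATE)
```

The ownership lookup runs on the server for every request, so knowing or guessing another customer's charger ID is not enough to control it.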
Asked about future vulnerabilities he and his company would look at, he said, “The most malicious way to make trouble is probably to compromise the charging company itself. They’re the administrators, they have control of everything, so in the future this is in my mind going to be one of the most likely routes of attack.” He added that manufacturers have reacted rapidly once vulnerabilities were brought to their attention and that they will become increasingly vigilant but he warned: “There’s a mistake, it gets fixed,” he said. “Increased use [leads to] more security. So, I think we’ll be okay.”