The EV Charging Port Is the Next Cybersecurity Challenge

For more than a decade now, as vehicles have become increasingly connected, automotive cybersecurity has been a topic of greater concern. This is especially true given the danger inherent in multiton vehicles running down the road at speeds that can reach upwards of 100 mph in some areas. Over time the number of potential attack surfaces has grown, and as we make the transition to EVs, the charge port has become the latest potential entry point for bad actors.

For more than a century, fueling hasn’t been a major area of concern for drivers apart from periodic spikes in price. Certainly, there can be some contamination of fuel from mishandling, age, or vandalism. Misfueling by putting gasoline into a diesel vehicle can occasionally happen as well. But the result of these mishaps is generally just that the engine stops running, often quickly.

Cybersecurity is a whole new challenge. Multiple researchers over the past decade have demonstrated the ability to remotely take control of a vehicle through a wireless or wired connection. At security conferences like Black Hat and DEF CON, we’ve seen researchers use CDs and USB drives to inject malware into a vehicle. Relay attacks between a vehicle and a key fob have been used to steal vehicles, and the cellular data connection that is now ubiquitous on new vehicles has been used to send commands to brakes, steering, and powertrain.

While liquid fuel itself can cause damage to a vehicle, there is no communication between the vehicle and a fuel pump—just a sensor in the nozzle that detects the filler being full to switch off the flow. But an EV charger is in constant communication with the vehicle it is connected to. When first plugged in, the vehicle and charger must authenticate each other for billing purposes, and then they exchange information about how fast each side can accept or provide a charge. The vehicle also provides information about its battery state of charge. This is all necessary to prevent overcharging the battery, which can cause permanent damage or even a fire.

Right up until the driver unplugs and drives away, there is an open channel of communication. The chargers themselves are connected to cloud systems that manage billing, diagnostics, and notifications to drivers that their vehicles are finished charging. As we have seen so often in recent years, these backend systems can often be the easiest pathway for a data breach. If you haven’t already, you might want to enter your email address into the Have I Been Pwned website to see how many companies have lost control of your personal information through data breaches.

While bad actors can certainly steal your data from charging network operators, the real safety risk is the potential for malware to be injected into a single vehicle in a targeted attack, or into an entire fleet. This could potentially be used as a Trojan horse to open security vulnerabilities from inside vehicles, steal more data, or initiate something like a ransomware attack that disables potentially millions of vehicles.

Automakers and suppliers have come to understand their responsibility for designing vehicles for cybersecurity and resilience since those early attacks, and in late 2015 a group of OEMs formed the Automotive Information Sharing and Analysis Center. But securing the vehicle is insufficient; every aspect of the ecosystem needs to be secured, including the rapidly growing charging infrastructure network. Charging operators must do their part to mitigate the risks associated with this necessary activity.