Modern Wheels Coupled with Outdated Infrastructure: EVs Facing Increasing Cybersecurity Vulnerabilities

While Electric Vehicle (EV) adoption is rapidly increasing worldwide, a connected environment, complex Electronic Control Units (ECUs), charging stations, and multiple vehicle entry points provide abundant opportunities for malicious actors to infiltrate the EV ecosystem. In a recent memo, Managed Security Service Provider (MSSP) SecurityHQ exposed how a common EV home charger using the Simple Network Management Protocol (SNMPv1) could provide a point of entry for even unsophisticated hackers. The protocol allows the threat actor to carry out Denial of Service (DoS) attacks or deploy the protocol to gain access to an EV vehicle, potentially modifying the operation of the compromised EV.

SecurityHQ’s warning of the charging vulnerability is not the only recently exposed EV weakness. February witnessed a massive hack against EV charging infrastructure, leading to an entire nation’s charging stations being taken offline. The incident happened earlier in the month in the Baltic European country of Lithuania where Russia-linked hacking group Killnet claimed responsibility for an attack that left 20,000 EV drivers without the means to charge their cars, and exposed sensitive driver information. Lithuania’s car charging service provider Ignitis ON said it does not store payment or bank information on its systems, but customer authentication tokens, names, emails and even license plates information were stolen as a result of the breach. The company declared its Operational Technology (OT) infrastructure was secure, but acknowledged that it suspects that hackers “have gained unauthorized access to the data of our EV charging service system, which operates in the cloud, and have taken the information of around 20,000 customers.”   

While EVs themselves deploy complicated tech and high-tech software, some corners of the EV ecosystem surprisingly include outdated technology that could pose threats to the entirety of the EV habitat, including threats to newer EV technologies in cars. A case in point is some of the protocols deployed by chargers that go back to the 1980s, such as the SNMPv1 protocol that may be deployed to gain unauthorized access to devices that are on an EV network. Version 1 of the protocol is especially vulnerable to unauthorized access, as it cannot authenticate and encrypt payloads, making it insecure for deployments in environments where security is a top priority. As a result, an outdated protocol in the charging infrastructure could potentially threaten advanced EVs that deploy modern components, or disrupt services related to these vehicles, such as the shutdown of charging stations. The expansion of market competition in the EV landscape means that vendors plagued by cybersecurity incidents could suffer severe reputational damage and lose customers to gasoline cars or to competitors that prioritize their security features.

The evolving landscape of threats against the EV ecosystem means that stakeholders need to prioritize cybersecurity measures that treat all aspects of the ecosystem as equally important to avoid security lapses. Service providers to EV customers need to first identify outdated infrastructure and vulnerable protocols to then upgrade them to newer and more secure technologies or versions, such as deploying SNMPv3 instead of older versions. Organizations in the EV ecosystem such as parts manufacturers, charging station operators, and EV software developers need to implement encryption mechanisms, access control best practices, and regular security audits to maintain a proactive security posture, rather than solely reacting to emerging threats.

In addition, EV stakeholders need to proactively engage with ethical hackers, or implement bug bounty programs where organizations pay individuals who report security bugs or other vulnerabilities before ill-intentioned hackers become aware of them. Charging station vulnerabilities are especially important to address as they become increasingly integrated into unified networks and deploy cloud infrastructure to communicate with both the grid and the vehicles. Connected home EV chargers are also a concern because they use less secure home Wi-Fi connections and could provide an attack vector into the user’s sensitive data. Ultimately, EV vendors need to design an incident respond plan that outlines clear strategies to contain damages, and provide a recovery roadmap, in case a breach happens.