EV chargers fail to heed security alarms

Public and domestic chargers are vulnerable to hackers, potentially putting both customer details and electricity grids at risk

Chargepoint public chargers were found to have security flaws when tested by Pen Test Partners

EV charger manufacturers may have become complacent. The US is now looking to follow in the footsteps of countries on the other side of the Atlantic, such as the UK, in legislating to try to shake off any torpor.

Despite numerous warnings from cybersecurity experts about their vulnerability, there has yet to be a major hacking incident involving chargers. There have been plenty of pranks though.

In June of this year, EV owner Sky Malcolm discovered public chargers in Terre Haute, Indiana, that had been hacked so that their display screens featured an image of President Joe Biden saying “I did that”, rendering them inoperable. A year earlier, on the Isle of Wight in the UK, public chargers were hacked to show pornography on their screens, to the dismay of local residents.

And the lack of any more serious incident thus far does not mean chargers are not susceptible to much more damaging attacks. UK cybersecurity company Pen Test Partners has demonstrated numerous security flaws in both domestic and public chargers that would allow nefarious actors to steal user details and charging activity, as well as turn the chargers on and off.

More seriously, the firm found it was possible to turn all the chargers in a network on and off simultaneously, causing untold damage to the grid as it tried to deal with surges of demand. The issues that Pen Test Partners was able to uncover were limited by how far they were able to penetrate the devices without falling foul of laws that draw a line between penetration testing and illegal hacking.

While its original research was carried out in 2021, there has been little in the way of improvement, according to Ken Munro, a consultant at Pen Test Partners who took part in the charger test.

“The issues continue,” he tells EV inFocus. “One of the chargers has gone backwards in terms of cyber security since. Others have addressed the issues we found.”

The UK introduced regulations in 2021, which came into force in June 2022, aimed at protecting charging networks and local grids from cyber threats, with requirements such as a tamper detection mechanism and enhanced encryption and authentication standards. To minimise the risks associated with a mass hack of devices, new EV chargers must have a random delay of up to 10 minutes at the start or end of a power interruption, reducing potential damage to grid infrastructure.
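The effect of that randomised delay can be shown with a short simulation, added here as an illustration and not taken from the regulations or from Pen Test Partners' research. The fleet size, the 7 kW per-charger draw and the function names are assumptions.

```python
import random
from collections import Counter

MAX_DELAY_S = 600   # "up to 10 minutes", as described in the article
CHARGER_KW = 7.0    # assumed per-charger draw (constructed value)


def resume_times(n_chargers, max_delay_s, rng):
    """Second after power returns at which each charger resumes charging."""
    if max_delay_s == 0:
        return [0] * n_chargers          # every unit switches on together
    # Each unit picks its own delay. A real charger should draw this from a
    # per-device entropy source (e.g. secrets.randbelow) so that units cannot
    # end up sharing a seed and picking the same value.
    return [rng.randint(0, max_delay_s) for _ in range(n_chargers)]


def peak_step_kw(times, window_s=1):
    """Largest load increase (kW) the grid sees in any window_s-second window."""
    per_second = Counter(times)
    best = 0
    for start in range(max(times) + 1):
        in_window = sum(per_second.get(t, 0)
                        for t in range(start, start + window_s))
        best = max(best, in_window)
    return best * CHARGER_KW


def compare(n_chargers=1000, seed=1):
    """Compare the load step with and without the randomised delay."""
    rng = random.Random(seed)  # seeded only so the illustration is repeatable
    no_delay = resume_times(n_chargers, 0, rng)
    delayed = resume_times(n_chargers, MAX_DELAY_S, rng)
    return {
        "no_delay_peak_kw": peak_step_kw(no_delay),
        "delayed_peak_kw_1s": peak_step_kw(delayed, 1),
        "delayed_peak_kw_60s": peak_step_kw(delayed, 60),
        "final_load_kw": len(delayed) * CHARGER_KW,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.0f} kW")
```

The total load that eventually returns is the same in both cases; the delay only spreads the ramp so the grid never sees the whole fleet switch in a single instant.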

The Biden administration has this week introduced draft guidelines for EV charging networks. The National Institute of Standards and Technology (NIST) has called for companies building public charging networks to secure digital payment systems on the stations with encryption, firewalls and antivirus software, among other recommendations. It will be collecting comments from the public until 28 August.

Enforcement needed

“The 2021 UK regulations are good,” says Munro. “The NIST guidelines are good too. Cyber security of charge points is not hugely difficult, so long as one builds security in early in the design lifecycle of the charger. Retrofitting security to a weaker design can be hard and expensive.”

There was a rush to bring products to market in recent years so manufacturers could get first-mover advantage, but many of them were not experienced in smart-device security so have been found wanting in that regard, Munro warns.

“Regulators took a long while to catch up, both with creating the regulations and enforcing them,” he says. “Matters should now improve, though it has taken rather too long in my opinion.”


Insider Focus LTD (Company #14789403)