Computing Applications

Do EV Charging Stations Open the Power Grid to Attack?

Electric vehicle charging stations at a Walmart store.
An international team of penetration testers found that Internet-connected EV Charging Station Management Systems that track and manage charging stations at drive-in sites were prone to a swathe of remote cyberattacks, some of them critical.

Forget about range anxiety, the fear you'll drive your electric vehicle (EV) too far to make it back home before running out of power. Another concern rearing its ugly head to drivers of electric cars now is the digital security of the charging stations where they may replenish their batteries when away from home.

Vulnerabilities in the complex software used to control charging stations, it turns out, could allow attackers to mount debilitating hacks on power grids, disrupting electrical supplies, or even taking them down completely.  

An international team of penetration testers reverse-engineered the way software at the mobile, Web, and embedded firmware levels is used to control commercial EV charging stations. The pentesters (penetration testers) found that Internet-connected EV Charging Station Management Systems (EVCSMS) that track and manage charging stations at drive-in sites were prone to a swathe of remote cyberattacks, some of them critical.

In addition to putting the power grid's stability at risk, some of the susceptibilities they identified could allow attackers to gain complete control of charging stations, letting them configure the systems as they wished—perhaps letting compatriots charge their EVs for free, or allowing them to claim illicit refunds. Some were also capable of being used as platforms from which distributed denial of service (DDoS) attacks could be mounted.

The research team published its findings in the January 2022 edition of peer-reviewed  journal Computers & Security, at a time when EV charging station networks are fast proliferating globally to service the switch from hybrid and gasoline cars to EVs, as governments the world over pursue net-zero carbon dioxide emissions by 2050.

In the U.S., for instance, the Biden administration introduced plans as part of the bipartisan Infrastructure Law passed by Congress in November 2021 to encourage American states to roll out no less than 500,000 new EV charging stations coast-to-coast by 2030, with $5 billion in seed funding available to help make it all happen.

Tony Nasr, a cybersecurity engineer at the Concordia Institute for Information Systems Engineering in Montreal, Canada, wondered what such massive growth in this specialized form of Internet-based infrastructure would mean for urban security, especially since the charger networks are fed by critical infrastructure we all depend on: the power grid.  

"Given the exponential growth in the number of EVs, and the resulting increase in the numbers of deployed EV charging stations, there is the utmost need to examine the cybersecurity of charging stations and their networks," Nasr says. 

So, alongside his Concordia colleagues Sadegh Torabi and Chadi Assi, plus Elias Bou-Harb at the University of Texas at San Antonio and Claude Fachka at the University of Dubai in the United Arab Emirates, Nasr set about finding out more about the risks. However, as EV charging stations are based on a blizzard of commercial products developed by a variety of international vendors, how could they even begin to assess their security?

Their answer was to harness "dorking"—a precision form of Websearch—to find functional details on the mobile app and Web-based components of some 15 EVCSMS applications, used to manage the charging devices, plus the embedded firmware, the charging stations they are installed in, and their networking capabilities. 

Dorking involves using an advanced set of Google search parameters in queries, a step or two above the terms most of us use in our day-to-day Googling. For instance, some of the search parameters dorkers use include "intext:" to find keywords in, say, html files; "filetype:" to shift between document types; image formats and executables, say, and "inurl:" to find keywords embedded in Web addresses. All these can be focused on a single Website using the "site:" parameter.

Using this technique, the research team built automated Web-crawling routines that they ran across EV charging station makers' Websites, successfully surfacing key data relating to 16 of the most commonly used EV charging systems, with five of them turning up deep detail on the way their EVCSMS code worked, too.

This might sound an intrusive procedure, but Nasr says all they found was openly posted data. "These techniques do not affect or interact in any way with the product developer's or vendor's systems, but rather rely on openly available resources and search engines to gather the corresponding firmware and applications," he says.

With all the information and firmware the researchers retrieved, they were able to reverse-engineer how each charging station works, and from that, were able to make a good stab at deducing the kinds of attacks against these systems that might succeed. Their results were far from encouraging for a technology that's supposedly at the forefront of battling climate change: they found 13 classes of severe vulnerability in need of patching, including:

  • privilege escalation giving attackers "full control over all EVCSMS functionalities";
  • password change capabilities, allowing user account hijack and takeover;
  • broad manipulation of billing and refund functions;
  • recruitment of compromised charging stations into a botnet that can mount DDoS attacks, and
  • manipulation of the charge/discharge cycle of connected EVs to destabilize the power grid frequency to such an extent that protective relays would cut in, causing outages.

"Our findings demonstrate that the EV charging ecosystem suffers from critical vulnerabilities" at a "fundamental" level, the research team reported. Since then, they have contacted the charging system vendors at issue and suggested ways to mitigate the issues they uncovered. The team was heartened to find some of the vendors were open to patching the vulnerabilities in their systems that the research had identified.

For instance, one EV charging systems vendor, Schneider Electric of Germany, acknowledged the team's findings and immediately reserved 12 Common Vulnerability and Exposure (CVE) numbers to assign when they are ready to publicly release patches via the U.S. Department of Homeland Security's ICS-CERT alerting service.

While Nasr and his colleagues say such acknowledgement is promising as EV networks proliferate, more clearly needs to be done to encourage charger makers to develop secure technology.

The reason? This is not the first time EV charging systems have been found to be a threat to critical infrastructure.

Last summer, engineers at commercial security firm Pentest Partners in Buckingham, U.K., studied European home-based charging devices and one charging station, and found that some of the high-power devices can be hacked and remotely forced to repeatedly turn on and off in concert with each other. "Our concern is about switching large numbers of chargers on and off concurrently bringing instability to the power grid," says PenTest founder Ken Munro.

However, following the publication of the research, Munro says, "The U.K. government has introduced new requirements for chargers: a random time delay is introduced before charging starts, mitigating the effects of hacking large numbers of chargers.

Munro notes another encouraging sign: that bipartisan Infrastructure Law Congress passed late last year requires any organization receiving grant money to build some of the 500,000 EV charging stations President Biden wants up and running by 2030 must "protect personal privacy and ensure cybersecurity".

It is such enshrining of the need to put security first in legislation—rather than leaving it to the market—that will make a difference in securing the burgeoning EV charger sector, says Louise Shea, lead cyber and intelligence architect at Lockheed Martin in Gloucester, U.K.

Stressing that this is her view and not her employer's, Shea, a former cybercrime investigator with London's Metropolitan Police, says a strong legal frame of reference is the only answer. "Governments need to wield a big stick here. And the best way to do that is in the form of far more rigorous regulation and legislation."


Paul Marks is a technology journalist, writer, and editor based in London, U.K.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More