Security Weaknesses Exposed in EV Systems

Posted by Isla Sibanda

Cyberattacks are becoming difficult to predict and prevent as hackers become increasingly creative with the systems they target. Malware and spyware on a computer are just a few methods of attack, but cybercrime extends beyond the boundaries of a computer.

Cybercrime also affects systems in the physical world. New security weaknesses have been discovered in several electric vehicle charging systems, with broad consequences. So, how can hackers use electric vehicle charging systems for cybercrime, and what are ways to protect against these attacks?

System Weaknesses Revealed

New security vulnerabilities have been uncovered in multiple electric vehicle charging systems, which can lead to denial of service and remote theft of both data and energy. SaiFlow, based in Israel, released these findings, which reveal possible dangers inherent in electric vehicle charging systems.

The current version of the Open Charge Point Protocol, or OCPP, is OCPP 2.0.1. These system weaknesses have been identified in OCPP version 1.6J, a version of the protocol that relies on WebSockets to channel communication between Charging Station Management System (CSMS) providers and individual electric vehicle charging stations.

According to analysts, there is a lack of clarity regarding how a CSMS is meant to accept new connections from an EV charge point. When an active connection is already established between the CSMS and an individual EV charging station, there is an open weak spot that hijackers can easily recognize, interrupt, and exploit.

Multiple Modes of Attack

There are several modes of attack through which cybercriminals can utilize electric vehicle charging systems, resulting in a range of consequences. Intrinsic flaws in the EV communication system’s security result in vulnerabilities that enterprising hackers can easily exploit.

Denial-of-Service Attacks

A denial-of-service attack involves a hacker hijacking one system to target another system so they can remotely disable it. In the case of EV systems, a hacker can hijack a valid EV charger and create a false connection with its CSMS provider while the charger is already connected. Once the hacker has established this connection, they can remotely shut down the entire charging station. They can then create a false connection so that when a valid new connection is established, the provider denies service.

Identity Theft

Once a hacker has falsified a connection with the CSMS provider, this false connection can grant the hacker access to sensitive personal information.

When a new connection is established, information flows through the hacker’s false connection rather than the original one, leaving sensitive details vulnerable to the hacker’s prying eyes. This can include the electric vehicle owner’s name, address, credit card details, and other credentials. In this way, hackers can utilize EV systems to remotely enact identity theft on unsuspecting drivers.
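The duplicate-connection weakness described under System Weaknesses Revealed, and the denial-of-service scenario that follows from it, come down to how a CSMS treats a second connection that claims an identity already in use. The Python sketch below is an added example, not code from SaiFlow, the OCPP specification, or any CSMS product; it shows one possible policy in which every connection must authenticate and an unauthenticated newcomer never displaces the live session. The class name, credential store, and session handles are hypothetical.

```python
import hashlib
import hmac

# Constructed credential store: charge point ID -> SHA-256 of its secret.
# Hypothetical values; a real CSMS would use its own provisioning database.
CREDENTIALS = {
    "CP-0001": hashlib.sha256(b"constructed-secret-1").hexdigest(),
}


class ConnectionRegistry:
    """Tracks at most one authoritative session per charge point ID."""

    def __init__(self, credentials):
        self._credentials = credentials
        self._sessions = {}   # charge point ID -> session handle
        self.events = []      # audit trail for detection and alerting

    def _authenticated(self, cp_id, secret):
        expected = self._credentials.get(cp_id)
        if expected is None:
            return False
        offered = hashlib.sha256(secret).hexdigest()
        # Constant-time comparison avoids leaking how much matched.
        return hmac.compare_digest(expected, offered)

    def connect(self, cp_id, secret, session):
        """Return True if the new session is accepted."""
        if not self._authenticated(cp_id, secret):
            # An unauthenticated newcomer never disturbs the live session.
            self.events.append(("rejected", cp_id, session))
            return False
        previous = self._sessions.get(cp_id)
        if previous is not None:
            # Authenticated reconnect: retire the old session explicitly so
            # messages are never routed to two sockets for one identity.
            self.events.append(("replaced", cp_id, previous))
        self._sessions[cp_id] = session
        self.events.append(("accepted", cp_id, session))
        return True

    def route(self, cp_id):
        """Session that CSMS messages for cp_id are delivered to."""
        return self._sessions.get(cp_id)
```

The `events` list is what a monitoring pipeline would watch: repeated `rejected` entries for an ID with a live session indicate attempts to take over that charger's connection.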

How to Protect against EV System Weaknesses

With environmental awareness on everyone’s minds, electric vehicles are becoming increasingly popular. According to recent statistics, 71% of Canadians are considering an electric vehicle for their next auto purchase, and 36% of Americans are seriously considering the same. With such a boost in sales, it is important that electric vehicle owners have security in mind to protect themselves from any potential exploitation of system weaknesses.

As with most cybercrime attacks, identity theft is one of the most common causes of a breach. Access to sensitive data provides a compelling reason for hackers to target electric vehicle system weaknesses and can give bad actors a direct route into bank details and even home addresses.

Learning how to protect against this type of remote attack is key. Luckily, there are proactive steps users can take to shore up security. First, use a VPN for the vehicle to hide the IP address associated with it. This will help protect all online activity related to a connected car, such as updating vehicle software.

Users should also use a SaaS service for a vehicle’s Wi-Fi needs to browse online content safely. The software will filter search content and help protect against malware and scams.

Before connecting a smartphone or other mobile devices to a car, make sure they are all properly secured as well. Ensure all passwords on the devices are strong and unique, and enable multi-factor authentication and digital signatures where possible.

Finally, make sure to have a bank account with FDIC insurance so that a victim will be paid back everything in an account up to $250,000 in case of a default or security breach.

Final Thoughts

As electric vehicles continue to rise in popularity, manufacturers will need to be vigilant about any potential security weaknesses in the communications systems. They must prioritize security to protect EV owners from power and identity theft.

It may take some time for the latest EV communications system security technology to reach the mass markets, however. In the meantime, electric vehicle owners can take proactive steps like using VPNs and reputable SaaS providers to ensure that both their financial assets and personal details are protected from any potentially prying eyes.


Isla Sibanda

Freelance Writer,

Mobile & IoT Security


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
