Two vulnerabilities in a commonly used networking protocol for electric vehicle chargers could allow hackers to remotely shut down charging stations or manipulate docking stations to recharge for free, according to a report from cybersecurity firm Saiflow.
“Essentially, if a hacker exploits these two vulnerabilities, he can create a denial of service which would mean disrupting or disconnecting a single charger or at scale they can execute distributed denial of service which would mean taking down and disconnecting all chargers connected to that network,” said Ron Tiberg-Shachar, CEO of Saiflow, which sells cybersecurity services to the EV charger market.
A fix for the vulnerabilities is available, but Tiberg-Shachar pointed out that the burgeoning EV industry has been slow to deploy the update. The discovery of the flaws and the market’s uneven response suggests cybersecurity could be a growing concern as Washington has made building infrastructure for electric cars a priority. The 2021 bipartisan infrastructure law gave states $7.5 billion over five years to install electric vehicle charging stations. Last September, the administration launched an initiative to build out charging networks along 75,000 miles of interstate highways.
Those EV chargers are connected to a management system platform, usually on the cloud, that allows operators to track the infrastructure stability, energy management, EV charge requests and handles billing. Most chargers use the open charge point protocol (OCPP) — a popular open-source communication standard — to communicate between electric vehicle charging stations and management systems.
Using the OCPP protocol with the embedded vulnerability, a hacker can imitate and hijack a connection between the charger and the management platform. With that access, a hacker can shut down that group of chargers that use OCPP, whether those are installed in a private home or at a highway gas station. They can also use other identifiers to steal energy from those chargers. Even more, the vulnerability gives some access to the surrounding components, said Tiberg-Shachar.
Those related systems could include “battery management systems, like energy management systems, like smart meters that are connected and in some cases, the distributed energy resources, components that are connected to these networks,” he said.
The vulnerabilities affect OCPP 1.6J but there are additional layers of security in an extension or by using one of the latest versions with proper implementations, said Tiberg-Shachar. However, newer versions are not commonly used on the market just yet, he warned. He said that their company is working with some of the major EV charger players to mitigate the risks.
In October, the Biden administration held a cybersecurity forum on electric vehicles and charging infrastructure with electric vehicle industry stakeholders. And many states are dedicating resources to cybersecurity as well and require cybersecurity to be included in the requirements for the EV charger highway grant program.
However, cybersecurity concerns around electric vehicle supply equipment, or EVSE, such as chargers has been an issue for longer than that. A 2019 symposium on EVSE’s held by the National Institute of Standards and Technology noted that EVSE’s “ties together two critical sectors — transportation and energy (specifically, the electric grid) that have never been connected electronically before.”
“This creates the potential for attacks that could have significant impacts in terms of money, business disruptions, and human safety,” NIST wrote.
Vulnerabilities in vehicles generally are becoming increasingly common as researchers begin to focus on the increasingly digitized. Recently, researchers discovered multiple vulnerabilities in some of the biggest auto manufacturers that would have allowed hackers to control potentially millions of vehicles.