By John Jeffay, NoCamels
Multi-million dollar ransomware attacks could paralyze operators’ entire networks
Hackers have a new target in their sights – charging stations for electric vehicles (EV).
Gangs of cyber-criminals are always looking for opportunities to exploit new technology and EV charging stations, like any device with an internet or mobile connection, are vulnerable.
They have already been successful with a number of relatively low-level attacks. In the days after Ukraine was invaded, a collective of hackers disabled EV charging stations on the 450-mile highway between Moscow and St Petersburg. They posted “Glory to Ukraine” and “Death to the Enemy” on their screens.
In November 2021, a vulnerability in the app of a UK domestic car charging provider revealed the full names, addresses, and charge history of thousands of consumers. More than 140,000 users were put at risk, potentially allowing hackers to identify their common charging locations.
And in July of that year, researchers found security flaws that allowed them to remotely switch the chargers on and off, remove the owner’s access, and lock or unlock the charging cable. They also said hackers would be able to steal the vehicle owner’s identity, stop the owner from charging their vehicle, then charge their own vehicle for free.
These cases highlight the risks to individual drivers, but the bigger danger is a full-scale ransomware attack, in which a large, public network of charging stations is disabled, and operators face demands for millions of dollars to have it restored.
Disabling entire networks would cause havoc. But hackers can do even more harm. The charging station connects to the electricity grid, so once they’ve slipped in through the back door, our power supply is in jeopardy.
And the chargers also “speak” to the vehicles they’re charging, which means the hackers could technically take control of your car.
“The first risk is denial of service, which means you cannot charge your car,” says Yoav Levy, CEO of Upstream Security, a startup based in Herzliya, Israel, which already secures connected vehicles from cyber attacks and is now providing software protection to keep EV charging stations safe.
“The second risk is that your EV is talking to the charging station exchanging messages on how much charging time and how much battery is left. That could be an entry point, actually to hack into the vehicle.
“The last one is the grid. Somebody could give a command to the whole fleet of charging stations to start charging, creating fake demand from the grid, that it can’t supply, and it shuts down.”
There are currently around 2 million public charging stations globally and many more private ones. The numbers will rise exponentially in the coming years as car manufacturers phase out fossil fuels altogether and go electric-only.
So far there are no known cases of ransomware attacks on charging stations, in which cybercriminals demand huge sums in cryptocurrency to undo the damage. But many in the industry believe it will happen.
“Someone sitting in North Korea, in Russia or China could try to remotely hack an EV charger. That could be a real risk not only to the charging station, but to the critical infrastructure of a country,” says Levy.
EV charging stations are remotely managed, which means hackers who manage to access one will probably be able to access many. Drivers also connect with their smartphone to pay for a top-up. That’s another potential entry point to the network.
Levy says Upstream is currently alone in offering a completely software-based method of protecting EV charging networks from hackers. But it’s a growth industry and he expects others to follow.
“Hackers are trying to make sure they get a good return on their investment. So if they can do something that they can replicate in many different areas, and make money, they will do it,” Levy tells NoCamels.
“They follow the money trail, so they want to know where the money is. Who is going to pay me? How much are they going to pay me? And what will the impact be if I hack your charging station?”
It’s a learning curve for the hackers, he says, who are busy figuring out how they can extort serious money from the operators. And also for his people, who need to keep one step ahead.
“We’re also exploring the dark web and deep web, mainly around forums, in the black market, where people are exchanging ideas, looking at ways to hack things,” he says.
Upstream’s technology is currently protecting some networks of EV charging stations, though for confidentiality reasons Levy won’t name names. However, he does say that home charging stations are less at risk, because ransomware attacks are likely to target big-money corporations rather than individuals.