Many electric vehicles (EVs) are vulnerable to malicious hacking attacks. This article explores key attack vectors such as remote hijacking, compromised EV chargers, and malware injections. It also highlights multiple exploits identified by security researchers and reviews crucial steps automotive manufacturers and drivers can take to protect EVs from cybercriminals.
Targeting connectivity and control systems
Wi-Fi, Bluetooth, and cellular connectivity support essential EV systems and functions, including diagnostics, telematics, infotainment, and advanced driver assistance systems (ADAS). Connectivity protocols that lack reliable security are potential entry points for cyberattacks.
By intercepting and altering authentic signals, malicious hackers can gain complete control over an EV’s controller area network (CAN), targeting regenerative braking, ADAS, and critical powertrain components (Figure 1). Such attacks could potentially cause sudden acceleration or stops, thermal runaway, and pedestrian detection errors.
Additional attack vectors include malware-infected applications and unsecured over-the-air (OTA) firmware updates. Adversaries may exploit these weaknesses to inject malicious code, modify vehicle software, and potentially alter system functionality. Hacked through signal interception or code duplication, compromised key fobs, NFC cards, and phone-as-a-key apps can also be misused to unlock EVs or tamper with crucial systems.
Moreover, cybercriminals could exploit vulnerabilities in EV infotainment systems to access vehicle functions and personal data, such as contacts, call logs, and GPS history.
Exploring EV charging station security risks
Unprotected public EV chargers are also vulnerable to physical attacks and remote network breaches. If compromised, malicious hackers can alter charge speeds, forcibly disrupt charging cycles, or rapidly switch between alternating current (ac) and direct current (dc). These actions could damage EV batteries, leading to thermal runaway and, in extreme scenarios, fires or even explosions.
Conductive chargers (Figure 2) are particularly susceptible to cyberattacks due to an absence of continuous end-to-end encryption. In contrast, wireless EV chargers incorporate robust authentication protocols, ensuring a secure connection between the battery management system (BMS) and charging station. Although residential EV chargers are generally protected from physical threats, they remain susceptible to remote attacks.
Compromised public chargers can inject malware into EV electronic systems, enabling attackers to steal sensitive data or potentially seize control of vehicles. When connected to residential chargers, infected EVs can spread malware throughout home networks, increasing the risk of device hijacking for distributed denial-of-service (DDoS) attacks. Even if an EV is free from malware, unprotected home chargers are vulnerable to common network attacks such as wardriving, man-in-the-middle, and eavesdropping.
White hat hackers highlight EV security vulnerabilities
While real-world attacks against EVs are fortunately rare, exploits developed by ethical white hat hackers in recent years highlight the critical need for more robust security in EVs and chargers.
Examples include:
- 2024: Synacktiv security researchers at the SPwn2Own Event successfully compromised a Tesla modem and entertainment system, as well as three EV charging stations. Synacktiv had previously gained access to critical Tesla subsystems in less than two minutes with a time-of-check-to-time-of-use (TOCTTOU) attack.
- 2023: Researchers at Technische Universität Berlin jailbreak Tesla’s infotainment system, unlocking paid features by voltage glitching the system’s processor and manipulating code.
- 2022: A cyber security expert exploits the TesaMate app, hacking into 25 Tesla vehicles across a dozen countries and seizing control of critical systems.
- 2021: The full names, addresses, and histories of more than 140,000 customers are inadvertently revealed by an EV charging app vulnerability, as security researchers at Pen Test Partners confirm millions of smart EV charger units are susceptible to account hijacking.
- 2020: White hat hackers at the Southwest Research Institute reverse-engineered EV charger signals and circuits, successfully disrupting charging cycles with low-cost spoofing devices.
Implementing a security-first design approach
To ensure driver and passenger safety, EV manufacturers must implement a security-first design approach spanning hardware, software (including firmware and applications), and operational protocols. Embedded firewalls, seamlessly integrated with firmware, should complement reliable, end-to-end encryption.
Similarly, vehicle-to-everything (V2E) communications and over-the-air (OTA) updates must be secured with end-to-end encryption, as well as authentication and verification protocols managed by a hardware root-of-trust.
Additionally, automotive manufacturers must rigorously test for and eliminate security vulnerabilities before their EVs hit roads and highways.
To secure communication with vehicles and the wider internet, EV charger manufacturers must implement system-wide, end-to-end encryption managed by a hardware root-of-trust. Robust authentication protocols, governed by a hardware root-of-trust, ensure only authorized vehicles and individuals access charging services and higher-level functions. Additionally, extensive field testing helps eliminate known vulnerabilities while timely firmware updates address a dynamic attack landscape.
Lastly, threat detection tools leveraging advanced artificial intelligence (AI) capabilities and sophisticated machine learning (ML) algorithms play an increasingly crucial role in detecting system-wide anomalies and identifying malicious physical activity.
Although automotive manufacturers are responsible for implementing robust, system-wide security, EV drivers must ensure they only download firmware updates and apps from trusted sources. Malicious incidents at public EV chargers or anomalous vehicle behavior should also be reported immediately. Drivers can also help prevent the spread of malware by securing residential chargers and home networks.
Summary
Many EVs are vulnerable to malicious cyberattacks, from remote hijacking and hacked EV chargers to malware injections. Although real-world attacks against EVs are rare, exploits developed by ethical white hat hackers highlight the critical need for more robust security in EVs and chargers. To ensure driver and passenger safety, EV and charger manufacturers must implement a security-first design approach spanning hardware, software (including firmware and applications), and key operational protocols.
References
- Cybersecurity Risk Analysis of Electric Vehicles Charging Stations, NLM
- Can Electric Vehicles be Hacked?, Nevada Today
- Allowing Cybercriminals to Drive Your Car: 5 Tips for Keeping Your Electric Vehicle Secure, CheckPoint
- Hacker’s Latest Target: The Electric Vehicle, Net
- Can Electric Cars be Hacked?, AAA
- Electric Vehicle Cyber Security: Are EVs Safe from Hackers?, TerraNova Security
- How to Avoid EV Charger Hacking, Solum-Group
You may also like:
Filed Under: FAQs