Will electric cars and trucks be the next playground for hackers?
Some cybersecurity experts are raising the alarm, describing disturbing scenarios of possible attacks that include vehicles careening off the road or catching fire.
Electric vehicles are packed with chips and software that control everything from their batteries and motors to cruise control and braking. They also are plugged into chargers almost daily, sending information back and forth over charging networks or the internet. And they communicate wirelessly with the companies that made them, EV dealers, cellular and home Wi-Fi networks and apps on their owners’ phones.
This combination of vast computing power and numerous online connections will present an alluring opportunity for digital malcontents, as millions of EVs are projected to roll out over the next few years, cybersecurity experts say.
“It’s a very complex ecosystem of different players and different sets of technologies. It shows how many potential doors there are for hackers,” says Benjamin Klein, an associate partner at McKinsey & Co. who specializes in cybersecurity.
The nightmare possibility: Hackers spread malicious software to thousands or millions of EVs. The attacks paralyze the cars until their owners pay a fee, in much the same way that ransomware can shut down a computer network until the hackers get money. Even worse, hackers might be able to corrupt an EV’s charging system and overload the battery, potentially igniting it, or hijack a vehicle’s acceleration and braking, leading to an accident.
“Imagine the cars start driving erratically,” says Stuart Madnick, a professor and cybersecurity expert at the Massachusetts Institute of Technology’s Sloan School of Management. “That is well within the realm of feasibility.’’
Other possibilities, experts say, include hackers taking control of charging networks and using them to steal customers’ information or even take down parts of the power grid.
So far, reported hacks have been relatively minor. Last February, after Russia’s invasion of Ukraine, chargers along a major highway in Russia were shut down and the screens began displaying pro-Ukraine slogans. In April, public chargers on the British Isle of Wight were hacked to display pornography on their screens.
But the U.S. Energy Department’s Sandia National Laboratories last year warned in a report that “there is currently no comprehensive…cybersecurity approach” in the EV or charger industries, and that cyberattacks could slow EV adoption. Biden administration officials, meanwhile, held a closed-door White House forum in October with makers of EVs, EV components and chargers to emphasize the need for stricter security controls.
Here is a closer look at some of the cybersecurity risks posed by EVs and chargers, and what could be done to minimize the vulnerabilities.
Bad actors have plenty of potential ways to introduce malicious software, or malware, into electric vehicles and plenty of ways to wreak havoc if they do.
In EVs, most of the mechanical features of internal-combustion vehicles—pistons, valves, crankshafts, carburetors, gas and water pumps—have been replaced by electronics. Chips and software control how the batteries are charged, how they transmit electricity to motors, how motors accelerate and how they return electricity to the batteries during braking, among other activities.
While an internal-combustion luxury car can have about 150 electronic control units, “that’s nothing compared to the 3,000 chips that we’re seeing in the average EV,” says Syed Ali, a partner and cybersecurity expert at consulting firm Bain & Co. An EV also uses millions more lines of computer code, he says.
Yet despite this heavy reliance on computer technology, “we’re in a very immature and early stage” in EV cybersecurity protections, Mr. Ali says.
Of particular concern are the periodic software updates that EV makers transmit to their customers’ cars wirelessly. If a hacker could insert malware into these updates, it potentially could damage hundreds of thousands of cars.
“We know it can be done,” says Jim Guinn, global cyber industry lead at consulting firm Accenture.
A 2015 demonstration involving a Jeep Cherokee provided a real-life example of how hackers could exploit security flaws in an internet-connected car. Researchers remotely broke into the electronics of the vehicle via its cellular connection and took control of its steering, accelerator and brakes by sending commands from a laptop miles away. The driver, a reporter for Wired magazine, couldn’t keep the SUV out of a ditch. The car maker subsequently recalled 1.4 million vehicles to install a software patch to fix the vulnerability.
That Jeep was a standard internal-combustion vehicle. EVs, Mr. Ali points out, offer “orders of magnitude” more targets for a cyberattack.
Accenture’s Mr. Guinn says it isn’t just the chips, communications links and constant charger hookups that make EVs susceptible to hacks. It’s also because the industry creating them is young and in a hurry.
“The rapid adoption [of EVs], the rapid testing cycles, the rapid number of units produced create opportunities for vulnerabilities not to be checked or known,” he says.
The Alliance for Automotive Innovation, the car industry’s main U.S. trade group, declined to discuss specific potential EV threats, but said in a statement that “cybersecurity is a top priority for auto makers” and that its members have “adapted well-respected cybersecurity risk-management frameworks from other contexts and industries.”
The largest EV maker, Tesla Inc., isn’t a member of the trade group and didn’t respond to a request for comment. But on its website it says it values input from cybersecurity researchers about possible vulnerabilities in its vehicles. “We will investigate legitimate reports and make every effort to quickly correct any vulnerability,” it says.
Experts predict the majority of EV charging will take place at car owners’ homes. And home chargers can come with security risks, too.
When a vehicle is attached to a 240-volt Level 2 charger, which provides faster battery refilling than the chargers that plug into standard 120-volt household outlets and often come with the vehicle, information about the car’s batteries, charge level and other data is communicated back and forth with the company that made the charger and sometimes with the electric utility. These pipelines could be a conduit for malware, experts say.
What’s more, many home chargers are linked to the owner’s Wi-Fi network and a smartphone app, or to a cellular network, offering more potential attack vectors.
In 2021, security firm Pen Test Partners examined six brands of “smart” chargers used in the U.S. and U.K., which allow EV owners to remotely monitor and manage charging. It found a number of flaws, some of which could allow hackers to hijack the devices or load potentially malicious software onto them.
Genevieve Cullen, president of the Electric Drive Transportation Association, a trade group, says EV and charger makers, utilities and affiliated industries are “working together, and with regulators, to ensure a secure and reliable electric transportation system—from power plants to vehicles to public and residential chargers.”
Public charging networks
More than 160,000 public chargers are installed at U.S. shopping centers, highway rest stops, business parks and elsewhere. The 2021 federal infrastructure act provides funding to help build 500,000 more.
Experts say the relative lack of security in the charging infrastructure makes attacks on them possible.
“Some of the EV charging networks are very insecure because they weren’t designed with security in mind,” says Mr. Guinn. “They were designed with reliability and safety in mind.”
Researchers at Concordia University in Montreal, Sandia Labs and elsewhere say malicious software could be introduced into these devices and the networks that run them in a variety of ways.
Hackers could physically tamper with the chargers—say, by plugging laptop computers or other devices containing malware into their USB ports or other access ports. They could connect to a charger remotely over its internet link and install malware. Or, they could inject malware into an EV that would transfer to the charger when the vehicle owner plugs in.
Once the software is installed on a single charger, it might be able to distribute itself throughout the entire charger network, researchers say. Then, hackers could hold the network hostage and demand a ransom payment, or even attack the electricity grid by using the network of chargers to draw more power than the local grid is capable of transmitting.
Hackers also could launch an attack in the other direction—using a charging network’s computers to infect vehicles themselves. “Any car plugging in is allowing its software to be exposed to the software that has been modified or tampered in the EV charging station,” says Mr. Ali.
With such attacks, criminals could steal the charging-account information of EV owners and use it to obtain free charging, or try to damage a car’s electrical system, among other things.
Some security standards created by industry groups are in place, such as those contained in the software that controls communications between charging networks and the central computers that manage them. But not all charging networks adhere to those standards, cybersecurity researchers say.
The Electric Vehicle Charging Association, a trade group for the public-charging-network industry, says the industry understands the importance of cybersecurity and takes it very seriously.
“The security of our electrical grids is of critical importance as we transition to electric vehicles,” the group said in a statement. With the industry innovating at such a rapid pace, “it is imperative we put cybersecurity first in the development of these innovations, like software, communications protocols and payment readers.”
What can be done?
Experts say the EV and charging industries need to come together to jointly create stronger and broader security protocols, such as those regarding computer-network firewalls and authentication of users—and follow them.
The Alliance for Automotive Innovation says it supports “a multi-stakeholder, public/private approach that outlines clear cybersecurity roles and responsibilities, including for EV charging infrastructure providers, to protect against cyber threats.”
Others say increased government oversight and regulation are needed.
Some help will come from the infrastructure law, which requires the Federal Highway Administration to implement physical and cybersecurity standards for the public chargers it funds.
In September, the National Highway Traffic Safety Administration released its own revised cybersecurity guidelines for the vehicle industry. Among them are ones aimed at preventing wireless attacks by advising car makers to “limit connections between wireless-connected ECUs [electronic control units]” and vehicle-control systems “such as braking, steering, propulsion and power management.”
But these guidelines don’t have the force of law.
Prof. Madnick says that federal law also doesn’t require companies to report ransomware payments beyond those affecting critical infrastructure. That means the extent and nature of these attacks isn’t fully known, making it harder to implement measures to limit them.
It may take a major cyberattack on the EV infrastructure before the industry and lawmakers take serious steps to help prevent them, some experts say.
“Sometimes we need a wake-up call,’’ Prof. Madnick says.