Blog by: Cameron Cisneros, Zachary Wilson, Karla Soler and Ian Yates
Research by: Felix Murray, Cameron Cisneros, Zachary Wilson,
Karla Soler, Ian Yates, Unny Menon, Richard D’souza
When we began our research into vulnerabilities of electrical vehicle (EV) charging networks, we had no idea it would introduce us to such a variety of topics. We thought that we would just be looking at how threat actors could gain entry to the charging stations, maybe we would explore the possibility of stealing drivers’ identities and subsequently their finances. As we explored this world further and began comprehending how EVs are just another IoE (Internet of Everything) device, this research project took a turn.
Over the past decade or so, the U.S. has seen an immense rise in the use of electrical vehicles beginning with the Chevy Bolt in 2010. Because EVs and the chargers that come along with them are IoE devices, we need to take into consideration what kind of vulnerabilities they may be exposed to. Our research dives into these topics and goes even deeper by discussing how these vulnerabilities could further impact our electrical grid. Alarmingly, we found that if one has the skill set, it is fairly easy to hack into an EV and, say, steal it – and it is, in some cases even easier to get into the charging stations themselves due to their poorly secured configurations. For instance, we found that many charging stations are built around Raspberry Pi computers, which are extremely basic computers that can be easily hacked remotely or physically. It is very important that we take the precautions necessary to mitigate these vulnerabilities. Threat actors can exploit them in order to compromise our electrical grid, which as we all know would be detrimental to everyday life. Luckily, we didn’t just find all the problems, we also brought some ideas to the table for how we can better mitigate the known issues. A few of these include the implementation of MFA (Multi Factor Authentication) at the chargers and also ways to audit the security of both EVs and their charging platforms.
We learned that EV’s are dependent on a multitude of networks, and each one is dependent on each other to maintain security. Take for instance the charging station network, and the network of power utilities that supply electricity to them. If a threat actor could manipulate the charge rates of cars at a station, they could trip a breaker by pulling too much current as well. Additionally, what if someone could manipulate the cars hardware which itself is a network of components? This could leave people stranded, damage batteries, impact grid availability or be a vector to install malware. Additionally, there is the networked components of an EVs software. This provides crucial information such as diagnostics, location tracking and navigation, as well as tons of information on the driver. If it were to become compromised, the safety of the vehicle (and driver), personal information of the driver, and security of the manufacturer are all at risk. What would happen if a sophisticated threat actor were to launch attacks on all of them at once? Seeing as environmental concerns (and legislation to advance this agenda) will lead more and more drivers to buying EVs, we can see how a Lex Luther-like threat actor could launch an attack that would exhaust even Superman.
Now that the doomsday scenario is out of the way, we can get back to reality. Our research points out much less nightmarish vulnerabilities such as Bluejacking to unlock doors, sniffing traffic on home EV chargers, and defacement of signage at charging stations. Most of the potentially devastating attacks are currently being discovered by security researchers in the lab and not exploited in the wild. This showcases how our security culture is headed in the right direction. With enough vulnerability assessments, security research and a slow and steady EV adoption rate, we should be able to limit risks through proactive management and technological advances. Hesitation to jump into an electric vehicle for the time being is understandable given the scenarios discussed above. Paranoia aside, this system needs to be robust to be safe and profitable. The future is electric, but it’s not a race, we will get there eventually.
This is all reminiscent of the training you might receive as a Journeyman Electrician. The National Electrical Code is published by the National Fire Prevention Association. Note the emphasis on “prevention”. In the past the code was reactive to trends (such as home wiring done in aluminum to save costs). But now, for the most part, they are proactive because entities such as Underwriters Laboratories test products in a lab and find their weaknesses before they make it to market. We need to approach EVs, and all the components that support them, more like the electrical equipment they are and less like software that can be patched later (many times after the vulnerability is found and exploited). This cautious and holistic approach will give the super-people in Cybersecurity their best chance against the mad geniuses out there.
Starting 24 years of being a small business in the digital forensic investigations space is a rare activity. With many transitions happening with the different technology providers being sold, going public, or just disappearing it is rare to experience this many years...
Guest Blogger Hilary Rodela, Lead Digital Content Writer for Taction USA Collecting and extracting evidence is half the battle when it comes to seizing evidence and processing a crime scene. When you don’t have the right supplies or resources it can impede your...
Whether you plan to launch your first company soon or you are a well-established business owner, cybersecurity should mean a great deal to you. Criminals love to target small companies because they are less likely to have stringent security systems and protocols in...