EVs at risk of cyber attack while charging, new research says
By onTechnology
Electric vehicles (EVs) are at risk of cyber attacks while connected to fast-charging systems — the quickest and most common way to charge the vehicles, according to research from a team of engineers at Southwest Research Institute (SwRI).
“As the grid evolves to take on more EVs, we need to defend our critical grid infrastructure against cyberattacks while also securing payments to charge EVs,” said Vic Murray, assistant director of SwRI’s High Reliability Systems Department, in a release. “Our research found room for improvements.”
EV fast-charging systems use high-voltage technology that relies on power line communication (PLC) to transmit smart-grid data between vehicles and charging equipment, a recent press release says.
Engineers were able to exploit vulnerability in the PLC layer, it says. The team then gained access to network keys and digital addresses on the charger and the vehicle.
“Through our penetration testing, we found that the PLC layer was poorly secured and lacked encryption between the vehicle and the chargers,” Katherine Kozan, an engineer who led the project for SwRI’s High Reliability Systems Department, said in the release.
The study specifically explored vehicle-to-grid (V2G) charging technologies governed by ISO 15118 specifications for EVs and electric vehicle supply equipment (EVSE) communication.
An adversary-in-the-middle (AitM) device was built by the researchers and used with specialized software and a modified combined charging system interface. The AitM was able to eavesdrop on traffic between EVs and EVSE for data collection, the release says.
“Adding encryption to the network membership key would be an important first step in securing the V2G charging process,” said FJ Olugbodi, a SwRI engineer who contributed to the project. “With network access granted by unsecure direct access keys, the nonvolatile memory regions on PLC-enabled devices could be easily retrieved and reprogrammed. This opens the door to destructive attacks such as firmware corruption.”
The release notes that encrypting embedded systems on vehicles poses several challenges, including a safety hazard. A failure to authenticate or decrypt could interrupt a vehicle’s functionality or performance.
SwRI says it is developing a zero-trust architecture that can address these challenges.
“It connects several embedded systems using a single cybersecurity protocol,” the release says. “SwRI’s future EV cybersecurity research will test zero-trust systems for PLC and other network layers.”
The institute previously researched cyber risks to EV charging by simulating a malicious attack on a common interface used by EV charging stations in 2020.
Automotive manufacturers said cybersecurity risk is their top external obstacle in 2024, according to a Rockwell Automation report based on global survey results.
The Future of Privacy Forum also recently found that safeguarding driver privacy and data protection will be critical to ensuring widespread acceptance of new safety technology in vehicles.
“Vehicle safety systems can save lives and reduce injuries, but only if people use them,” said Adonne Washington, FPF data, mobility, and location policy counsel and author of the report. “Policymakers and auto manufacturers must consider the privacy and data protection implications for all drivers when incorporating new technology into vehicles to bolster driver trust and adoption.”
IMAGES
In the featured image SwRI research engineers, from left, FJ Olugbodi, Mark Johnson, and Katherine Kozan demonstrate an adversary-in-the-middle device they developed/SwRI.
Diagram demonstrates an SwRI-developed adversary-in-the-middle (AitM) attack and its capability to emulate both an electric vehicle and EV supply equipment (EVSE), as well as monitor their defined attributes/SwRI