The Hidden Cyber Risks of Electric Vehicles

Did you know that experts predict 125 million electric vehicles on the road by 2030? If the International Energy Agency achieves their goal, this is a conservative estimate, as the EV30@30 initiative hopes to make electric vehicles make up 30% of the cars on the road by 2030, totalling an incredible 220 million vehicles.

 

Electric vehicles are an exciting step forward in Smart Mobility, improving the quality of the air that we breathe, tackling issues such as noise pollution and greenhouse gas emissions, and working towards better energy security for the future. However, as with any new technology, especially one which controls the safety on our roads, security factors need to be considered front and center.

 

Hardware itself could cause problems for OEMs

In developing countries, jump-starting initiatives such as electric vehicles could have incredible benefits for the economy at large. By cutting down on fuel imports, and working to reduce carbon emissions – politicians gain public support, with quick wins that seem to have no downside. But is this the case?

 

Looking at a country like India, the government has pledged to have a majority of electric vehicles on the roads by 2030, despite that number being almost non-existent currently. In order for this to happen, India will need to rely heavily on foreign exports such as Chinese manufacturers. In fact, according to PwC India, electric vehicle makers are forced to import as much as 80% of an EV, from the battery itself, to the battery management system. With this reality, the opportunities are ripe for manufacturers to leave backdoor entry points for malicious intent or collecting sensitive data. Sounds unlikely? This is reportedly what 30 US organizations, including giants Apple and Amazon are dealing with.

 

Automotive Cybersecurity, Fleet Cybersecurity, Telematics Cybersecurity

 

The risks are far greater than one vehicle or even one OEM. IoT enables an infected EV to communicate with its charging station, and from there to a network of vehicles, and even the electricity grid at large. While a wide-spreading risk to IT cybersecurity could be devastating to public image as well as cost millions to fix, a similar kind of attack on automotive could have the same impact – on top of a real and catastrophic effect on human lives.  This is one reason why key stakeholders in India have asked for legislation to ensure that EVs and charging points have network segmentation technology enforced to reduce the associated risk.

 

Even with trusted hardware, charging stations are an existing risk

The public has already seen examples of attackers leveraging electronic charging stations to cause damage.  This is often done through the Near-Field Communication (NFC) card that is used to handle billing when drivers charge their EVs.  Problems include third-party providers of the ID cards themselves, who often do not secure their customer data. Researchers have shown they are able to copy these cards and use them to charge their vehicles, with the bill going to the associated account.

 

Additionally, many of the charging stations that are being used today use an out of date Open Charge Point Protocol based on HTTP, which does not encrypt data or communications. This could lead to relay or man-in-the-middle attacks where attackers leverage a seemingly legitimate signal such as WiFi. This vulnerability could also allow attackers to rewire charging requests altogether, and gain root access to the station.

 

USB ports on charging stations could also be used for malicious intent that could directly affect driver privacy. Through a simple flash drive, logs and data can be copied to the drive, giving attackers not only the data on the OCPP server itself, but also confidential information on users of the charging point, allowing attackers to copy their ID numbers or even track their location.

 

Automotive Cybersecurity, Fleet Cybersecurity, Telematics Cybersecurity

 

Staying on top of these risks means being able to see accurately from all sides

Most OEMs, Fleets and other key electric vehicle stakeholders rely on security in silos to manage this increasingly complex environment, whether in-vehicle security, or network security.  Many businesses also feel forced to trust third-party manufacturers and public provided resources, feeling like they have no other choice in the absence of information or control.

 

Automotive cloud security is different. Sitting centrally rather than at any endpoint, data is normalized and aggregated into one easy to read dashboard, collected from all relevant streams to give stakeholders a full picture of the data flows in their environment. This single source of truth makes it easy to spot threats to your network and identify anomalies ahead of time.

 

In an environment as emergent as electric vehicles, and with Black hat attacks surpassing research-based White hat attacks for the first time, many businesses simply don’t know what to look out for yet. This single pane of glass approach is the only solution that keeps you ahead of the game.