Electric vehicle charging stations are a new focus for Concordia cybersecurity researchers
If you believe recent reports, the rapid mass adoption of electric vehicles (EV) is just about upon us. Good news for the environment, good news for users, good news for the EV industry. But in this rush of demand for the vehicles and their supporting infrastructure, is it good for our security?
In a paper published in the journal Computers & Security, a Concordia-led team of researchers studied the vulnerabilities found in some of the EV charging station industry’s biggest manufacturers. They found significant weaknesses that can leave those systems open to cyberattacks, with consequences affecting users, the stations themselves and even the power grid they connect to.
The researchers at the Gina Cody School of Engineering and Computer Science’s Security Research Centre used several techniques to assess the security of 16 EV charging station management systems (EVCSMS), including system lookup and collection, reverse engineering and penetration testing techniques. They identified the leading products and discovered vulnerabilities in them by assessing their security measures, then discussed the implications of successful cyberattacks that may leverage them and simulated the impact of potential cyberattacks on the power grid.
“We are about to see an exponential rise of EVs on the road,” says Chadi Assi, a professor at the Concordia Institute for Information Systems Engineering and the paper’s supervising author. “But without a secure charging infrastructure, customers will be reluctant to commit to electric cars.”
Strong growth leaves blind spots
The researchers identified three categories of EVCSMS, namely firmware, mobile applications and web applications.
All of them, to different degrees, were vulnerable to manipulation and potential malware infection. By exploiting and manipulating them, the researchers concluded that attackers could carry out multiple types of malicious actions: they could turn the charging process ON or OFF at their command; deploy malware targeting user data privacy; control multiple charging stations and use them to engage in denial-of-service attacks against other connected devices; and with enough of them working together under the control of bad actors, could potentially be used to overload or underload the power grid and possibly sabotage its operations.
Helpfully, the researchers recommend several mitigation measures that the manufacturers could adopt to reduce risks to their products. The ease and efficiency of enacting each solution, however, depends on the complexity of the vulnerability, says the paper’s lead author, Tony Nasr (MASc 22).
“Each vulnerability has its own case and requires a proper level of sophistication to resolve,” he explains.
“Some simple mitigation efforts can be done from the user side, such as employing strong authentication passwords and firewalls. Other, more technical issues are only solvable from the developer’s side. These typically require implementing more robust security checks and mechanisms into the management system. However, these patches necessitate a careful review and longer time to apply.”
The authors say EVCSMS manufacturers are in part the victims of their own success. The vulnerability classes discussed in the paper are well-documented in the security community. However, the rapid growth in demand for this relatively new technology may have led vendors to prioritize production to keep up with the competition while investing less time and effort in security analysis and evaluation, they write.
“We have noticed that the attack surface — in this case, the number of EVs, charging stations and thus management systems — is growing,” Nasr says. “And the more this attack surface grows, the more potential there is for widescale cyberattacks to exploit and leverage them to conduct malicious activities.”
Sadegh Torabi (PhD 21) also contributed to this paper, as did Elias Bou-Harb at the University of Texas at San Antonio and Claude Fachkha at the University of Dubai.
This study received funding from the Natural Sciences and Engineering Research Council of Canada (NSERC) and the United States National Science Foundation.