EV Charger Hacking Could Imperil the Security of the Power Grid

It’s “a major problem” says one researcher, and “potentially very catastrophic.”

A man wearing shorts and a t-shirt eating a burrito walks past a white Tesla plugged in to a public charging station

Alexi Rosenfeld/Getty Images/Grist

This story was originally published by Grist and is reproduced here as part of the Climate Desk collaboration. It was co-published with Climate Desk partner Wired

With his electric Kia EV6 running low on power, Sky Malcolm pulled into a bank of fast-chargers near Terre Haute, Indiana, to plug in. As his car powered up, he peeked at nearby chargers. One in particular stood out.

Instead of the businesslike welcome screen displayed on the other Electrify America units, this one featured a picture of President Biden pointing his finger, with an “I did that!” caption. It was the same meme the president’s critics started slapping on gas pumps as prices soared last year, cloned 20 times across the screen. 

“It was, unfortunately, not terribly surprising,” Malcolm said of the hack, which he stumbled upon last fall. Such shenanigans are increasingly common. At the beginning of the war in Ukraine, hackers tweaked charging stations along the Moscow–Saint Petersburg motorway in Russia to greet users with anti-Putin messages. Around the same time, cyber vandals in England programmed public chargers to broadcast pornography. Just this year, the hosts of YouTube channel The Kilowatts tweeted a video showing it was possible to take control of an Electrify America station’s operating system. 

While such breaches have so far remained relatively innocuous, cybersecurity experts say the consequences would be far more severe at the hands of truly nefarious miscreants. As companies, governments and consumers sprint to install more chargers, the risks could only grow.

In recent years, security researchers and white-hat hackers have identified sprawling vulnerabilities in internet-connected home and public charging hardware that could expose customer data, compromise Wi-Fi networks, and, in a worst-case scenario, bring down power grids. Given the dangers, everyone from device manufacturers to the Biden administration is rushing to fortify these increasingly common machines and establish security standards.

“This is a major problem,” said Jay Johnson, a cybersecurity researcher at Sandia National Laboratories. “It is potentially a very catastrophic situation for this country if we don’t get this right.”

Chinks in EV charger security aren’t hard to find. Johnson and his colleagues summarized known shortcomings in a paper published last fall in the journal Energies. They found everything from the possibility of hackers being able to track users to vulnerabilities that “may expose home and corporate [Wi-Fi] networks to a breach.” Another study, led by Concordia University and published last year in the journal Computers & Security, highlighted more than a dozen classes of “severe vulnerabilities,” including the ability to turn chargers on and off remotely as well as deploy malware.

When British security research firm Pen Test Partners spent 18 months analyzing seven popular EV charger models, it found five had critical flaws. For instance, it identified a software bug in the popular ChargePoint network that hackers could likely exploit to obtain sensitive user information (the team stopped digging before acquiring such data). A charger sold in the UK by Project EV allowed researchers to overwrite its firmware. 

Such cracks could conceivably permit hackers to access vehicle data or consumers’ credit card information, said Ken Munro, a co-founder of Pen Test Partners. But perhaps the most worrying weakness to him was that, as with the Concordia testing, his team discovered that many of the devices allowed hackers to stop or start charging at will. That could leave frustrated drivers without a full battery when they need one, but it’s the cumulative impacts that could be truly devastating.

A white woman putting a portable charger into her car in front of her home

Cybersecurity experts say one of the best ways to ensure the security of your home EV charger is to keep it disconnected from the internet.

Paul Chinn/San Francisco Chronicle/Getty/Grist

“It’s not about your charger, it’s about everyone’s charger at the same time,” he said. Many home users leave their cars connected to chargers even if they aren’t drawing power. They might, for example, plug in after work and schedule the vehicle to charge overnight when prices are lower. If a hacker were to switch thousands, or millions, of chargers on or off simultaneously, it could destabilize and even bring down entire electricity networks.

“We’ve inadvertently created a weapon that nation-states can use against our power grid,” said Munro. The United States glimpsed what such an attack might look like in 2021 when hackers hijacked Colonial Pipeline and disrupted gasoline supplies nationwide. The attack ended once the company paid millions of dollars in ransom. 

Munro’s top recommendation for consumers is to not connect their home chargers to the internet, which should prevent the exploitation of most vulnerabilities. The bulk of safeguards, however, must come from manufacturers.

“It’s the responsibility of the companies offering these services to make sure they are secure,” said Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation, a digital rights nonprofit. “To some degree you have to trust the device you’re plugging into.”

Electrify America declined an interview request. With regard to the issues Malcolm and The Kilowatts documented, spokesperson Octavio Navarro wrote in an email that the incidents were isolated and the fixes were quickly deployed. In a statement, the company said, “Electrify America is constantly monitoring and reinforcing measures to protect ourselves and our customers and focusing on risk-mitigating station and network design.”

Pen Test Partners wrote in its findings that companies were by and large responsive to fixing the vulnerabilities it identified, with ChargePoint and others plugging gaps in less than 24 hours (though one company created a new hole while trying to patch the old one). Project EV did not respond to Pen Test Partners but did eventually implement “strong authentication and authorization.” Experts, however, argue that it’s far past time for the industry to move beyond this whack-a-mole approach to cybersecurity. 

“Everybody knows this is an issue and lots of people are trying to figure out how to best solve it,” said Johnson, adding that he has seen progress. For example, many public EV charging stations have upgraded to more secure methods of transmitting data. But as for a coordinated set of standards, he said, “there’s not much regulation out there.”

There has been some movement toward changing that. The 2021 bipartisan infrastructure law included some $7.5 billion to expand the electric vehicle charging network across the US, and the Biden administration has made cybersecurity part of that initiative. Last fall, the White House convened manufacturers and policymakers to discuss a path toward ensuring that increasingly vital electric vehicle charging hardware is properly protected.

A woman with light brown skin wearing a mask paying for EV charging

Earlier this year, the Federal Highway Administration finalized a rule that will require all states to implement cybersecurity standards for chargers installed under the 2021 infrastructure law.

Santiago Mejia/San Francisco Chronicle/Getty/Grist

“Our critical infrastructure needs to meet a baseline level of security and resilience,” said Harry Krejsa, chief strategist at the White House Office of the National Cyber Director. He also argued that bolstering EV cybersecurity is as much about building trust as it is mitigating risk. Secure systems, he said, “give us the confidence in our next-generation digital foundations to aim higher than we possibly could have otherwise.”

Earlier this year, the Federal Highway Administration finalized a rule requiring states to implement “appropriate” cybersecurity strategies for chargers funded under the infrastructure law. But Johnson says the regulation omits devices installed outside that expansion, not to mention the more than 100,000 units already in place nationwide. Plus, he said, states haven’t offered much detail about what they’ll do. “If you drill down into the state plans, you’ll find that they are actually extremely light on cyber requirements,” he said. “The vast majority that I saw just say they will follow best practices.”

Just what constitutes best practice remains ill-defined. Johnson and his colleagues at Sandia published recommendations for charger manufacturers, and he noted that the National Institute of Standards and Technology is developing a framework for fast-charging that could help shape future regulation. But, ultimately, he would like to see something akin to the 2022 Protecting and Transforming Cyber Health Care Act that’s geared toward electric vehicles.

“Regulation is a way to drive the entire industry to improve their baseline security standards,” he said, pointing to recent laws in other countries as models or starting points for policymakers in the United States. Last year, for instance, the United Kingdom rolled out a host of requirements for EV chargers, such as enhanced encryption and authentication standards, tamper detection alerts, and randomized delay functionality. 

The latter means that a charger must be able to turn on and off with a random time delay of up to 10 minutes. That would mitigate the impact of all the chargers in an area coming online simultaneously after a power outage or hack. “You don’t get that spike, which is great,” said Munro. “It removes the threat from the power grid.”

Johnson is optimistic that the industry is moving in the right direction, albeit more slowly than is ideal. “I can’t imagine [stricter standards] won’t happen. It’s just taking a long time,” he said. And he certainly doesn’t want to spark undue alarm, but rather apply steady pressure for improvement. 

“It’s scary stuff,” he said, “but it shouldn’t be fearmongering.”

More Mother Jones reporting on Climate Desk

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate