Cyberattacks at EV Charging Stations Are on the Rise
Gallery
Electric vehicles (EVs) are here to stay as an essential piece of the puzzle towards achieving carbon neutrality and limiting human effects on the environment. Based on Canadian federal government estimates, the number of EVs on the road is expected to grow from the current 480,000 to 5 million by 2030, eventually reaching 21 million in 2040. Development in the charging infrastructure is paralleling the potential growth of plug-in gas-electric hybrids (PHEVs) or battery-only vehicles on Canadian roads. This will require about 679,000 public charging ports across the country.
But before EV fans get too excited about a zero-emissions driving utopia, one trend that needs to be addressed sooner rather than later is the rise of cyberattacks at EV charging stations.
This article explores why these attacks are happening, how they can affect EV drivers, and what the industry can do to prevent this ongoing threat.
Cybersecurity Attacks Are Becoming More Common
According to a new report from Upstream, a U.S.-based automotive cybersecurity company, cyberattacks targeting automotive and smart mobility products rose 39 per cent in 2024 compared to a year earlier. This translates to 34 monthly incidents across Europe, the U.S., and China.
Although real-world attacks against individual EVs are relatively rare, they are vulnerable to malicious cyberattacks. These can range from remote hijacking and hacked EV chargers to malware injections.
While many EVs are charged at home or the office using Level 1 and 2 slow chargers, faster Level 3 chargers are typically available only at public charging stations. In Canada last year, researchers from Concordia University and Hydro-Quebec Research Institute, along with George Mason University in the U.S., simulated attacks on the power grid using EV charging systems, demonstrating the possibility and seriousness of cyberattacks and the impact on drivers connected to the power grid and causing "huge" financial losses.
Why Are Cyberattacks Happening?
Cyberattacks are on the rise mainly due to the interconnectedness of our daily digital lives. As our smartphones, homes, apps, and cars "talk" to each other, the likelihood of an attack grows. The motivation for hackers is plentiful, ranging from stealing personal information, fraud (sending EV owners to fake payment pages), and demanding ransom payments to release control of a charging system or access to vehicle data.
According to FLO, one of North America's largest EV charging networks, these cyber threats are not just a public EV charging problem. Oil and gas facilities and pipelines have also been hit with cyberattacks, raising the broader issue about the security of all our internet-connected devices. The risks to the EV charging network — including the charger-to-vehicle connection and the connection between the charger and the electrical grid — affect the chargers' functionality and, ultimately, the EV owner’s experience.
Hackers aren't only targeting EVs. The demand for drivers to be “connected” has made all modern cars vulnerable to data privacy and security issues.
The latest connected cars use many onboard electronic control modules (ECMs) for various vehicle features, like steering, climate control, infotainment, real-time traffic management for navigation, enhanced vehicle diagnostics for maintenance, and regular over-the-air (OTA) software updates and security patches. Some more advanced connected car features can include remote access to vehicle functions (like parking), entertainment streaming, and integration with smart home devices, such as garage door access, lighting, or security systems.
The cost of these new automotive connected services is that whenever your car sends data over a network, it is a potential opportunity for a hacker.
How Do Automakers Protect Their Customers from a Cyberattack?
As the availability of EVs and connected cars expands, stronger protections, particularly in EV charging networks, are needed to mitigate hackers. Mozilla found in 2023 that all 25 automotive brands it evaluated collected too much owner data, did not give drivers control over their data, and could share or sell data too widely. Another industry challenge: if an automaker admitted to being the target of a cyberattack, regulators might ask for immediate action, which could upset the launch of product timelines and require costly development, not fixes.
If automakers want to build trust with their customers so they feel confident that charging an EV or driving a connected car is safe, experts recommend a few steps they can take to protect their customers from future cyberattacks.
First, to ensure driver and passenger safety, EV manufacturers must implement a security-first design approach across the hardware, software (including firmware and applications), and operational protocols for EVs using public charging infrastructure. Next, OTA updates must also be secured. Finally, automotive manufacturers must rigorously test for and eliminate security vulnerabilities before their EVs get into the hands of drivers.
Many automakers work with charging infrastructure companies and industry groups to get around this public exposure and improve security. For instance, BMW told Automotive News Europe that “ensuring customer payment data is adequately secured for charging transactions is a shared responsibility between automakers, electric mobility service providers and charge point operators.”
How Do I Know a Cyberattack Has Hit My EV and What Should I Do?
The goal of any cyber hacker is to gain access without being detected. But if your EV displays signs of unusual behaviour, it could mean it has been attacked.
For example, your car's connected features (such as navigation and entertainment systems) could be accessed or altered without your permission. Other indicators may include changes to your vehicle's connected account passwords, being locked out of your account, or receiving unusual emails or messages from your car's connected accounts. Suppose your vehicle's lights are turning on or off randomly, the radio is malfunctioning, or if your car locks or unlocks unexpectedly, these could be signs that a hacker is gaining access to your car's online systems.
A cyberattack on your EV could also compromise its performance and driving capabilities. Sudden acceleration or braking, if your car won't start, or the engine won't run, could also be signs of unauthorized access to connected features.
If you suspect a cyberattack, first contact your car manufacturer or a reputable automotive technician to report the problems. Then, check your vehicle's security settings and ensure that they are up to date and properly configured. You could also change the passwords for any connected accounts associated with your vehicle, and it would be wise to check on banking or credit cards associated with your car to see if there are any unauthorized or suspicious transactions. Finally, be cautious about using third-party software or devices in your car's connected systems.
