The vast IoT world presents new solutions every day that span various sectors. Among these is certainly the automotive sector, which is investing huge resources to offer the market increasingly effective solutions. Driven by the need to protect the environment and combat climate change, the automotive industry is increasingly focusing on the development of electric mobility. This brings substantial transformations, especially in terms of energy supply. Refueling itself changes, with more and more points being created for recharging vehicles.
Electric mobility: risks and advice on charging stations
According to the quarterly report of the Motus-e association, at the end of March 2023 Italy had reached 41,173 charging points for electric cars, 22,107 charging columns and 15,262 locations. While these numbers are the sign of a thriving and promising sector, they also raise concerns on the IT security front. Every connected object, every endpoint of the IoT ecosystem, is a door into the system for cybercriminals.
The biggest risks
Having control of a charging station means being able to hack the user’s account and, from there, to enter the app with which the user manages the charging of the vehicle. And it doesn’t stop there. Having access to the app means being on the user’s smartphone and being able to access all of its data. The hypothesis that the user could become the victim of ransomware, and be asked for a ransom to regain access to the device and its contents, is by no means remote.
However, it is not only the individual user who is at risk. The other device that can be hacked through the charging station is the car itself. This leaves open the possibility of attacks on an EV manufacturer’s entire fleet, with massive damage. Of course, we must not forget the risk borne by the energy company that guarantees the supply, which can end up with entire supply points blocked by ransomware and a potentially million-dollar ransom request.
An attacker can carry out various criminal actions from a charging station:
- charging power theft, resulting in unauthorized free use of the service;
- manipulation of payment systems;
- interruption of the operation of the charging station;
- violation of the vehicle’s digital system, with possible damage to some crucial components (among others, the batteries).
Cyber attacks: charging stations are an easy target
The management of electric car charging infrastructure generates a major cybersecurity problem. An external attack on a charging station can become a tool to hit multiple victims: the individual user, the service management company, the car manufacturer itself, up to the system as a whole, since the station represents an access point to the entire electricity grid.
The dangers associated with the charging system
Payment for charging is a transaction that takes place within an integrated payment-collection system. The preliminary step is identifying the user at the charging station through an ID token, which often consists of an NFC (Near-Field Communication) card associated with a bank account. Payments are usually handled by a specific protocol, the Open Charge Point Protocol (OCPP), which regulates communications between the integrated system and the charging point. The request to the system to identify the user starts here; the system accepts it and communicates with the charging point, which is then ready to provide the service.
Much less remote is the risk related to OCPP, the standard protocol for charging stations. It is an open protocol, particularly exposed to Man-in-the-Middle (MitM) attacks, during which the attacker places himself in the middle of the communication between two entities, in this case the charging station and the integrated system, to intercept the data flow. The danger is therefore clear for the data of the user, who through the NFC card enters the coordinates of his bank account at the charging station.
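To make the exposure concrete, the following added example (not part of the original article) shows what the identification exchange described above looks like on the wire and how an operator can check an inventory of stations for links that leave it readable. It assumes the OCPP 1.6 JSON message framing; the frames, station names, host names and inventory format are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: OCPP 1.6 JSON frames as sent over the WebSocket link.
# CALL = [2, uniqueId, action, payload]; CALLRESULT = [3, uniqueId, payload]
SAMPLE_FRAMES = [
    '[2, "1001", "Authorize", {"idTag": "04A1B2C3D4"}]',
    '[3, "1001", {"idTagInfo": {"status": "Accepted"}}]',
    '[2, "1002", "Heartbeat", {}]',
    '[3, "1002", {"currentTime": "2023-03-31T10:00:00Z"}]',
]

# Constructed sample inventory (hypothetical names): station -> central system URL
SAMPLE_ENDPOINTS = {
    "station-A": "ws://csms.example.invalid/ocpp/station-A",
    "station-B": "wss://csms.example.invalid/ocpp/station-B",
    "station-C": "ws://operator:secret@csms.example.invalid/ocpp/station-C",
}


def exposed_id_tokens(frames):
    """Pair each Authorize CALL with its CALLRESULT and return the
    (idTag, status) pairs readable by anyone on an unencrypted path."""
    pending, seen = {}, []
    for raw in frames:
        msg = json.loads(raw)
        if msg[0] == 2 and msg[2] == "Authorize":
            pending[msg[1]] = msg[3].get("idTag")
        elif msg[0] == 3 and msg[1] in pending:
            status = msg[2].get("idTagInfo", {}).get("status")
            seen.append((pending.pop(msg[1]), status))
    return seen


def audit_endpoints(endpoints):
    """Return {station: [issues]} for links that a MitM could read or alter."""
    findings = {}
    for station, url in endpoints.items():
        parts, issues = urlsplit(url), []
        if parts.scheme != "wss":
            issues.append("plaintext transport")
        if parts.password:
            issues.append("credentials embedded in URL")
        if issues:
            findings[station] = issues
    return findings


if __name__ == "__main__":
    print(exposed_id_tokens(SAMPLE_FRAMES))
    print(audit_endpoints(SAMPLE_ENDPOINTS))
```

A `wss://` scheme only helps if the station also validates the server certificate, so a clean result from this check is a starting point rather than proof that the link is protected.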
Another risk that should not be underestimated concerns the possible presence of USB ports on the charging stations. In this case it becomes possible to connect a removable storage device and copy the configuration and access data onto it; these give access to the ID and password for the OCPP server and, possibly, also to the users’ NFC card data, which can be replicated in cloning procedures. Furthermore, the configuration and access data would allow the attacker to disable the charging station, creating obvious damage to the company that provides the service.
Tips to protect electric cars from cyber attacks
Almost always a system vulnerability is the result of human errors, which can be avoided or at least mitigated by using pure and simple logic and common sense. Here are some practical tips to protect yourself from cyber attacks:
- Charge from safe sources: give preference to home or workplace charging points. Where possible, it is advisable to use them, since they are endpoints less exposed to attacks than the stations managed by large players, which are much more attractive targets for cybercriminals.
- Dialogue with suppliers: the supply chain is, in every area, one of the favored terrains for attacks. This is why it is important that both the companies supplying the charging service and the manufacturers of electric vehicles maintain a constant dialogue with their suppliers, informing them of every aspect related to IT risks and sharing strategies and solutions for adequate protection.
- Make the safest choice: the attacker looks for vulnerabilities and will choose the target that offers the most. When choosing the energy company to charge with, it is important to do some research and opt for the one that offers the best protection standards.