In March 2022, concurrent with Tesla offering free charging of Electrical Vehicles in Ukraine, to help spur residents flee the war-ravaged country, came the announcement of EV stations in Moscow being hacked and disabled. A few years earlier in 2020, engineers stage-managed testing of cyber hacking of EV stations. (1). While it was not disclosed as to how many vehicles were affected in Moscow because of owners being unable to charge their vehicles, news reports have it that the stations needed to be disconnected from the EV grid.
Sign of the times
The rise in Automotive Hacking does not come as a surprise considering the prolific increase in the demand for and the sales of Electric Vehicles. Against the backdrop of climate change and the ambitious goals set for phasing out internal combustion engine vehicles, sales of EVs have shown a phenomenal increase. Estimates show that some 5.6 million EVs are on the road today, a jump of over 60% from 2018 when there were just 3.4 million. With China leading the world in terms of EV production in 2023 with 13 million EVs (2), the number of vehicles on the road in the US alone is estimated to jump to 25 million by 2030 (3).
Commensurate with the rise in the number of EVs, is the rise in automotive or car hijacking, primarily involving hacking of backend servers. US Cybersecurity (4) puts the figure of car hijackings of servers at 40% of all auto cybersecurity issues. Costs of these hijackings too are on the increase. US Cybersecurity says, studies show automakers could lose approximately $1.1 billion for a single attack, with the entire automotive industry estimated to collectively lose up to $24 billion before 2023. Fleet operators, Tier 1 suppliers, and car-sharing companies are expected to be worst hit.
What’s in the box
EVs comprise a:
- Lithium — ION Battery,
- a power inverter (that converts DC energy supplied by the grid/battery to AC for use by the vehicle and AC energy from ‘regenerative braking’ to DC to store in the battery for future use or for the grid),
- an on-board charger,
- the electric motor and
- the battery management system (that calculates the amount of energy that will be needed by the EV to function)
- Software defined vehicle that adopts advanced software technology
EVs use Vehicle to Grid (V2G), a smart technology (5) that effectively renders the electrical battery to be just not a tool to power the vehicle, but also a storage cell to give back to the grid unutilized power, as and when desired. Users must be connected to the grid to either ‘charge’ their vehicle or to ‘sell’ their unutilized power. The unutilized power is stored on the grid and used for various purposes.
Prime Candidates
Though arguably not envisaged (despite the testing carried out 2 years ago by engineers), there are quite a few candidates that make the case for precautions with regard to hacking of EVs.
- Commercial Charging Stations: The connection of the EV with the national grid makes EVs and the charging station prime candidates for hacking, as the recent case in Moscow has shown. Shutting down the connectivity with the grid effectively makes the charging station useless and vehicles would not be able to use the station to charge or ‘sell’ their surplus energy. Equally alarming is the identity theft at the commercial stations as a consequence of IDs being copied/stolen and subsequent data breaches. It is reported also that many commercial stations, given the still-evolving state of EVs, use unsecured security protocols (6).
- Home Charging Stations: Like commercial charging stations, home charging stations installed by individuals face the same issue as their bigger cousins. Here, hackers also stand to gain control of the Wi-Fi network and wreak all kinds of damage to the household.
- Mobile App Hacking: As with all other apps, the mobile apps used for charging and interacting with the station, are also candidates for cyber hacking. Researchers found a flaw in the Nissan Leaf companion app in 2016. Similar situations were experienced when a TESLA vehicle was being tested.
- Wi-Fi Misuse: EVs currently offer free Wi-Fi access, allowing hackers an entry point that can be misused and exploited.
- Hacking the central servers: EVs are connected to the central server which allows updates and information to be passed from the server to the vehicles. Hacking the central server would effectively obtain unrestricted control of the vehicles from a variety of standpoints.
- Key fobs: Physical misappropriation of the EVs key fob also creates a situation for identity theft and access to the vehicle’s connectivity with the station
What’s to be done
Experts say that the only way to stop the increasing rate automotive hacking is to adopt a multi-layered security approach, else automobile owners will be swamped by hackers, spawning a new kind of ransomware that targets cars. In reality, a search of the internet now reveals more information on how to hijack a car/automobile than about how to negate automobile security threats.
A multi-layered security approach that adopts a high level of encryption to protect owner data, backed up by high levels of awareness and caution when plying the vehicle remains the only way to keep cyber threats at bay. The latter would include restrictive use of GPS, keeping automobile software updated, using a VPN connection and, avoiding use of public Wi-Fi hotspots.
The Road Ahead
Juan Webb, a Managing Director from Kugler Maag Cie warns, “There are many places throughout the automotive chain where attacks may happen ranging from manufacturing to dealerships to offboard servers. Wherever the weakest link exists that’s the cheapest to penetrate with the greatest financial implications, that’s where the hackers will attack.”(7)
With every subsequent year showing a doubling in the rate of automobile hacking, and the year-on-year addition of new features including driverless cars, Bluetooth technologies, keyless operations, networked vehicle, proliferation of mobile apps, etc all of which use the internet, do not augur well for automotive security. The dangers of hacking are considered even more serious as they can involve the life of a car owner, when such hacking is effected at the time of operating the vehicle. And with the automotive industry set to continue experiencing phenomenal growth, the road ahead looks bleak, unless a multi-pronged approach that includes manufacturers’ technological prudence and owner caution is practiced continually.
For more information on Aurora’s host of cybersecurity solutions that can help combat this emerging threat, contact us or email sales@aurorait.com or call +1 888 282 0696
References :
- Engineers hack electric vehicle charging to demonstrate cybersecurity vulnerabilities
- Statista : Forecasted EV production in APAC region
- Evadoption : EV Sales Forecasts
- US Cybersecuirty – Automotive Industry
- EVConnect : Vehicle to Grid Technology
- Pouted : Cyber Security Issues of Internet with Electric Vehicles (pouted.com)
- Forbes: Cybersecurity Risks: Protecting The Electric And Software-Defined Car