New Delhi: Imagine your electric vehicle’s charge running low. The vehicle’s on-board infotainment system locates a nearby charging station and navigates you there for a quick top-up. While this perfect world for electric cars, two-wheelers and commercial vehicles seems within reach, a new threat looms: compromised charging infrastructure software that could abort charging sessions.
This scenario materialised with Brokenwire, a novel attack targeting the worldwide Combined Charging System (CCS). The vulnerability could leave motorists stranded with significantly discharged batteries and disrupt commercial EV fleets. More concerning, if mounted with sufficient intensity, such attacks could destabilise a region’s power grid.
“Public EV charging stations, especially those providing fast-charging services, present potential vulnerabilities. Researchers have demonstrated attacks like Brokenwire, which uses radio signals to disrupt the charging process,” says Harish Kumar GS, head of sales, India and SAARC for Check Point Software Technologies, a cybersecurity company.
Software forms the foundation of EV charging infrastructure, managing the charging process, handling user data, processing payments and enabling remote monitoring. Like mobile phones, computers and payment systems, EV stations have become targets for cyber attacks.
This vulnerability requires urgent attention as EV sales accelerate in India and globally. Official figures from Vaahan show that through July this year, 1,075,060 electric vehicles were sold in India. E-scooters and e-bikes dominated with 634,770 units, while electric cars (56,207) and commercial vehicles comprised the remainder.
As sales momentum builds, charging infrastructure expands across homes, offices, public roads and motorways. The NITI Aayog’s e-amrit platform reports 934 active public charging stations in India, many with multiple chargers. This growth increasingly exposes India to cyber risks.
Kumar elaborates, “In another high-profile incident, hackers exploited infotainment systems to push explicit content onto charging station screens, exposing users to inappropriate material and underscoring the weak security posture of many of these systems.”
Past incidents include hackers displaying various messages: a photo of US President Joe Biden pointing at rising petrol prices captioned “I did that”, anti-Putin messages on the Moscow-St Petersburg motorway, and pornographic content on public chargers in England. The perpetrators remained unidentified.
British technology company Farnell outlines multiple potential cyber attacks on chargers. Web-based vulnerabilities via Wi-Fi, Bluetooth or wired interfaces can trigger denial of service attacks, compromise control commands and launch spoofing attacks, potentially breaching user privacy.
Exploits may target companion smartphone apps or human-machine interfaces, skimming login data when users scan QR codes to initiate charging sessions.
“These attacks may derail the entire EV infrastructure, extend to the power grid, and compromise the charging process’s safety and security. Consequently, it is essential to prioritise hardware and software security for smart charging within the broader cyber-physical system,” the company explains.
While incidents involving EV charging infrastructure have remained relatively harmless thus far, this could change. “Cybersecurity must be an integral part of the design and implementation of every component within the EV ecosystem,” says Check Point Software’s Kumar.
This necessitates adopting a comprehensive security approach from the outset, with API (application programming interface) security defining permissible software for charging infrastructure and EVs.
Cybersecurity company Irdeto now manages the V2G root Certificate Authority (CA) in North America and recently assumed control of the CharIN public key infrastructure in Europe. Both standards ensure secure authentication and authorisation of vehicles, charging stations and accompanying subscriptions.
As manufacturers and charging infrastructure companies align on security standards, users anticipate better protection against fraud and cyberattacks.