As Cyberattacks Ramp Up, Electric Vehicles Are Vulnerable


  • Cybersecurity firm Upstream (pictured above monitoring cyberattacks) said there were 295 cybersecurity incidents in the automotive and mobility space in 2023.
  • “The risk is that, unlike a data leak or a bricked phone or laptop, even a minor car hack can be hugely disruptive to people’s lives,” analyst Michael Austin said.
  • Britain’s Royal United Services Institute (RUSI) think tank said “the proliferation of EV charging stations and related devices being connected to the grid is widening the attack surface.”

As we enter the age of the software-defined automobile, especially those with electric drivetrains, we’re facing unprecedented risk from cyberattacks, say a wide coterie of experts. According to the Israel-based Upstream firm, from 2019 to 2023 disclosed cybersecurity incidents in the automotive and mobility space increased by more than 50%, with 295 such occurrences in 2023.

Some 64% of these attacks were executed by “bad hat actors” with malevolent intent, the report said. And 65% of deep and dark web cyber activities last year “had the potential to impact thousands to millions of mobility assets.”

Shira Sarid-Hausirer, vice president of marketing at Upstream, which has an office in Ann Arbor, Michigan, said attacks could potentially cost automakers millions of dollars.

“The smarter a vehicle, the more vulnerable it is,” she said. “A single incident could cause a lot of damage to an OEM. Over-the-air updates could fix the vulnerability, but that would cost millions, too. The vast majority of these assaults are from non-governmental sources, folks trying to make money. Terrorism isn’t a dominating motivation.”

Michael Austin, senior research analyst for EVs and mobility at Guidehouse Insights, said the overall cybersecurity threat underlies how automakers need to adapt as cars become more connected.

“I think they’re aware of it and design systems to mitigate the dangers, but the threat is real,” Austin said. “And the risk is that, unlike a data leak or a bricked phone or laptop, even a minor car hack can be hugely disruptive to people’s lives.”

a group of people in front of a large screen for upstream cybersecurity monitoring in ann arbor michigan


Upstream cybersecurity monitoring in Ann Arbor, Michigan.

An irony is that artificial intelligence cuts both ways when automotive cybersecurity is at issue. “AI has been an increasingly popular topic on the dark web, and the bad actors are learning from it,” said Sarid-Hausirer. “But it can also be used positively to investigate alerts and perform triage.”

For EVs, the connected charging network is a target. Last year, the National Institute of Standards and Technology (NIST) prepared a draft guidance that called on companies deploying fast chargers to secure their digital payment systems.

The government’s report said that in 2023, the US had more than 48,000 public charging stations, and they “connect and communicate with cloud providers and third-party vendors for EVSE location information, billing and other services.”

In 2021, Ukrainian hackers broke into Russia’s biggest EV charging network.

And that’s a vulnerability, along with the utilities that provide the power. The interface between the EV and the charging station via the cloud “presents a potential attack surface for malicious actors to cause damage,” NIST said.

A 2023 paper on cybersecurity risks notes that because a public charging station “is connected into the grid and takes the necessary power from it, it poses a significant threat to the reliability and safety of the power supply.”

The cyberattacks are not just theoretical. Video shows a hacker freely manipulating an Electrify America (EA). station. Octavio Navarro, a technology spokesman for EA, told Autoweek, “Electrify America is constantly monitoring and reinforcing measures to protect ourselves and our customers and focusing on risk-mitigating station and network design.

“That video is from January of 2023 and was an isolated incident resulting in unauthorized access at the charger level. Access was limited to the charger, and did not, and could not, extend to the network as such. We took immediate steps to address the situation. The access point was closed and secured immediately.”

As WardsAuto reported, in 2022 the charging network on the Isle of Wight in the UK was penetrated to the extent that the chargers’ screens displayed pornography. And in 2021, Ukrainian hackers broke into Russia’s biggest EV charging network and claimed to have stolen 900 gigabytes of data from it.

Britain’s Royal United Services Institute (RUSI) think tank, engaged in security research, said “the proliferation of EV charging stations and related devices being connected to the grid is widening the attack surface.”

person charging a ford lightning


Does EV charging represent an invitation to hackers?

It’s not all EV charging. In 2023 Ferrari said its Italian subsidiary Ferrari SPA was contacted by a threat actor with a ransom demand “related to certain client contact details.” The company said then, “As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.”

According to Automotive News Europe, “Ferrari plans to make 80% of its cars battery electric-powered by 2030. These EV offerings are likely to become even more software-dependent and Internet-connected in the coming years, possibly providing more avenues for cyberattacks.”

Sandia National Laboratories raised concerns about cyberattacks through the charging network in 2022. Its report noted that the complexity and size of charging connections raises concerns “that bad cyber actors could use insecure chargers as an unauthorized access point to abuse charging equipment, vehicles, buildings, or grid resources.

Auto-ISAC is an OEM-driven effort “to analyze intelligence about emerging cybersecurity risks.”

Each of these systems represents a set of interconnected attack vectors. EVs, for example, interface with dealerships, mobile phones, navigation, mapping, telemetry, entertainment, vehicle-based web browsers, other vehicles, driver assist systems, over-the-air software updates, and more.”

Sandia’s hands-on investigation was thorough. Multiple trap-door entry points were found, with fairly technical explanations: “The processes were running as root, and stored passwords could be cracked ‘in a reasonable amount of time’ because of weak hashing,” the report said.

These and other warnings led automakers to band together. “An attack on one is an attack on all,” said the Automotive Information Sharing and Analysis Center (Auto-ISAC). It’s a manufacturer-driven effort “to share and analyze intelligence about emerging cybersecurity risks to the vehicle, and to collectively enhance vehicle cybersecurity capabilities across the global automotive industry.”

Auto-ISAC has developed a series of best practices for automakers to deal with attacks. “Proactive cybersecurity through the detection of threats, vulnerabilities and incidents empowers automakers to mitigate associated risk and consequences,” the organization said.

“Threat detection processes raise awareness of suspicious activity, enabling proactive remediation and recovery activities.” Auto-ISAC members include BMW, Ford, GM, Honda, Hyundai/Kia, Lucid, Mercedes-Benz, Mazda, Stellantis, Toyota, Subaru, and Volvo.

Progress is being made, the group said. Faye Francy, Auto-ISAC’s executive director, told Autoweek in reference to the Upstream report, While the statistics may paint a sobering picture of increased cyberattacks, it’s crucial to recognize the proactive measures being taken by automakers to mitigate these risks.

By leveraging the collective intelligence and vigilance fostered by initiatives like the Auto-ISAC, the industry is steadfast in its commitment to safeguarding vehicles and ensuring the safety and security of consumers worldwide.”

The Alliance for Automotive Innovation, representing carmakers, said cybersecurity is a top priority, with vulnerabilities that can come in through the Internet, through wireless connectivity and charging ports.

“Because these are items outside the control of the auto industry,” the Alliance said, “we’ve been supportive of a multi-stakeholder, public/private approach to EV charging that outlines clear cybersecurity roles and responsibilities for charging operators to protect against cyber threats.”

The automakers’ group said federal agencies, state transportation agencies, and the organizations developing standards all have to be at the table to “ensure EV charging is cybersecure.”

Has your car or other personal device been successfully overtaken by hackers? Please share your experience below.

Headshot of Jim Motavalli

Jim Motavalli is an auto writer and author (nine books) who contributes to Autoweek and Barron’s Penta. He has written two books on electric cars, Forward Drive (2000) and High Voltage (2010), and hosts the Plugging In podcast.  

Motavalli’s writing has appeared in the New York Times, CBS Moneywatch, Car Talk at NPR, Forbes, US News and World Report, Sierra Magazine, Audubon, and many more. In his spare time, he reviews books and jazz.


Source link