The automobile industry is electrifying. With an expected market value of $457B in 2023, the EV (electric vehicle) market is expected to nearly double by 2027, with expected vehicle sales of 16 million per year.
To cater to the growing need for charging stations and a seamless experience for EV owners, there has been an exponential increase in EV charging station applications. There are end-user apps that locate stations, payment apps for charging car batteries, endpoint apps that help drivers monitor and manage their electricity consumption, and enterprise-level apps for managing charging station fleets and charging grids located at commercial and residential buildings.
A Matrix Of Endpoint Devices And Applications
EV charging applications are vulnerable to many cybersecurity risks. They attract a slew of malicious actors, including terrorist or criminal groups attempting to physically damage the EV charging station and the vehicle. Also, malicious hackers try to make ill-gotten profits by stealing money, electricity or personal records.
The problem is that the EV charging chain is highly susceptible to data breaches, financial losses and safety risks. And, just like any young market, it still lacks the awareness and regulations to properly protect itself.
Applications that connect to endpoint charging stations are susceptible to various types of cyber-attacks – ATOs (account takeovers), MITM (man-in-the-middle) attacks, supply chain attacks, API abuse, client- and server-side request forgeries, XSS (cross-site scripting), and many more.
Technology Comes First. Regulations Drag Behind
In contrast to the banking, financial services, travel and e-commerce industries, where regulators require applications to implement cybersecurity controls such as a WAF (web application firewall), the EV charging industry is still taking its first regulatory steps. Currently, the regulations and standards for the EV charging industry — such as ISO 15118 and SAE J3061 — only guide the security measures that EV charging companies should consider to protect their systems and customer data from cyber-attacks. In other words, no specific cybersecurity tools are mandated, and there is no enforcement to ensure that any are in use.
Common Cybersecurity Risks To EV Charging Applications
Malware and Viruses
Both malware and viruses can be introduced into an EV charging application through infected third-party services within the EV charging station supply chain, sophisticated bot attacks and injections. They can gain access through a compromised or infected end-user device, a car infotainment computer or a single, standalone outdoor charging station. All can lead to unauthorized access to the charging infrastructure, data theft or damage to the application.
Lack of Encryption
Without the proper encryption of data transmitted between the EV charging application and the charging station, user data can be intercepted and compromised.
Weak Authentication
Weak authentication mechanisms can allow unauthorized users to access the EV charging application and charging infrastructure. This leads to misuse, data theft or damage to the application.
Insecure Data Storage
EV charging applications collect and store sensitive user data, such as location data and personal data, including credit card information. Failure to properly secure this data can lead to privacy violations, identity theft and financial fraud.
Supply Chain Risks
The EV charging application supply chain is complex and involves several components and vendors. Failure to properly vet and secure these components and vendors can lead to vulnerabilities in applications and the infrastructure.
Examples of EV Charging Application Cyber-Attacks
The following are examples of specific cyber-attacks to which EV charging applications are more susceptible than other types of applications. These attacks are launched by abusing API connections, exploiting known vulnerabilities in the application, or going through third-party platforms. In some of these attacks the perpetrators use sophisticated, human-like bots that, among other capabilities, can get through CAPTCHAs.
Rogue EV Charging Stations
EV charging stations can be hacked or tampered with to steal user data or damage vehicles. This can be done by modifying the firmware or by physically connecting a device to the charging station. Once a rogue charging station is connected to the network, it can be used to launch additional attacks.
Billing Fraud
EV charging applications typically include billing and payment processing. Malicious actors exploit vulnerabilities in the billing process to commit fraud, for example by launching bots that create fake charging sessions or charge excessive fees to unsuspecting users.
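As an added illustration of how the fake-session and excessive-fee abuse described above can be surfaced from billing records (this is example code written for this page, not Radware's code or any product's logic): the session records, the record format and the thresholds MAX_SESSIONS_PER_WINDOW, WINDOW and MAX_CENTS_PER_KWH are all constructed assumptions. The audit flags accounts that open an implausible number of sessions in a short window (scripted session creation) and sessions whose fee cannot be explained by the energy delivered.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of charging-session records (not real data), one per
# line: "timestamp,account,station,kwh_delivered,fee_cents".
SAMPLE_SESSIONS = """\
2024-03-01T08:00:00,acct-101,station-7,12.4,496
2024-03-01T08:00:05,acct-777,station-3,0.0,1500
2024-03-01T08:00:09,acct-777,station-3,0.0,1500
2024-03-01T08:00:14,acct-777,station-3,0.0,1500
2024-03-01T08:00:19,acct-777,station-3,0.0,1500
2024-03-01T08:00:24,acct-777,station-3,0.0,1500
2024-03-01T08:00:30,acct-777,station-3,0.0,1500
2024-03-01T09:15:00,acct-205,station-9,30.2,1208
2024-03-01T09:40:00,acct-101,station-7,8.1,324
"""

MAX_SESSIONS_PER_WINDOW = 5      # hypothetical policy: more than this is a burst
WINDOW = timedelta(minutes=10)   # hypothetical burst window
MAX_CENTS_PER_KWH = 100          # hypothetical price ceiling (1 USD per kWh)


def parse_sessions(text):
    """Parse the CSV-style records into dicts with typed fields."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, station, kwh, fee = line.split(",")
        sessions.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "station": station,
            "kwh": float(kwh),
            "fee_cents": int(fee),
        })
    return sessions


def find_burst_accounts(sessions):
    """Accounts that opened more than MAX_SESSIONS_PER_WINDOW sessions inside
    any WINDOW-long span; sliding window over each account's sorted timestamps."""
    by_account = defaultdict(list)
    for s in sorted(sessions, key=lambda s: s["ts"]):
        by_account[s["account"]].append(s["ts"])
    flagged = set()
    for account, times in by_account.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_SESSIONS_PER_WINDOW:
                flagged.add(account)
                break
    return flagged


def find_fee_anomalies(sessions):
    """Sessions whose fee is not explained by the energy delivered: a fee with
    zero kWh (phantom session) or an effective price above the ceiling."""
    anomalies = []
    for s in sessions:
        if s["fee_cents"] > 0 and s["kwh"] == 0.0:
            anomalies.append(s)
        elif s["kwh"] > 0 and s["fee_cents"] / s["kwh"] > MAX_CENTS_PER_KWH:
            anomalies.append(s)
    return anomalies


def audit(text):
    """Run both checks and return a summary suitable for an alerting pipeline."""
    sessions = parse_sessions(text)
    return {
        "burst_accounts": sorted(find_burst_accounts(sessions)),
        "fee_anomalies": len(find_fee_anomalies(sessions)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SESSIONS))
```

In practice these checks run over the billing system's own session table rather than a text file; the thresholds should be tuned per station type, since a fast DC charger legitimately produces far more sessions per hour than a residential AC point.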
Location Spoofing
Location spoofing involves tricking the EV charging application into erroneously believing the unsuspecting user is at another location. This can be used to evade location-based pricing or gain access to charging stations that are restricted to certain locations.
Denial-of-Service (DoS) Attacks
In a denial-of-service (DoS) attack, the EV charging application is overwhelmed with traffic on the underlying network, causing the application to become unavailable or unusable. DoS attacks can disrupt the charging infrastructure and/or be used to extort money from the application provider.
Injection Attacks
In an injection attack, malicious input is submitted through user input fields so that it is interpreted as part of a database query, manipulating the database and exposing sensitive data. EV charging applications that use databases to store user data or session information are vulnerable to injection attacks.
Cross-Site Scripting (XSS) Attacks
XSS attacks involve injecting malicious scripts into web pages that are viewed by other users. EV charging applications that allow user-generated content or have input fields that are not properly validated are vulnerable to XSS attacks.
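The injection and XSS sections above both come down to the same defensive rule: user input is data, never code. The following added example (written for this page, not Radware's code) shows a vulnerable account lookup beside its parameterized form, and an HTML row renderer that output-encodes the account name. The in-memory sqlite3 table, the account names and the HTML layout are constructed assumptions.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table of charging sessions for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (id INTEGER PRIMARY KEY, account TEXT, kwh REAL)"
    )
    conn.executemany(
        "INSERT INTO sessions (account, kwh) VALUES (?, ?)",
        [("alice", 12.4), ("bob", 30.2), ("carol", 8.1)],
    )
    return conn


def sessions_for_account_vulnerable(conn, account):
    """Vulnerable: the account string is spliced into the SQL text, so a
    value containing a quote changes the query's structure."""
    sql = f"SELECT account, kwh FROM sessions WHERE account = '{account}'"
    return conn.execute(sql).fetchall()


def sessions_for_account_safe(conn, account):
    """Hardened: parameterized query; the value is bound as data and is
    never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT account, kwh FROM sessions WHERE account = ?", (account,)
    ).fetchall()


def render_session_row_vulnerable(account, kwh):
    """Vulnerable: attacker-controlled text lands in the page as markup."""
    return f"<tr><td>{account}</td><td>{kwh:.1f}</td></tr>"


def render_session_row(account, kwh):
    """Hardened: HTML output encoding turns <, >, &, quotes into entities,
    so a stored name such as <script>...</script> is displayed, not run."""
    return f"<tr><td>{html.escape(account)}</td><td>{kwh:.1f}</td></tr>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # classic structure-changing input
    print("vulnerable:", sessions_for_account_vulnerable(db, probe))  # every row
    print("safe:      ", sessions_for_account_safe(db, probe))        # no rows
    print(render_session_row("<script>alert(1)</script>", 1.0))
```

Output encoding must match the context the value lands in: html.escape is right for element text and attribute values, but a value placed inside a script block or a URL needs the encoding of that context instead.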
Cross-Site Request Forgery (CSRF) Attacks
CSRF attacks involve tricking users into unknowingly performing actions on behalf of an attacker. For example, this could mean submitting a form or transferring funds. EV charging applications relying on cookies or session tokens to authenticate users are vulnerable to CSRF attacks.
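The standard remedy for the cookie-only authentication described above is a per-session anti-forgery token that the browser cannot attach automatically. The following added example (written for this page, not Radware's code) mints a token bound to the session id with an HMAC and verifies it on state-changing requests, alongside an Origin header check. SERVER_SECRET, ALLOWED_ORIGINS, the session ids and the token format are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key. In a real deployment it comes from a secret
# store and is rotated; it is generated at import time here only for the demo.
SERVER_SECRET = secrets.token_bytes(32)

# Hypothetical origin of the charging application's own pages.
ALLOWED_ORIGINS = {"https://charge.example"}


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Mint a token bound to this session: nonce.HMAC(secret, session_id:nonce).
    Embed it in forms as a hidden field; it is deliberately not a cookie."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, secret=SERVER_SECRET):
    """True only if the token was minted for exactly this session id.
    A token stolen from another session, or forged without the key, fails."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)   # constant-time comparison


def authorize_state_change(session_id, form_token, origin_header):
    """Gate for a state-changing request (start a session, change the payment
    method): the session cookie alone is not enough. The request must also
    carry a valid token and, when the browser sends Origin, come from our site."""
    if origin_header is not None and origin_header not in ALLOWED_ORIGINS:
        return False
    return verify_csrf_token(session_id, form_token)


if __name__ == "__main__":
    token = issue_csrf_token("sess-1")
    print(authorize_state_change("sess-1", token, "https://charge.example"))  # True
    print(authorize_state_change("sess-1", token, "https://other.example"))   # False
```

Because the token is derived from the session id, rotating the session on login invalidates every earlier token at no storage cost; pairing this with SameSite cookies gives defence in depth for browsers that honour that attribute.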
Server-Side Request Forgery (SSRF) Attacks
An SSRF attack occurs when an attacker induces the EV charging application server to make a request on the attacker's behalf to a resource that is not supposed to be publicly accessible, such as an internal service on a different server. Because the request originates from the trusted server, this allows the attacker to bypass authentication and gain unauthorized access to sensitive information or control over the charging station.
EV Charging Application Attacks — More Vehicles Means More Attacks
To properly protect EV charging applications and infrastructure, EV charging application developers can implement several countermeasures, including input validation and sanitization, enforcing an allowlist (whitelist) of approved resources, and limiting the scope of requests the application is able to make. EV charging companies should also consider a range of cybersecurity tools and measures to protect against the various types of application cyber-attacks: WAFs, bot managers, API and DDoS protection tools, client-side protection for monitoring application supply chains, intrusion detection and prevention systems, encryption and access controls. The specific tools and measures will vary with the organization's needs and risks. EV charging companies must also take proactive measures, conducting regular security testing and vulnerability assessments to identify and remediate vulnerabilities before malicious actors exploit them.
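The "allowlist of approved resources" and "limit the scope of requests" countermeasures above are the direct answer to the SSRF section: before the server fetches a URL it did not hard-code, the URL is checked against an allowlist of hosts, schemes and ports, and the resolved addresses are checked against internal ranges. The following added example (written for this page, not Radware's code) implements that check; ALLOWED_HOSTS, ALLOWED_PORTS and the resolver injection are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this service may call, e.g. the
# charge-point management backend and the payment provider.
ALLOWED_HOSTS = {"ocpp.charge.example", "payments.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}   # None = scheme default


def default_resolver(host):
    """Resolve a hostname to the set of IP addresses it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """Reject loopback, private, link-local, multicast and other non-global
    ranges so an allowlisted name cannot be pointed at internal services."""
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop an IPv6 zone id if present
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=default_resolver):
    """Return None if the URL may be fetched, otherwise the reason it is refused.
    The resolver is injectable so the check can be unit-tested offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return "credentials in URL"
    host = parts.hostname
    if not host:
        return "no host"
    if host not in ALLOWED_HOSTS:
        return "host not on allowlist"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port not in ALLOWED_PORTS:
        return "port not allowed"
    try:
        addresses = resolver(host)
    except OSError:
        return "unresolvable host"
    for addr in addresses:
        if not is_public_address(addr):
            return f"resolves to non-public address {addr}"
    return None


if __name__ == "__main__":
    # Constructed resolver standing in for DNS so the demo runs offline.
    fake_dns = lambda host: {"93.184.216.34"}
    for candidate in ("https://ocpp.charge.example/boot",
                      "http://ocpp.charge.example/boot",
                      "https://192.0.2.1/admin",
                      "https://ocpp.charge.example:8443/"):
        print(candidate, "->", validate_outbound_url(candidate, resolver=fake_dns))
```

Two caveats a practitioner would add: the address verified here must be the one the HTTP client actually connects to (resolve once and connect to that address, or pin it in the client), otherwise a name that changes between check and use defeats the check; and any redirect the target returns must go through the same validation before it is followed.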
Your Next Best Step
Regardless of the type of attack your organization needs protection against, the cybersecurity professionals at Radware have been there, done that. We have years of empirical experience developing some of the leading application protection solutions in the market and keeping organizations of all sizes and from an array of industries protected against cyber threats. We can do the same for your organization. You can reach us here. We’d love to hear from you.