As more people adopt electric vehicles (EVs), the threat of potential cybersecurity incidents looms large. Due to its inherent reliance on software and connectivity, the EV ecosystem may well be the next playground for hackers. Recent white-hat and malicious hacking attacks underscore the need for a robust security framework for off-road and on-road infrastructure.
Understanding EV Vulnerabilities
The last few years have seen an uptick in the frequency and severity of automotive cyberattacks. Since 2021, the number of publicly disclosed cybersecurity incidents has risen steadily, with 295 occurrences recorded in 2023. Recent statistics show 50% of these events have had a high or massive impact, meaning the attacks affected millions of mobility assets.
Understanding the factors that enabled these incidents is essential to deploying adequate mitigation measures. Cyber risks facing electric vehicles often come from susceptibilities woven into the fabric of EV systems that dedicated hackers can exploit to establish unauthorized access. Examples include:
- On-board diagnostics (OBD-II) port exploitation: The OBD monitors engine performance and other essential systems, automatically reporting issues when detected. Hackers can take advantage of its real-time monitoring and external communications features to manipulate vehicle data or control systems.
- Bluetooth and Wi-Fi attacks: An EV’s infotainment system presents a major gateway for cyberattacks. In 2023, white-hat hackers at the Pwn2Own hacking conference took less than two minutes to gain access to a Tesla Model 3’s critical systems through its Bluetooth.
- Key fob spoofing: System vulnerabilities can allow threat actors to intercept, clone or amplify the signal between the EV and the fob. A common attack involves jamming the signal to prevent the owner from locking their vehicle, exposing it to theft.
- Sensor input manipulation: Hackers can tamper with the input being fed to EV perception systems — such as cameras and LiDAR sensors — providing false data to trick owners.
- Malicious software updates: Seasoned cybercriminals can exploit vulnerabilities in the software update process to inject malware into the vehicle’s firmware.
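For the key fob item in the list above, the usual defence against a cloned or re-sent signal is a rolling code: each button press carries a counter plus a keyed tag, and the vehicle accepts only counters ahead of the last one it saw. The sketch below is an added example, not code from any manufacturer; the frame layout, the 16-press window and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead: missed button presses the car tolerates

def fob_message(key: bytes, counter: int) -> bytes:
    """Fob side: 4-byte big-endian counter followed by an 8-byte HMAC tag."""
    ctr = struct.pack(">I", counter)
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]

class Receiver:
    """Vehicle side: remembers the highest counter it has accepted."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter

    def accept(self, msg: bytes) -> bool:
        if len(msg) != 12:
            return False  # malformed frame
        ctr, tag = msg[:4], msg[4:]
        expected = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted tag
        counter = struct.unpack(">I", ctr)[0]
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # already-used code, or implausibly far ahead
        self.last_counter = counter
        return True

def demo() -> dict:
    key = bytes(range(16))  # constructed sample key, not a real fob secret
    car = Receiver(key)
    press1 = fob_message(key, 1)
    press2 = fob_message(key, 2)
    forged = press2[:4] + bytes(8)  # right counter, wrong tag
    return {
        "first_press": car.accept(press1),
        "replay_of_first": car.accept(press1),
        "forged_tag": car.accept(forged),
        "second_press": car.accept(press2),
        "far_ahead": car.accept(fob_message(key, 500)),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

A counter check of this kind only rejects codes the vehicle has already accepted; it does not address the amplification case in the same list item, because a relayed frame is fresh and valid.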
Phishing Attacks
These attacks involve tricking EV owners into granting vehicle access or revealing sensitive data that compromises their identities. For example, hackers can impersonate EV technicians or customer service reps and request specific information about the car.
Conversely, they can replicate automakers’ websites to capture user data from people looking to rent or purchase an EV. In other scenarios, threat actors create fake EV-related apps that, when installed, steal the owner’s login credentials and other protected information.
Charging Station Vulnerabilities
Unlike gas stations, public EV charging terminals employ an unattended self-service model, meaning these facilities may be in remote locations without physical security. With over 138,000 charging outlets nationwide, hackers have no shortage of potential attack points.
Criminals can walk to these areas to compromise the charger’s operating computers and tamper with everything from the vehicle’s battery management system to the driver’s phone and even the payment gateway. In 2023, the hosts of the YouTube channel The Kilowatts shared a video demonstrating this vulnerability by taking control of an Electrify America station’s operating system.
How Easy Is It to Hack Electric Cars?
While real-world EV cyberattacks are rare, ethical hackers have provided enough demonstrations to warrant a renewed focus on implementing more robust security in EVs and chargers. A slew of 14 successful hack attempts in Pwn2Own Automotive 2024, including command injection, stack-based buffer overflow and 3-bug chain attacks, is a clear sign that the risk landscape is evolving fast. The time it took to carry out these exploits is also a source of worry, especially since they all occurred on day one of the event.
Are EVs Still Worth Considering?
In today’s digital age, where one cyberattack occurs roughly every 39 seconds, security-conscious consumers have more than cost and environmental considerations to weigh when vehicle shopping. Despite the legitimacy of these concerns, the number of people buying EVs continues to soar. There are two main reasons for this.
First, electrifying the transport industry is a priority for the U.S. government, which continues to implement policies that favor mass adoption. Several states have already unveiled plans to phase out gas-powered cars by 2035, while tax credits and related rebates dominate the federal scene.
Secondly, EV vulnerabilities are receiving the attention required from policymakers and manufacturers to mitigate damage. For example, the Department of Energy allocated $5 million to address cybersecurity issues in EV charging infrastructure in 2023. This funding is for projects that will provide industry-scale innovative solutions.
EV manufacturers are implementing a security-first design approach that spans hardware, firmware, and operational protocols. This includes end-to-end encryption for vehicle-to-everything and over-the-air communications. Advanced threat detection tools leveraging AI and machine learning algorithms are increasingly crucial in enhancing automotive cybersecurity resilience. For these reasons, plus the fact that they’re generally better for the planet’s sustainability, EVs are still worth considering.
Drive Safer EVs
Electric vehicles are vulnerable to malicious cyberattacks that can impact operations and expose their owners’ personal information. Addressing these risks requires a combined effort by policymakers and manufacturers to enhance security measures and mitigate exposure. EVs represent the next generation of road transport, and the threat of cybersecurity events will not stop their march.