Steve Rogerson talks with Andy Davis from NCC about cyber-security problems with electric vehicle chargers.

To achieve the penetration of electric vehicles that governments and car makers want, the speed at which the charging infrastructure is rolled out needs to increase, and by quite a bit. There has to be more public and more at-home charge points so drivers feel comfortable they will reach their destination without running out of fuel.

The problem with such a speedy rollout though is corners could be cut and cause problems not just with safety but also security. We have already seen in Russia EV charging stations being hacked and political slogans appearing on the screen. While insulting Russian president Vladimir Putin may put a smile on some faces, it does show that these stations are vulnerable to more serious attacks, such as hackers gaining access to people’s personal details including credit-card information or even a mischievous hacker turning off all the EV charging stations to enjoy the chaos that would cause.

I was chatting this week with Andy Davis, head of the transport practice at cyber-security company NCC Group , about this very problem and whether this was a real risk or just scaremongering. His views were worrying.

He said while this had not turned into a problem yet, there were cyber-security issues that needed addressing. There are, after all, lots of communications going on, between the car and the charging point, between the charging point and the infrastructure, between the charging point and the credit-card company and so on. Even with at-home chargers, there is a possible route into smart-home systems.

“Malicious actors could get access to bank details,” said Andy.

And don’t forget the amount of general data cars can contain these days. A recent report highlighted the information being collected by Toyota cars, for example.

This data gathering could catch the eye of criminals but it could also be used for targeted adverts at the charge points themselves, something with which not everybody will be comfortable.

“There is the prospect of the charge point provider doing some ecommerce or adverts beyond just charging,” said Andy.

This kind of data harvesting and connectivity potentially opens up the charging points to danger. Researchers have shown that charging points can be hacked, with at-home chargers often being more vulnerable than public ones, but even they are not safe.

“One scenario is putting some malicious software on a charging point and, when the EVs connect, it could infect them with a virus or malware,” said Andy. “This type of watering-hole attack is theoretical at this point but has worked with standard PCs, so could possibly work with the computer in a charging point.”

This danger increases as more charging points are installed. At the moment, most are in fairly public places such as supermarket car parks and petrol station forecourts where it could be hard for a hacker to spend the time needed to implant the software. But the call is for these charging points to be installed in more out-of-the-way places.

“Here you need the basic stuff,” said Andy. “CCTV cameras could point at the charge point as happens with ATMs. There can be tamper alarms. The software could be written to spot anomalies.”

However, these charge points are connected to the internet or a private network and that means hackers can get in without physical access.

“The type of network they are connected to will determine how vulnerable they are to attack,” said Andy.

Another problem is genuine consumers accessing the charge points. How do you identify yourself to a charger?

“We have seen some malicious actors exploiting charge points,” said Andy. “In one example, the charge points were attached to lampposts and a QR code was on the post for users to download the app. But in London there was a case of people sticking a different QR code on top of the existing one and sending people to a fake web site. Consumers like QR codes because they are easy to use, and people trust them. There needs to be some education to stop people just pointing their phones at QR codes. They should check where they are being sent. Better still, go the app store and download from there.”

On the good side, the manufacturers of charging points are aware of all these problems and the high competition in the market should put pressure on these companies to get the cyber security right. For example, Andy said there were around sixty different charging networks just in the UK.

“It is very competitive, and vulnerable networks won’t last long in a crowded market,” he said.

Let us hope he is right. There are enough problems convincing many consumers to move to electric vehicles anyway without a serious loss of confidence in the security of charging points.