EV Charging Station Applications – a Growing Cyber Security Risk
The automobile industry is electrifying. With an expected market cap of $457B in 2023, the EV (electric vehicle) market is expected to nearly double by 2027, with vehicle sales forecast at 16 million per year.
To meet the growing need for charging stations and a seamless experience for EV owners, the number of EV charging station applications has grown rapidly. There are end-user apps that locate stations, payment apps for paying to charge the car's battery, endpoint apps that help drivers monitor and manage their electricity consumption, and enterprise-level apps for managing charging station fleets and the charging grids at commercial and residential buildings.
A Matrix Of Endpoint Devices And Applications
EV charging applications are exposed to many cybersecurity risks. They attract a slew of malicious actors, including terrorist or criminal groups attempting to physically damage the charging station and the vehicle, as well as financially motivated hackers seeking ill-gotten profits by stealing money, electricity or personal records.
The problem is that the EV charging chain is highly susceptible to data breaches, financial losses and safety risks. And, like any young market, it still lacks the awareness and regulation needed to protect itself.
Applications that connect to endpoint charging stations are susceptible to account takeover (ATO), location spoofing, identity spoofing, man-in-the-middle and supply chain attacks, API abuse, server-side request forgery and more.
Technology Comes First. Regulations Lag Behind
In contrast to the banking, financial services, travel and e-commerce industries, where regulators require applications to implement cybersecurity controls such as a WAF (web application firewall), the EV charging industry is still taking its first regulatory steps. The current standards for the industry, such as ISO 15118 and SAE J3061, only guide the security measures that EV charging companies should consider to protect their systems and customer data from cyber attacks. In other words, there are no mandates placed on them and no enforcement to ensure that specific cybersecurity controls are in use.
Common CyberSecurity Risks To EV Charging Applications
Malware and Viruses
Malware and viruses can enter an EV charging application through compromised third-party services in the charging station supply chain, sophisticated bot attacks and code injection. The entry point may be a compromised or infected end-user device, a car's infotainment computer or a single standalone outdoor charging station. Any of these can lead to unauthorized access to the charging infrastructure, data theft or damage to the application.
Lack of Encryption
Without proper encryption of the data transmitted between the EV charging application and the charging station, user data can be intercepted, read and modified in transit.
Insecure APIs
EV charging applications rely on many internal and external API services for processing payments, locating charging stations, communicating between devices, account and balance management, and more. Failure to enforce security policies that validate and sanitize the input to these APIs leaves the door open to bot attacks, injection of malicious code, unauthorized access to sensitive information and even tampering with the charging station's functionality.
Weak Authentication
Weak authentication mechanisms allow unauthorized users to access the EV charging application and the charging infrastructure, leading to misuse, data theft or damage to the application.
Insecure Data Storage
EV charging applications collect and store sensitive user data, such as location data and personal data, including credit card information. Failure to properly secure this data can lead to privacy violations, identity theft and financial fraud.
Supply Chain Risks
The EV charging application supply chain is complex and involves several components and vendors. Failure to properly vet and secure these components and vendors can introduce vulnerabilities into the applications and the infrastructure.
Examples of EV Charging Application Cyber Attacks
The following are examples of specific cyber attacks to which EV charging applications are more susceptible than other types of applications. These attacks are launched through the abuse of API connections, the exploitation of known vulnerabilities in the application, or via third-party platforms. In some of these attacks the perpetrators use sophisticated, human-like bots that, among other capabilities, can get through CAPTCHAs.
Rogue EV Charging Stations
EV charging stations can be hacked or tampered with to steal user data or damage vehicles, either by modifying the station's firmware or by physically connecting a device to the station. Once a rogue charging station is on the network, it can be used as a foothold to launch further attacks.
Billing Fraud
EV charging applications typically include billing and payment processing. Malicious actors exploit vulnerabilities in the billing process to commit fraud, for example by launching bots that create fake charging sessions or charge excessive fees to unsuspecting users.
Formjacking and Data Leakage
Hackers may use vulnerabilities in third-party JavaScript services embedded in the EV charging app to carry out formjacking attacks, injecting malicious code into the application's payment form so that credit card numbers or other sensitive data entered by users are sent to the attacker. Data leakage can also occur when sensitive user data (credit card information, names, addresses or phone numbers) is exposed through vulnerabilities in third-party service code.
Location Spoofing
Location spoofing tricks the EV charging application into believing the user is somewhere other than where they actually are. It can be used to evade location-based pricing or to gain access to charging stations that are restricted to certain locations. Because the position reported by the client app is under the attacker's control, the server has to cross-check it against facts it knows independently, such as where the charger being used is physically installed and where the same account was seen last.
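The following is an added example, not code from the original article or from Radware, of the kind of server-side plausibility check described above. It assumes a hypothetical station registry and a hypothetical session-start record; the station IDs and timestamps are constructed for illustration (the coordinates are those of Berlin and Paris). Two checks run: the client-reported position must be within a short distance of the charger it claims to be using, and the account must not have "travelled" impossibly fast since its previous session. The second check deliberately uses the registered station coordinates rather than anything the client sent.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class Station:
    station_id: str
    lat: float
    lon: float


@dataclass
class SessionStart:
    user_id: str
    station_id: str
    reported_lat: float   # position claimed by the client app (untrusted)
    reported_lon: float
    started_at: datetime


# Constructed station registry (hypothetical IDs, real city coordinates).
STATIONS = {
    "ST-1": Station("ST-1", 52.5200, 13.4050),  # Berlin
    "ST-2": Station("ST-2", 48.8566, 2.3522),   # Paris
}

MAX_STATION_DISTANCE_KM = 0.5     # GPS error plus the size of a parking lot
MAX_PLAUSIBLE_SPEED_KMH = 200.0   # faster than this between two sessions is not a car trip


def check_session(start: SessionStart, previous: Optional[SessionStart]) -> List[str]:
    """Return the reasons a session start looks spoofed; an empty list means it is plausible."""
    station = STATIONS.get(start.station_id)
    if station is None:
        return ["unknown station"]
    reasons = []
    # Check 1: the client-reported position must be at the charger it claims to use.
    d = haversine_km(start.reported_lat, start.reported_lon, station.lat, station.lon)
    if d > MAX_STATION_DISTANCE_KM:
        reasons.append(f"reported position is {d:.1f} km from station {station.station_id}")
    # Check 2: impossible travel since the user's previous session. This uses the
    # registered station coordinates, not the client-reported ones, so a spoofed
    # position cannot be used to satisfy it.
    if previous is not None and previous.station_id in STATIONS:
        prev = STATIONS[previous.station_id]
        hours = (start.started_at - previous.started_at).total_seconds() / 3600.0
        dist = haversine_km(prev.lat, prev.lon, station.lat, station.lon)
        if dist > 0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
    return reasons


def demo():
    """Constructed scenario: a genuine Berlin session, then a Paris session one hour
    later whose app still reports the Berlin coordinates."""
    first = SessionStart("user-1", "ST-1", 52.5201, 13.4051, datetime(2024, 5, 1, 10, 0))
    second = SessionStart("user-1", "ST-2", 52.5200, 13.4050, datetime(2024, 5, 1, 11, 0))
    return check_session(first, None), check_session(second, first)
```

In practice the thresholds would be tuned per site, and a flagged session would be routed to step-up authentication or manual review rather than silently rejected, since GPS drift in parking garages produces genuine false positives.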
Denial-of-Service (DoS) Attacks
In a denial-of-service (DoS) attack, the EV charging application is overwhelmed by traffic on the underlying network until it becomes unavailable or unusable. DoS attacks can disrupt the charging infrastructure and can be used to extort money from the application provider.
Injection Attacks
In an injection attack, malicious commands are submitted through user input fields or API parameters to manipulate the database, steal credit card information or access sensitive data. EV charging applications that store user data or session information in a database and build queries from unvalidated input are vulnerable to injection attacks.
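The following is an added example, not code from the original article or from Radware, illustrating the injection attack above together with the API input-validation point from the earlier section on insecure APIs. It uses an in-memory SQLite table of hypothetical charging sessions (the table, its rows and the "ST-<digits>" station-ID format are all constructed for illustration). The vulnerable lookup splices the user value into the SQL text, so a tautology payload returns every user's card details; the safe version passes the value as a bound parameter, and an allowlist check rejects malformed station IDs before they reach any query.

```python
import re
import sqlite3

# Allowlist pattern for a station identifier (hypothetical format).
STATION_ID_RE = re.compile(r"^ST-\d{1,6}$")


def is_valid_station_id(value) -> bool:
    """API-layer validation: accept only a well-formed station ID, reject everything else."""
    return isinstance(value, str) and STATION_ID_RE.match(value) is not None


def make_db():
    """Constructed in-memory database with a few hypothetical charging sessions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (id INTEGER PRIMARY KEY, user TEXT, station TEXT, "
        "card_last4 TEXT, kwh REAL)"
    )
    conn.executemany(
        "INSERT INTO sessions (user, station, card_last4, kwh) VALUES (?, ?, ?, ?)",
        [("alice", "ST-1", "4242", 31.5), ("bob", "ST-2", "1111", 12.0), ("carol", "ST-1", "9876", 44.2)],
    )
    return conn


def sessions_for_user_vulnerable(conn, user):
    # VULNERABLE: the user-controlled value becomes part of the SQL statement itself.
    sql = f"SELECT user, station, card_last4 FROM sessions WHERE user = '{user}'"
    return conn.execute(sql).fetchall()


def sessions_for_user_safe(conn, user):
    # SAFE: parameterised query; the driver sends the value separately from the statement,
    # so quotes in the value can never change the query's structure.
    return conn.execute(
        "SELECT user, station, card_last4 FROM sessions WHERE user = ?", (user,)
    ).fetchall()


# Classic tautology payload: closes the string literal and appends an always-true condition.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run the same payload through both lookups and return (leaked_rows, safe_rows)."""
    conn = make_db()
    leaked = sessions_for_user_vulnerable(conn, PAYLOAD)  # every row, every user's card_last4
    safe = sessions_for_user_safe(conn, PAYLOAD)          # no rows: no user is literally named x' OR '1'='1
    return leaked, safe
```

Parameterised queries fix the query-structure problem; the allowlist check is still worth having because it stops garbage from reaching the database at all and gives the API a clear place to log and rate-limit malformed input.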
Cross-Site Scripting (XSS) Attacks
XSS attacks involve injecting malicious scripts into EV charging app web pages that are then viewed by other users. EV charging applications that allow user-generated content or have input fields that are not properly validated and encoded on output are vulnerable to XSS attacks.
Cross-Site Request Forgery (CSRF) Attacks
CSRF attacks trick a logged-in user's browser into performing actions on behalf of an attacker, such as submitting a form or transferring funds, because the browser automatically attaches the user's session cookie to the forged request. EV charging applications that rely on cookies or other automatically sent session tokens to authenticate state-changing requests, without also checking a request-specific token, are vulnerable to CSRF attacks.
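The following is an added example, not code from the original article or from Radware, of the standard defence against the attack above: a CSRF token that the legitimate page can read and send back, but that a cross-site page cannot obtain. The token is bound to the session ID with an HMAC so it is stateless on the server and useless in any other session. The session IDs, the `handle_request` function and its return strings are hypothetical stand-ins for a web framework's request handling.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical server-side key. In production load it from a secrets manager; never hard-code it.
SERVER_SECRET = os.urandom(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). Embedded in the page (hidden field
    or meta tag) by the server; a cross-origin page cannot read it."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def handle_request(method: str, session_id: str, form: dict, token_header=None) -> str:
    """Only state-changing methods need the token; GET must never change state.
    The session_id comes from the cookie the browser attached automatically, which is
    exactly what a forged request also has; the token is what it lacks."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return "read-only ok"
    token = form.get("csrf_token") or token_header
    if not token or not verify_csrf_token(session_id, token):
        return "rejected: missing or invalid CSRF token"
    return "state change ok"
```

Setting the session cookie with the `SameSite=Lax` or `Strict` attribute is a complementary browser-side control, but it does not replace the token check, since older clients and some navigation cases do not honour it.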
Server-side Request Forgery (SSRF) Attacks
In an SSRF attack, the attacker tricks the EV charging application server into sending a request, on the attacker's behalf, to a resource that is not supposed to be publicly reachable, such as an internal service behind the firewall. Because the request originates from the trusted server, it can bypass network restrictions and authentication and give the attacker access to sensitive information or control over the charging station.
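The following is an added example, not code from the original article or from Radware, of how a backend can vet a URL before fetching it on a user's behalf. The hostnames in the allowlist are hypothetical. The check requires an allowed scheme and host, refuses embedded credentials, resolves the host and rejects any address that is not globally routable (loopback, RFC 1918, and link-local, which covers the 169.254.169.254 cloud metadata endpoint). The resolver is injectable so the check can be exercised offline; the returned IP is what the caller should actually connect to, so that a DNS answer that changes between check and use cannot redirect the request.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts this backend is ever supposed to call.
ALLOWED_HOSTS = {"api.payments.example", "ocpp.backend.example"}
ALLOWED_SCHEMES = {"https"}


def resolve_host(host):
    """Default resolver: every address the host resolves to (real DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text) -> bool:
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolve=resolve_host):
    """Return (ok, reason, ip). On success the caller connects to `ip`, sending the
    original hostname as Host/SNI, instead of resolving the name a second time."""
    try:
        parts = urlparse(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}", None
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if parts.username or parts.password:
        return False, "credentials embedded in URL", None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist", None
    try:
        addresses = resolve(host)
    except (OSError, ValueError) as exc:
        return False, f"resolution failed: {exc}", None
    if not addresses:
        return False, "host did not resolve", None
    # Every address must be public: a name with one public and one internal record
    # is still a rebinding vector, so the whole answer set is checked.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}", None
    return True, "ok", addresses[0]
```

Note that the allowlist is the real control here; the address check is defence in depth for the case where an allowed name is compromised or repointed at something internal. Redirects returned by the remote server must be validated through the same function before being followed.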
EV Charging Application Attacks — More Vehicles Means More
To properly protect EV charging applications and infrastructure, EV charging application developers can implement several countermeasures. These include input validation and sanitization, monitoring for anomalous behavior such as spikes in traffic and failed log-in attempts, enforcement of an allowlist of approved resources, blocking of irrelevant geographies, providers and proxy services, and limiting the scope of requests the application can make. EV charging companies should also consider a range of cybersecurity tools and measures to protect against application attacks: WAFs; bot, API and DDoS protection tools, including ones that monitor the application supply chain; intrusion detection and prevention systems; encryption; and access controls. The specific tools and measures will vary with the organization's needs and risks. EV charging companies must also take proactive measures and conduct regular security testing and vulnerability assessments to identify and remediate vulnerabilities before malicious actors exploit them.
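The following is an added example, not code from the original article or from Radware, of the "monitor for failed log-in attempts" countermeasure above, written as detection logic that runs over authentication log lines. The log format, the IP addresses and the user names are constructed for illustration. A sliding window per source IP raises one alert when the failure count crosses a threshold, distinguishes a brute-force attempt on one account from credential stuffing across many accounts, and flags a successful login that follows such a burst, which is the event most worth paging on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, event, user, source IP).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z LOGIN_OK user=dave ip=203.0.113.9
2024-05-01T10:00:01Z LOGIN_FAIL user=alice ip=198.51.100.7
2024-05-01T10:00:03Z LOGIN_FAIL user=bob ip=198.51.100.7
2024-05-01T10:00:04Z LOGIN_FAIL user=carol ip=198.51.100.7
2024-05-01T10:00:06Z LOGIN_FAIL user=dave ip=198.51.100.7
2024-05-01T10:00:09Z LOGIN_FAIL user=erin ip=198.51.100.7
2024-05-01T10:00:10Z LOGIN_FAIL user=bob ip=203.0.113.77
2024-05-01T10:02:30Z LOGIN_FAIL user=bob ip=203.0.113.77
2024-05-01T10:05:00Z LOGIN_FAIL user=bob ip=203.0.113.77
2024-05-01T10:10:00Z LOGIN_FAIL user=alice ip=192.0.2.200
2024-05-01T10:10:05Z LOGIN_FAIL user=alice ip=192.0.2.200
2024-05-01T10:10:09Z LOGIN_FAIL user=alice ip=192.0.2.200
2024-05-01T10:10:14Z LOGIN_FAIL user=alice ip=192.0.2.200
2024-05-01T10:10:20Z LOGIN_FAIL user=alice ip=192.0.2.200
2024-05-01T10:10:21Z LOGIN_OK user=alice ip=192.0.2.200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": m["event"], "user": m["user"], "ip": m["ip"]}


def detect_login_abuse(lines, threshold=5, window_seconds=60):
    """Sliding window of LOGIN_FAIL events per source IP. One alert per IP when the
    window holds `threshold` failures; a later LOGIN_OK from an alerted IP is a
    separate, higher-severity alert."""
    window = defaultdict(deque)   # ip -> deque of (timestamp, user), oldest first
    alerted = set()
    alerts = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "LOGIN_OK":
            if rec["ip"] in alerted:
                alerts.append({"ip": rec["ip"], "kind": "success_after_failures",
                               "failures": len(window[rec["ip"]]), "users": [rec["user"]], "at": rec["ts"]})
            continue
        q = window[rec["ip"]]
        q.append((rec["ts"], rec["user"]))
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:        # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            users = sorted({u for _, u in q})
            kind = "credential_stuffing" if len(users) > 1 else "brute_force"
            alerts.append({"ip": rec["ip"], "kind": kind, "failures": len(q), "users": users, "at": rec["ts"]})
            alerted.add(rec["ip"])
    return alerts


def run_sample():
    return detect_login_abuse(SAMPLE_LOG.splitlines())
```

On the constructed log this yields three alerts: credential stuffing from 198.51.100.7 (five accounts in nine seconds), a brute-force run against alice from 192.0.2.200, and the successful login from that same address immediately afterwards. The three slow failures from 203.0.113.77 stay below the threshold, which is the usual trade-off: a low-and-slow attacker needs a longer window or a per-account rather than per-IP view.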
Your Next Best Step
Regardless of the type of attack your organization needs protection against, the cybersecurity professionals at Radware have been there, done that. They have years of empirical experience keeping organizations of all sizes and from an array of industries protected against cyber threats. They can do the same for your organization. Reach them here. They would love to hear from you.