A Russian zero-day exploit purchase site is interested in tools for hacking Electric Vehicle Charging Stations. This raises a number of questions. Why would anybody want to hack such targets? Also, why would Russian entities (in particular) be interested in such targets? The best answer to these is “good question!”, and let's put politics aside. Let’s explore the potential cybersecurity risks of electric vehicle charging stations, assuming the ability to compromise them at scale with some kind of tools. It turns out that this is a fascinating security problem!
Zero-day (0day) exploit purchase boutiques have existed for some years now. Specifically, these are vendors who ask for tools that can typically access certain software like operating systems (Android, iOS, …), instant messengers (iMessage, WhatsApp, Signal, Telegram, …), servers (Apache, etc.), and so on. They’ve got a variety of clients, from private (to test security) to government or military. You get the idea.
A recent analysis describes the new entity, its pricing policy (highly competitive), and the potential rationale due to the geopolitical issues.
I focus on a small fraction. Specifically, the entity (OpZero) expresses interest in the acquisition of tools that allow hacking Electric Vehicle Charging Stations (a part of Electric Vehicle Supply Equipment (EVSE)). It is quite a non-standard interest, to a degree. Why would anybody be interested in acquiring tools to exploit vulnerabilities in Electric Vehicle Charging Stations?
Cybersecurity of electric vehicle charging stations
Cybersecurity of Electric Vehicle Charging Stations is naturally important in a future where electric cars are ubiquitous. Assuming a monoculture in charging stations, such vulnerabilities could e.g. take down a lot of charging stations at the same time. It might be imaginable that … a big chunk of transportation in a targeted country/region would come to a standstill as a result. Let’s not consider the issue of ensuing public outcry/panic (i.e. a use in an information operation or warfare). Assuming that in the future all vehicles are electric, including firefighters, ambulances, military vehicles, emergency services etc., then you get the idea of attacking such a single point of failure. Let’s also disregard it for now. We are some time from such a reality. So what would be the use today? One idea is the ability to inform the vendor so the vulnerability is fixed, of course! Ok, what about others?
Using the capability for propaganda, like during the Russian war with Ukraine, when a Ukrainian vendor used their access to display messages on Russian charging stations? Well, when you already have the access, there’s of course no need for bypassing any security boundaries. But that’s another issue.
Disabling the access to EV charging stations can be a mild inconvenience or a bigger one (if there’s only one variety around, and if all are hacked/disabled at the same time, and if EVs are in significant use in a country). Undermining trust in this mode of transportation? Who knows, if you’re a country dependent on petroleum exports, perhaps this could be of use. How about...
Taking down a power grid?
But a larger-scale cyber operation against electric car charging stations could potentially even impact the broader power grid (i.e. ‘30 MW EV load attack can completely destabilise the system’). So, is it possible to take down an entire power grid with a concerted massive cyber operation targeting electric vehicle charging stations? That is highly dependent on aspects such as the number of charging stations installed, their type, the actual country power grid variety, etc. To be fair, electric chargers can be responsible for significant load, and the loss of load probability can reach even 6.89% during the winter season. Whether a knock-out can be induced artificially is therefore a good question. This is perhaps already a potential issue of concern for some countries, like maybe Portugal; a whole-world assessment is outside the scope of this note and is left for the reader to make. But for some countries this is already possible in theory (due to the numbers of EV charging stations there). The scenario here is taking control over the charging stations and modulating load/demand in ways that overcome the resilience of the system, leading to grid instability, and possibly a blackout (i.e. a rapid surge in demand might not be compensated by the system).
Anyway, the U.S. Department of Energy is aware of cybersecurity risks. Vulnerabilities in charging stations were already being found and fixed. It is beyond doubt that there will be more. It is a risk, but I would say that pulling this off would still be challenging today.
That said, it’s not a bad idea to be aware of such systemic risks. Especially once society/civilisation at large moves to electric vehicles, and once charging stations become ubiquitous and critical for us.
Meanwhile, it is curious that an exploit purchaser is specifically interested in acquiring access/hacking tools for such targets. There’s no usable data/information to steal from such an infrastructure. It seems that the only conceivable gain would be: the ability to report it to get it fixed, or to use it to undermine credibility, or again — to create mild-scale chaos/panic, but only in a country where electric cars are already used to a significant degree, so I guess, nowhere in 2022?
Did you like the assessment and analysis? Any questions, comments, complaints, or offers of engagement? Feel free to reach out: me@lukaszolejnik.com