Cybersecurity vulnerabilities discovered in EV fast-charging systems could allow hackers to access network keys and data. Future work aims to enhance security measures.
Engineers at Southwest Research Institute have identified cybersecurity vulnerabilities in electric vehicles (EVs) using direct current fast-charging systems, the fastest common charging method. This high-voltage technology uses power line communication (PLC) to transmit smart-grid data between vehicles and charging equipment.
In a laboratory, the SwRI team exploited vulnerabilities in the PLC layer, gaining access to network keys and digital addresses on the charger and the vehicle.
In the latest project, SwRI explored vehicle-to-grid (V2G) charging technologies, following ISO 15118 specifications for communication between EVs and electric vehicle supply equipment (EVSE) to support electric power transfer.
The team developed an adversary-in-the-middle (AitM) device with specialized software and a modified combined charging system interface. This AitM device enabled testers to eavesdrop on communication between EVs and EVSE for data collection, analysis, and potential attack. By identifying the media access control addresses of the EV and EVSE, the team discovered the network membership key that allows devices to join the network and monitor traffic.
The researchers noted that adding encryption to the network membership key would be an important first step in securing the V2G charging process. They explained that with network access granted by unsecured direct access keys, the nonvolatile memory regions on PLC-enabled devices could be easily retrieved and reprogrammed. This vulnerability opens the door to destructive attacks, such as firmware corruption.
However, encrypting embedded systems on vehicles presents several challenges. Added layers of encryption and authentication could potentially become safety hazards. If authentication or decryption fails, it could disrupt a vehicle’s functionality or performance.
SwRI has developed a zero-trust architecture to address these challenges by connecting several embedded systems through a single cybersecurity protocol. Future EV cybersecurity research at SwRI will test zero-trust systems for PLC and other network layers.