Networked “Smart” Chargers Pose a Bigger Security Risk Than Companies Realize

As more companies embrace home charging as a practical solution for their electric vehicle (EV) fleets, the risks associated with installing or using networked charging systems at employees’ homes demand careful attention.

Networked “smart” chargers may seem convenient and cost-effective, especially when the hardware is free or subsidized through grant and rebate programs. However, they can introduce a range of potential vulnerabilities that can significantly impact fleet operations, which many organizations may not anticipate before implementation.

Although these risks can be mitigated through careful setup, firm policies, and ongoing vigilance, it’s important to ask whether networked functionality is truly necessary for your fleet.

For companies primarily using these devices to run a home charging reimbursement program, a software solution that works with low-tech “dumb” chargers or even trickle chargers can offer a safer and more straightforward option. This approach preemptively eliminates many security concerns associated with networked chargers and can cost less overtime to set up and maintain.

Understanding the potential threats and implementing robust security measures is crucial for companies that decide the benefits of networked chargers outweigh the dangers.

Understanding Networked Charger Vulnerabilities

The cybersecurity risks networked EV chargers pose are far from hypothetical — they are genuine and increasingly prevalent.

A study by the University of Texas at San Antonio found vulnerabilities in all 16 charging stations they examined, highlighting the widespread issue across different manufacturers and models. EV charging stations accounted for 4% of all vehicle-related cybersecurity incidents in 2022, a significant figure that illustrates the growing target these devices represent for cybercriminals.

Specific incidents, such as three charging stations on the Isle of Wight hacked to display inappropriate content, demonstrate the diverse range of threats that can impact public and private charging infrastructure. Another critical example is a vulnerability that Shell had to patch, which could have exposed millions of charging logs across its network.

“These incidents underscore the potential for data theft, unauthorized access, and even disruptions to the power grid if attackers gain control of charging infrastructure,” Jeff Ewing, vice president of security operations at 5Q, said.

“Companies need to prioritize the security of these systems — including those units installed at employee’s homes — to safeguard their operations and prevent potential breaches that could lead to significant financial and reputational damage,” Ewing continued.

Smarter is Not Better

Unfortunately, every connected device is a potential vulnerability point for a cybersecurity attack. Networked chargers are increasingly becoming targets for cyberattacks due to the connectivity that gives them advanced functionality.

“Smarter devices have more features and, thus, more potential points of vulnerability. The basic components can be inherently insecure, leaving them open to exploitation, and their limited computational abilities often prevent them from supporting robust security measures,” Ewing said.

“Weak or absent authentication and encryption mechanisms can allow attackers to intercept and manipulate data. User security awareness also plays a role, as many users may not follow best practices, such as changing default passwords or updating firmware, which can leave devices exposed,” Ewing continued.

While not a comprehensive list, Ewing said “smart” chargers are susceptible to a variety of cybersecurity threats, including:

1. Man-in-the-Middle Attacks: A Man-in-the-Middle (MitM) attack occurs when a cybercriminal intercepts communication between two parties — in this case, between the charger and the network. This attack can allow unauthorized users to access sensitive data such as payment information, user credentials, or operational data.
2. Malware Installation: Malware can be installed over an unprotected network or operating system. Malware can be designed to target the charger itself, the user’s interface (such as a mobile phone app connected to the charger), or both. Once compromised, these devices can be used as entry points for larger network attacks, causing widespread disruption to fleet operations. Additionally, infected devices may lead to the theft of sensitive corporate information or damage to critical infrastructure.
3. Device Disabling or Overcharging: Another potential attack involves turning off the charger or causing a malfunction to overcharge the vehicle, which could render the charger unusable, disrupting fleet operations by leaving vehicles without power. Overcharging could pose safety risks in extreme cases, potentially damaging the vehicle’s battery or even causing fires. Such disruptions affect daily operations, could incur significant repair costs, and pose liability risks.
4. Administrative Control Breaches: Hackers can access a charger’s administrative controls, especially when security measures like authentication and encryption are weak or absent. Once in control, hackers can bypass safety mechanisms, alter settings, or disable essential functions, leading to operational hazards. For example, attackers could override built-in safety protocols designed to prevent overcharging or overheating, creating dangerous conditions that could damage vehicles or infrastructure.

Networked home chargers not only increase the risk for your employees but can also put sensitive company data at risk.

“Because [of] the surge in remote work since 2020…these devices may represent a threat to enterprise data and networks,” Merritt Maxim, vice president and research director at Forrester Research, said in IoT World Today. A breach in security can not only interrupt the charging process but also expose sensitive company data to malicious actors.

Steps to Secure: What Does it Take?

Several steps can reduce the risk if your organization plans to install or have employees use smart chargers as part of your EV fleet take-home program.

“To protect their assets and ensure the safety of employees using networked ‘smart’ chargers, companies must implement comprehensive cybersecurity strategies across all stages — from purchasing and installation to regular use and maintenance,” Ewing advises.

Ewing emphasizes that the organizations and employees using the chargers are responsible for mitigating risk and adhering to existing best practices. He suggests the steps to improve the security measures that should already be embedded in your cybersecurity culture:

• Change Default Credentials: Always change the default username and password to something strong and unique to prevent unauthorized access.
• Regular Firmware Updates: Keep the firmware of your smart charger up to date. Manufacturers often release updates to patch security vulnerabilities.
• Use Strong Encryption: Ensure the communication between the charger and the network is encrypted to help protect data from being intercepted by attackers.
• Network Segmentation: Place the smart charger on a separate network segment from other critical devices to limit the potential damage if the charger is compromised.
• Secure Physical Location: To prevent tampering, install the charger in a secure, well-monitored location.
• Monitor Network Traffic: Regularly monitor the network traffic to and from the smart charger for any unusual activity. This can help detect potential intrusions early.
• Disable Unused Features: Turn off any features or services that are not in use to reduce the attack surface.
• Educate Users: Ensure all users know best security practices, such as not sharing passwords and recognizing phishing attempts.

“Implementing these measures can significantly enhance the security of your smart chargers and protect against potential attacks, but it’s important to remember that security is not a one-time effort; it is a continuous responsibility for end users, property owners, and employers alike,” Ewing warns.

“To maintain robust security, ensure that any device in use employs a known, secure communication protocol, and confirm that your home network is secure if the device is connected to it. Regularly check for updates to the device’s firmware or settings to keep up with the latest security patches. Additionally, consistently monitor your network to stay informed about who is accessing it and what data is being transmitted. By remaining vigilant and proactive, you can better safeguard your charging infrastructure against evolving cyber threats,” he continued.

Assess the Risk for Your Fleet

While the allure of networked “smart” chargers may seem like a step toward future-proofing your fleet, it’s crucial to weigh these benefits against the significant cybersecurity risks they pose. The potential for data breaches, operational disruptions, and even physical damage to vehicles makes it clear that “smarter” isn’t always safer.

“Companies should really examine and understand the ‘need’ for their home charging setups to be smart before committing to networked chargers,” Ewing concludes. Companies and fleets must assess if the added complexity and potential vulnerabilities are worth the risk.

For many, a more straightforward, low-tech solution — like using “dumb” chargers paired with robust home charging reimbursement software — might offer a safer, more cost-effective alternative. Companies can sidestep many security concerns by opting for more straightforward charging methods, ensuring smoother operations and fewer surprises.

Ultimately, it’s about finding the right balance between technological advancement and practical risk management to keep your fleet moving safely and securely.