Engineers at Southwest Research Institute have discovered a vulnerability in DC fast-charging stations that allows hackers to gain access to your electric vehicle while you're sipping a coffee.
Power line communication (PLC) is a way of sending data through existing power cables, like the electrical wiring in your home. It works by superimposing a high-frequency carrier signal on the power line and having a receiver at the other end extract the data encoded in that signal. In this way, it's possible to send and receive transmissions like voice, video, and even your day-to-day internet traffic straight through your electrical wiring. This type of technology has been around since 1922.
Skip forward to today and about 40 million electric cars are zipping around the world. It's estimated that about 86% of EV owners charge their babies at home, while about 59% use public chargers weekly. There are roughly 10,000 Level 3 DC Fast Charging (DCFC) locations in the US. That's 10,000 potential hacking sites and millions of potential vulnerabilities in the US alone.
Level 3 DC chargers – which are the fastest means of topping up your Tesla while road tripping – use an IPv6-based PLC protocol to communicate with the car, monitoring faults and collecting data on everything from charge status and state of charge to the vehicle identification number (VIN) and everything in between.
SwRI exploited vulnerabilities in the PLC layer using an adversary-in-the-middle (AitM) attack that emulated both the EV and the charging equipment, which granted them access to the network key and the digital addresses of both the charger and the vehicle.
"Through our penetration testing, we found that the PLC layer was poorly secured and lacked encryption between the vehicle and the chargers," said Katherine Kozan, the lead engineer at SwRI’s High Reliability Systems Department.
Oof.
In 2020, SwRI was able to reverse engineer and hack the J1772 charger system – the most common charger type in the US – to disrupt the charging process, simulating a malicious attack. They were able to send signals to the car to mimic overcharging, adjust charging rates, or simply block charging altogether.
Level 3 hacks take everything to another level, giving would-be hackers the potential ability to inject code into the vehicle's firmware – the very base code that tells the vehicle how to operate – altering its functions or disabling them altogether, and perhaps even allowing black hats remote access and control via the vehicle's cell-based connectivity to the internet.
Some readers may remember the 2015 Jeep hack, where a pair of hackers from Missouri took control of an unmodified Jeep Cherokee while a Wired reporter drove down the freeway. The hackers went so far as to shut down the engine, take control of the steering and coast him off the freeway, before disabling the brakes, all while monitoring the car's position via GPS.
How did they get control like that? Remotely, from just the infotainment system alone.
"With network access granted by unsecure direct access keys, the nonvolatile memory regions on PLC-enabled devices could be easily retrieved and reprogrammed. This opens the door to destructive attacks such as firmware corruption," said FJ Olugbodi, a contributing engineer to the SwRI project.
A bad actor modifying an EV's firmware could have serious consequences for the driver and anyone else in the path of a rogue vehicle. The possibilities are nearly limitless with modern vehicles that are so heavily dependent on software, CPUs and internet connections. They're basically data centers on wheels.
The main brain of the newer Tesla Model S, for example, is an AMD Ryzen CPU and AMD Radeon GPU, the same stuff you might have in your desktop computer at home or work. It has about 63 other CPUs in there as well.
Simply adding encryption to embedded systems on EVs could be a hazard in itself. Any failure to decrypt or authenticate a piece of data could cause a fault in an EV's systems. Imagine trying to brake, but your vehicle decides not to because it failed to get an authenticated signal from your pedal through the ABS module.
Not all is lost, however. SwRI has developed a new "zero-trust" architecture that could sidestep the need for layers of encryption. Zero-trust works under the premise that if a bad guy wants to break through your firewall, it's pretty likely that they will and you can't stop them. Instead, zero-trust requires each asset – be it a laptop, a server, or an electric vehicle – to prove, at a root level, its identity and that it belongs to the network before executing a command. Here, the network is the car itself.
Not only is every piece of the architecture required to authenticate itself on every boot, but the zero-trust system also monitors system accuracy and identifies anomalies and illicit communication packets in real time, in case a bad actor does gain access to the vehicle's systems.
While zero-trust architecture isn't in today's vehicles, it could be the way of the future if more and more vulnerabilities are found and exploited.
Source: Southwest Research Institute