EV cyberattacks are rare, so far, but you should still take precautions.
A growing number of consumers are ready to ditch the gas pump. They’re instead turning to electric vehicles when they’re ready to buy a new car or truck.
That’s good for the environment. But the surge in electric car sales also provides a new opportunity for cybercriminals. Yes, electric vehicles can be hacked, and the high-tech scammers behind these cyberattacks will gladly use your EV and public charging stations to steal your personal and financial information or even disable your car or truck.
Because electric vehicles contain chips and software that control their batteries, cruise control systems and braking, they are vulnerable to cyberattacks. Cybercriminals can also launch attacks when the owners of electric vehicles plug them into chargers. Electric vehicles also communicate wirelessly with Wi-Fi networks and with apps that their drivers have installed on their phones.
This combination leaves these vehicles open to malicious attacks by skilled hackers. An example? The Brokenwire attack.
In this attack, hackers send signals wirelessly to targeted electric vehicles. This causes electromagnetic interference and interrupts the connection between a public EV charging station and the vehicle. The charging station, then, won’t provide the vehicle with a charge until the attack ends, according to a feature story in Security Week.
Brokenwire attacks target a specific EV charging system, the Combined Charging System, a DC rapid charging system that is used in many public charging stations. Fortunately, Brokenwire attacks don’t work against home EV chargers because these systems typically rely on AC currents.
A Brokenwire attack is an inconvenience: The owners of targeted electric cars won’t be able to charge their vehicles until the attack ends. But these attacks don’t cause any permanent damage to electric vehicles, researchers said. The real fear is that hackers will use Brokenwire attacks to interrupt the charging of emergency vehicles, such as electric ambulances, something that could have life-threatening consequences, according to researchers.
In a recent story by the Wall Street Journal, cybersecurity experts say that in a worst-case scenario, hackers could spread malicious software to thousands of electric vehicles. The cybercriminals could freeze these cars, demanding that their owners pay a fee to unlock them. This would be a new form of the ransomware attacks that so often shut down the computers of individuals, companies and governments.
Then there are those cybercriminals who are more interested in stealing the personal and financial information of consumers. These hackers can take advantage of the increased demand for electric vehicles to launch phishing campaigns designed to trick victims into giving them their personal information, including their Social Security numbers and bank account information.
Maybe you are waiting for a specific electric car. A hacker might send an email saying that the manufacturer of this car has bumped you up in line and that your vehicle is now ready. The catch? You’ll first have to click on a link that takes you to a new web page that asks for your personal and financial information.
If you send this information, you won’t be providing it to an EV maker. Instead, you’ll be sending it to a scammer, who can use it to take out loans or credit cards in your name or access your online bank or credit card accounts. Others will sell this information on the Dark Web.
EV cyberattacks are rare, so far, but there have been some notable examples recently.
In February 2022, after Russia invaded Ukraine, EV chargers along a Russian highway were shut down and their screens displayed pro-Ukraine slogans. In April 2022, public EV chargers on the Isle of Wight were hit by cyberattacks that displayed pornography on their screens.
Another notable hack occurred in 2019 when a 19-year-old security researcher gained access to the digital car keys of more than 25 Tesla EVs scattered across the globe. From a remote location, the hacker ran programs that disabled the vehicles’ security mode, unlocked their doors and opened their windows.
Fortunately, this white-hat hacker only exposed a hole in Tesla’s cybersecurity and didn’t use the access he gained to steal the personal information of owners or take over control of their cars. The hack, though, does show that EVs are vulnerable to cyberattacks.
While attacks are rare now, that doesn’t mean they’ll always be. So, what can you do to protect your electric vehicle from cyberattacks?
Your electric vehicle probably comes with such services as Wi-Fi, satellite radio and Bluetooth technology. These can be useful tools, allowing you to make hands-free phone calls or giving your passengers the chance to watch movies or YouTube videos.
But these wireless services are also tempting weak points for cybercriminals to attack. This doesn’t mean that you should shut off your car’s Wi-Fi network. But you should research the wireless services your vehicle offers. If there are any you don’t use, see if you can disable them. That will cut off at least one entry point for cybercriminals.
You can download apps to your EV using its in-vehicle touchscreen. That’s fine. But be careful: Only install software or download apps from trusted sources, such as your vehicle’s manufacturer.
You might infect your vehicle with malicious software if you download apps from unknown sources. The scammers behind these apps might use them to steal your personal or financial information or to disable your vehicle.
If your manufacturer sends a software update to your EV’s touchscreen, don’t ignore it. You’ll typically have the option to install the update immediately or schedule it for later. It’s best to begin installation immediately.
These updates are often designed to block known threats, including viruses and malicious software. It’s important to approve software updates from trusted sources to equip your EV with the latest protection.
Be wary of any email supposedly sent by an EV manufacturer. That email saying that you’ve been moved ahead in line to purchase a new Tesla might be from a scammer hoping to trick you into providing your personal information. An email stating that you need to install an upgrade to your EV? It might contain a link that will flood your computer with malware.
Remember, no EV manufacturer will bump you ahead in line. Emails claiming this are scams. And no car manufacturer will ask for your personal or financial information through email. Never provide this information. If you’re worried that a request might be legitimate, call your car dealer or manufacturer and ask.
As electric vehicles continue to evolve, and the computer systems and software powering them become more complex, hackers will gain new opportunities to steal drivers’ information, disrupt public charging stations and maybe access the cars’ controls.
Fortunately, these cyberattacks aren’t overly common yet. And there are steps you can take to protect yourself, including watching out for phishing emails or texts, updating the software behind your vehicle’s operating systems and disabling interior Wi-Fi services that you don’t use.
And the hope is that automakers, government bodies, think tanks and cybersecurity experts will continue working together to boost the security of EVs as more drivers ditch gas-powered cars and trucks. Because it’s going to take all of us to keep each other safe.
AAA’s Recommendation: Whether you own an electric vehicle or a gas-powered car is up to you – and you should consider lots of factors in making that choice. No matter what type of vehicle you’re choosing, we recommend visiting a dealership, test driving one, and asking as many questions as possible to make an informed decision.