EV Charger Security

2021, April 13    

With my pending EV purchase I've been thinking about their onboard systems and about external factors and influences that could be a potential risk. As most modern cars are "connected" with some form of 3G/4G/5G link that provides telemetry data to the manufacturer I tend not to dwell on that (as sadly it's near-impossible to disable, and the best you can do is hope they have adequate security in place). Charging stations however are both intriguing and concerning to me for a few different reasons, not least because of the lack of detailed information around how they operate and their design as a whole.

As a starting point it's important to understand the difference between AC and DC charging. Put simply, when charging from your socket at home (or your local supermarket on a 7kW/11kW/22kW feed) the circuitry that pushes DC power into the batteries is located within the vehicle itself. This is why an EV will state what its maximum AC charging rate is (as a faster rate requires a larger onboard charger which adds more weight). With DC charging there is no such charger within the vehicle as it's built into the external charging station (known as the Electric Vehicle Supply Equipment, or EVSE for short). This approach not only reduces the weight of the vehicle (as it's one less charger to carry), but allows for a much larger charger to be used which in turn provides a faster rate of charging.

With both approaches comes communication between the vehicle's battery management system (BMS) and the external charger (be it an AC wall-box or a DC rapid charger), to determine how much power can/should be sent (more so with a DC supply, as with AC the charger is within the vehicle so it's controlled in-house).
You can find more information in general around this here.

From a security perspective there are two potential areas of concern I see with the charging approaches, both of which I hope have been suitably designed and protected against. As documentation around this doesn't seem the easiest to find I've put my thoughts here in case anyone has more information (I'm interested to know).

First, we have the communication between the external charging point and the BMS within the vehicle. Embedded systems aren't typically known for being the most secure (The 's' in IoT stands for security), and in many cases aren't known for frequent security updates. When you consider that most modern home/small-business EV AC chargers are internet-connected (for remote control and usage reporting), it adds an additional attack vector into the equation. The potential risk with this is that a charging point could be compromised to attack the BMS within the vehicle and potentially corrupt/reprogram it.

The end goal of this could be to have a car indicate to a charger that it can accept more power than it safely can, resulting in the battery packs swelling, triggering thermal runaway, then catching fire/exploding. While this doesn't sound appealing, it should be unlikely as the BMS should have adequate protection to prevent this type of corruption/modification, including (one hopes) signed firmware to prevent tampering. I do wonder whether modified firmware for BMSs will become the next 'ECU remap', for people trying to get faster charging times...

Second (and of more concern) we have the rapid chargers that are being installed in most countries to help with EV uptake and to alleviate the need for slow charging. These chargers are capable of outputting an immense amount of power (350kWh at time of writing) to vehicles that can accept it, and with that comes the concern. These chargers are (mostly) connected to the internet to provide real-time status updates to their operator and in some cases external services like ZapMap (a good thing). The downside to this is that it's a connected network that may at some point in the future become the target of attackers, and the security of these platforms is unknown.

When an EV is connected to one of these chargers the BMS communicates with the EVSE and provides information on a few factors, including what is known as the Acceptance Rate. This is the maximum amount of power that should be sent to the vehicle based on what the batteries within the vehicle can take at peak. Also, as charging begins and is in progress the BMS continuously informs the EVSE of the voltage/current it should send (known as CV/CC) based on factors such as battery temperature and current charge capacity. This is why when you plug most EVs into a rapid charger you see the charging rate start slow and then ramp up as the charge progresses before dropping when you approach 80% onwards (to protect the cells from overcharge/deterioration).

With the EVSE being the device that regulates both the voltage and current being sent to the vehicle, it begs the question as to what happens if the charger ignores the acceptance rate and decides to push as much power as it physically can? I would expect the BMS to notify the charger to reduce power or stop, but if that doesn't happen, what happens next? At this point I would hope that the onboard circuitry within each EV contains a set of heavy-duty relays that isolate the battery from the charging circuit should this occur (while also providing protection against arcing given newer EVSEs can output at 800 volts), however the documentation around this is scarce (and the only disconnects that get mentioned are the high-voltage battery from the vehicle itself).
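A sketch of the vehicle-side check hoped for above, as an added example that is not from the original post or from any manufacturer's BMS: the vehicle compares what its own sensors measure against what the BMS requested and against absolute pack limits, and latches the contactors open if the EVSE keeps over-delivering. All names, thresholds and the sample trace are assumptions.

```c
/* Added example: every name, limit and sample value here is an assumption. */
#include <stddef.h>
#include <stdio.h>

typedef enum { GUARD_OK, TRIP_HARD_LIMIT, TRIP_IGNORED_REQUEST } guard_result;
typedef struct {
    double max_current_a, max_voltage_v; /* absolute pack limits */
    double tolerance;                    /* allowed overshoot of the request */
    int max_bad_samples;                 /* consecutive overshoots tolerated */
} guard_cfg;
typedef struct { double requested_a, measured_a, measured_v; } sample;
typedef struct { int bad_run; guard_result latched; } guard_state;

/* One control-loop tick, using the vehicle's own current/voltage sensors. */
guard_result guard_step(const guard_cfg *c, guard_state *st, const sample *s)
{
    if (st->latched != GUARD_OK)
        return st->latched;              /* contactors stay open once tripped */
    if (s->measured_a > c->max_current_a || s->measured_v > c->max_voltage_v)
        return st->latched = TRIP_HARD_LIMIT;    /* trip at once */
    if (s->measured_a > s->requested_a * (1.0 + c->tolerance))
        st->bad_run++;                   /* EVSE delivering more than asked */
    else
        st->bad_run = 0;
    if (st->bad_run >= c->max_bad_samples)
        return st->latched = TRIP_IGNORED_REQUEST;
    return GUARD_OK;
}

/* Replay a trace; returns the index where the contactors open, or -1. */
int guard_run(const guard_cfg *c, const sample *t, size_t n, guard_result *why)
{
    guard_state st = { 0, GUARD_OK };
    *why = GUARD_OK;
    for (size_t i = 0; i < n; i++)
        if ((*why = guard_step(c, &st, &t[i])) != GUARD_OK)
            return (int)i;
    return -1;
}

/* Constructed data: 400 V pack, BMS tapers its request, EVSE keeps 200 A. */
static const guard_cfg CFG = { 250.0, 420.0, 0.05, 3 };
static const sample IGNORED[] = {
    {200, 199, 390}, {150, 200, 395}, {100, 200, 398}, {80, 200, 400} };

int main(void)
{
    guard_result why;
    int at = guard_run(&CFG, IGNORED, 4, &why);
    printf("contactors opened at sample %d, reason %d\n", at, (int)why);
    return 0;
}
```

The decision uses only measurements taken inside the vehicle, so it holds even when nothing the EVSE reports can be trusted.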

When you look at the worst potential outcome it would be that the vehicle has no way to disconnect the power being sent and the batteries take too much too fast, resulting in their temperature increasing significantly and the battery casings swelling until they are forced against each other, before the final cell rupture and inevitable fire. Not appealing by any stretch of the imagination.
A further read on the design of a typical BMS can be found here.