EV CPO Under Siege: A New Attack Exposed the Cybersecurity and Privacy Risks of EV Charging Networks

As the EV revolution accelerates, the spotlight often falls on sustainability, innovation, and range anxiety. However, an underexplored yet critical concern is the cybersecurity of EV charging infrastructure. A recent cyberattack has underscored vulnerabilities related to the backbone of communication between EV chargers and Charge Point Operator (CPO) management systems, exposing not just sensitive consumer data but also the potential for large-scale disruption.

The Recent CPO Attack is a Wake-Up Call for the Entire EV Ecosystem

In mid-November 2024, a prominent threat actor exposed approximately 116,000 records of sensitive data from multiple global CPOs. Initially claimed to be from an American EV OEM charging network, the breach was later found to encompass data from diverse charging stations across the globe, with victims spanning the UAE, Australia, Mexico, Puerto Rico, Guyana, Saudi Arabia, Oman, and India.

The stolen data, published on a notorious deep web hacking forum, included:

• PII: Names, contact details, and addresses of EV owners.
• Vehicle Details: Make and models, VIN numbers, raw keys, and tokens.
• Charging Station Locations: Precise geolocation data, raising physical security risks.
• OCPP: The breach also exposed OCPP logs related to the communication between the CPO and EVSE usage.

Analysis by Upstream’s AutoThreat® research team linked these breaches to multiple CPOs using a common EV charging application developed by an Indian EV energy management provider. While the attackers’ claims centered on an American EV OEM, the exposed data implicated other consumers of major global OEMs.

The leaked PII in this breach, including consumer payment information and vehicle details, significantly heightens the risk of identity theft and financial fraud, underscoring the critical need for enhanced cybersecurity measures across the EV ecosystem.

Is OCPP Data the Next Target?

OCPP is widely regarded as a critical enabler of interoperability across EV charging networks. It facilitates communication between charging stations and central management systems, enabling features like remote management, dynamic pricing, and charging session data collection. However, its widespread adoption also makes it a prime target for cyber threats.

Key vulnerabilities in OCPP include:

1. Lack of Encryption Standards: Insecure OCPP implementations can lead to data interception, enabling attackers to harvest sensitive information.
2. Authentication Gaps: Weak authentication mechanisms may allow unauthorized access to charging stations, paving the way for fraudulent activities or system manipulation.
3. Remote Exploitation Risks: Attackers exploiting OCPP vulnerabilities can potentially disable or disrupt entire networks, impacting thousands of charging stations.

This breach highlights the cascading effects of cyber incidents on the mobility ecosystem:

• Consumer Trust at Risk: Exposure of PII and vehicle details erodes public confidence in EV adoption.
• Regulatory Implications: As data protection laws tighten worldwide, such breaches may invite heavy penalties, affecting CPOs’ bottom lines.

Securing EV Charging Infrastructure: Actions That Can’t Wait

To mitigate these risks, the EV charging industry must adopt a proactive approach to cybersecurity, with a particular focus on OCPP implementations. Key recommendations include:

1. Secure OCPP Protocols:
   • Enforce TLS encryption for all OCPP communications.
   • Implement multi-factor authentication (MFA) for access control.
2. Regular Vulnerability Assessments: Conduct penetration testing and ongoing risk assessments to identify and patch weak points in charging infrastructure.
3. Enhanced Threat Intelligence: Leverage deep and dark web monitoring to track potential breaches or chatter about vulnerabilities. Stay informed about threat actors, who are increasingly targeting the automotive sector.
4. Consumer Awareness: Educate EV owners on cybersecurity risks and best practices, such as securing app credentials and monitoring vehicle activity.
5. Collaboration Across Stakeholders: OEMs, CPOs, and backend system vendors must work together to ensure a unified approach to cybersecurity.

The EV industry stands at a crossroads where innovation meets responsibility. As the shift toward electric mobility gathers pace, securing the digital backbone of EV charging infrastructure is paramount. By addressing vulnerabilities in protocols like OCPP and prioritizing robust cybersecurity measures, stakeholders can not only prevent breaches but also safeguard the trust of millions of EV users worldwide.

The scale and impact of this recent attack serve as a powerful reminder: the future of mobility hinges on robust cybersecurity across all layers of the tech stack.