Last week the House of Representatives passed a measure to effectively ban TikTok in the U.S. to protect Americans’ sensitive personal data from exploitation by the People’s Republic of China on national security grounds. The week before President Biden issued an Executive Order establishing protections for Americans’ sensitive personal data from sale to countries of concern.
But neither of those actions protects Americans’ personal and sensitive information, including geolocation data, financial data, and other personally identifiable information, available from electric vehicle (EV) charging equipment.
Bad actors can use this EV charger data to track Americans, pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services. This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy.
EV chargers are proliferating in response to President Biden’s $7.5 billion in government funding for 500,000 chargers across the country through the National Electric Vehicle Infrastructure program. New laws, and legislation pending in more than 20 states, like Maryland HB 1279, require new construction to install EV charging equipment and otherwise cause parking spaces to be electric vehicle supply equipment capable or ready. Cast in a light most positive to government, this is a rush to respond to climate change, and although EV chargers are prime vectors for data vulnerabilities, there are not yet government or other accepted protections for the data. A darker perspective might be that government is unwittingly building a mass surveillance project with an entirely new network of spying devices across the country (and the world).
In an era when the world’s most valuable resource is no longer oil, companies are collecting more of Americans’ data than ever before, and it is often legally sold and resold through data brokers. The U.S. government is the largest domestic purchaser and reseller of the data. As we have blogged about, Immigration and Customs Enforcement has used address data sold by utility companies to track down undocumented immigrants.
The line between hackers, commercial data brokers, and others is fuzzy when data is sold to or otherwise accessed by countries of concern, or entities controlled by those countries (the largest acquirers of data worldwide are government instrumentalities in China), and data can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments. Hence the recent Executive Order.
These risks are not merely hypothetical. In 2019, New York Times writers were able to combine a single set of bulk location data collected from cell phones and bought and sold by data brokers, which was anonymized and represented “just one slice of data, sourced from one company, focused on one city, covering less than one year” with publicly available information to identify, track, and follow “military officials with security clearances as they drove home at night,” “law enforcement officers as they took their kids to school,” and “lawyers (and their guests) as they traveled from private jets to vacation properties.”
When there is a claim that data is anonymized such that it is stripped of personal identifier information, that is simply ‘silly talk’: reverse engineering is not only almost always possible, but all but easy with modern AI solutions.
This post is about EV chargers, but, appreciating concerns about exploitation of personal car data, we found a gray data broker who sells niche data sets where even tires are a vector for surveillance. The dashboard lights on your car that tell you the tire pressure on your front left tire is 30 psi operate through a wireless signal from a small sensor, and companies have figured out how to use those unique identifier signals to track people. Apparently, the largest purchaser of this data is government (who is using it to track Americans without a warrant?). A data aggregator who is said to be doing work for Ukraine after the Russian invasion sells a portable system that detects war zone tire pressure signals.
But that is not what keeps me up at night. The nightmare may be an EV charger data apocalypse.
The Office of the Director of National Intelligence has made clear that “[o]ur adversaries increasingly view data as a strategic resource.”
Many EV charger users have considered that a bad actor could gain access through a homeowner’s EV charger-connected Wi-Fi network, through the smartphone apps used to control charging, or simply through the charger as a smart device connected to the internet, and could also access the credit card information provided at a commercial EV charger, not to mention the vulnerability to transferable malware infections. But armed with EV charger data, could hackers switch on or off an EV battery, or thousands of EV batteries at one time?
In the movie Leave the World Behind, produced by Barack and Michelle Obama, hackers attack the U.S., including through thousands of hijacked Teslas that pile up on roadways.
That was fiction, and real-world damaging hacks that we know about have been relatively few, but a week following Russia’s invasion of Ukraine, a private Russian power company’s EV charging stations outside of Moscow were hacked and disabled, with the attackers displaying anti-Putin video messages. This was in the same timeframe that the UK’s Isle of Wight saw pornography flash on the screens of EV chargers at public car parks.
In 2019, a now widely read study published by an NYU Tandon School of Engineering professor described “cybersecurity risks to the grid where multiple high-wattage charging stations could be used in tandem to launch an attack and potentially cause a blackout.” His analysis had fewer than 1,000 EV charging vehicles taking down the Manhattan power grid. The study establishes that while such an attack was not possible at the 2019 penetration level of EV chargers, it would be practical in the near future once the number of EV chargers proliferates.
Today there are no widely implemented cyber security standards for EV chargers, and the UK is one of very few countries with any legal requirements in place; it mandates credential authentication, data encryption, and information deletion options. Service providers must also provide regular software updates. Note that there is a U.S. Federal Highway Administration rule setting minimum standards and requirements for EV chargers funded under the National Electric Vehicle Infrastructure program, but that rule expressly excludes cyber security provisions out of concern that such provisions might slow installations. I don’t think this is some secret coterie of tech companies and governments to weaponize EV chargers, but it is malfeasance at a huge scale and the transgressions will certainly do more harm than good.
And I do not lose sleep over a possible EV charger cyber apocalypse any more than a climate change apocalypse.
I am told the best thing you can do is regularly update the software in your EV charger and associated phone app. Personally, I drive a gasoline powered car.