A cybersecurity risk assessment of electric vehicle mobile applications: findings and recommendations
Zia Muhammad, Zahid Anwar, Bilal Saleem
Abstract
Electric vehicles (EVs) are becoming increasingly prevalent, with many manufacturers and third-party developers creating mobile applications to manage and monitor their use. The security of these applications is critical, as they handle sensitive information such as vehicle location, statistics, and personally identifiable information (PII) stored in the mobile device. This research conducts a cybersecurity risk assessment of several popular applications developed by (1) EV manufacturers including Tesla, Mercedes, BMW, Nissan, and Volkswagen and (2) third-party developers such as EVConnect, EVgo, Plugshare, ChargeHub, and EV-Energy. Our findings reveal a range of security vulnerabilities, including insecure communication, lack of encryption for data transmission, and insecure data storage. The list of mobile permissions acquired by these applications and the potential consequences of a security breach are also discussed. Moreover, the article highlights additional features provided by third parties that are not available in applications developed by EV manufacturers and attract users into installing the same. Finally, safeguards and defensive controls are proposed for hardening these applications to prevent security incidents.