Electric Vehicle Cybersecurity: Risks, Real Incidents, and How to Protect the Ecosystem
Worried about cyber threats to your electric vehicle? Gain knowledge on potential risks and protective measures for your EV at Finite State's blog.

Larry Pesce
VP of Services
TL;DR: Electric vehicle cybersecurity covers far more than the car. The vehicle, its charging station, the mobile app, and the cloud behind them are all connected computers, and attackers have already exploited each one. The most reliable defense starts with visibility: knowing every software component that ships in the vehicle and the charger, then fixing what is actually exploitable.
Electric vehicles are no longer a niche. Global electric car sales grew about 20% in 2025 to top 20 million, and electric cars reached a 25% share of the world car market, according to the IEA. That growth brings a quieter change with it. An EV is a computer on wheels, and it plugs into another computer, the charger, which connects to a network and the power grid. Every one of those links is useful, and every one is a potential way in. This is what electric vehicle cybersecurity has to account for.
What are the cybersecurity risks in electric vehicles?
EV cybersecurity risks span the whole ecosystem: the vehicle's software, its charging station, the mobile app, and the cloud backend behind them.
The car itself runs on dozens of electronic control units and millions of lines of code, much of it open-source or supplied by third parties. The charger is a networked device in its own right. The app and cloud tie them together and hold driver data and remote commands. An attacker does not need to break the car directly. They can come through the weakest link in that chain, which is often a component nobody thought to secure. For the wider picture of how this plays out across connected vehicles, the same supply-chain logic applies to EVs with extra surfaces bolted on.
What are the most common cybersecurity threats and vulnerabilities in electric vehicles?
The most common EV vulnerabilities are insecure third-party apps, weak authentication, unsigned firmware updates, and unpatched open-source components in the vehicle and its charger.
These are not exotic. They are the same classes of software bug that plague any connected product, which is exactly why they keep getting exploited. Here is how the risk breaks down by attack surface.
| Attack surface | Example threat | Potential impact |
|---|---|---|
| Vehicle software and ECUs | Insecure app or API, unsigned OTA update | Unlock doors, track location, disable features |
| Charging station (EVSE) | Firmware bug, weak OCPP link, open Bluetooth or Wi-Fi | Disrupt charging, pivot to the network, damage hardware |
| Mobile app and cloud backend | Stolen tokens, weak authentication | Remote access to vehicle commands and driver data |
| Power grid connection | Coordinated switching across many chargers | Local instability, in extreme cases grid stress |
The pattern is clear: the vehicle is only one piece. Securing an EV means securing the charger and the backend too, a point we develop in SBOMs' integral role in connected automotive cybersecurity.
How do hackers access electric vehicle charging stations?
Hackers reach charging stations through their network links and firmware: weak OCPP connections, exposed Bluetooth or Wi-Fi, and unpatched bugs that allow remote code execution.
A charging station is an embedded Linux computer that talks to a management system over the Open Charge Point Protocol (OCPP) and, increasingly, to the vehicle over ISO 15118. Each of those channels is a target. At Pwn2Own Automotive 2024, researchers found 29 vulnerabilities across EV charging products, about half of which allowed remote code execution. One team executed code on a home charger over Bluetooth from nothing more than being in range. Once an attacker controls a charger, they can disrupt charging, reach the network behind it, or, at scale, put stress on the local grid.
How secure are electric cars against remote hacking, and what real-world incidents exist?
Electric cars can be remotely compromised, though full driving control is rare. Documented cases include a 2022 hack of 25 Teslas and EV charger exploits.
The good news is that steering, braking, and acceleration are hard to reach remotely and are usually well isolated. The rest of the vehicle is more exposed than owners expect. These incidents are real and public.
| Incident | When | What happened | Takeaway |
|---|---|---|---|
| 25 Teslas via TeslaMate | 2022 | A researcher exploited a third-party app to unlock, honk, and track 25 cars in 13 countries; no steering or braking access | Third-party software is part of your attack surface |
| Pwn2Own Automotive (EV chargers) | 2024 | Researchers found 29 vulnerabilities in EV charging products, about half enabling remote code execution | Chargers are connected computers with classic software bugs |
| EVerest charging firmware (CVE-2024-37310) | 2024 | A heap overflow in an open-source EV charging stack allowed arbitrary code execution | Open-source components need the same scrutiny as your own code |
| Public charger defacement | 2022 | Chargers were reportedly manipulated to display unauthorized content | Even minor tampering signals weak access control |
The 2022 Tesla case is the one worth sitting with. The 19-year-old researcher did not break Tesla's own software. He exploited a flaw in TeslaMate, a third-party data-logging app that owners had connected to their cars. That is the core lesson of EV security: your exposure includes code you did not write and may not even know is there.
What are the cybersecurity risks specific to battery electric vehicles (BEVs)?
Battery electric vehicles add two risks beyond a connected car: the battery management system that controls the pack, and the charging link to outside infrastructure.
The battery management system (BMS) governs charging rates, thermal limits, and cell balancing. Tampering with it is a safety problem, not just a data one. And because a BEV has to connect to external charging equipment to refuel, it has a recurring, physical link to infrastructure the manufacturer does not own or control. Both of these are unique to electric vehicle security and both depend on firmware that should be inventoried and monitored.
How does ISO/SAE 21434 apply to EV cybersecurity?
ISO/SAE 21434 applies to EVs like any vehicle: it requires threat analysis and cybersecurity engineering across the entire lifecycle, including EV-specific systems.
ISO/SAE 21434 sets the engineering workflow for automotive cybersecurity, centered on Threat Analysis and Risk Assessment (TARA), and it is the standard that satisfies UN Regulation No. 155 type approval. For EVs, that scope has to cover the BMS, the charging interface, and the vehicle-to-grid communication path, not just the infotainment and telematics. We cover the mechanics in our automotive cybersecurity standards primer, our post on how Finite State helps with ISO 21434, and our look at UN R155.
What does EV cybersecurity mean for fleet managers?
For fleet managers, EV cybersecurity means securing many vehicles and shared chargers together, so one compromised charger or app cannot cascade across the fleet.
A fleet concentrates risk. Depots run banks of chargers on shared networks, vehicles run identical software, and a single management platform often controls the lot. That efficiency is also a blast radius: one vulnerable charger firmware or one leaked API key can affect every vehicle at once. Practical steps for fleets are to demand a software inventory from every vehicle and charger supplier, segment the charging network from other systems, and track which components carry known vulnerabilities. Our auto-sector supply chain transparency guide lays out how to make those supplier demands concrete.
What is the future of EV security and autonomous driving?
As EVs gain autonomy, cybersecurity becomes a safety issue: a compromised perception or driving system can cause physical harm, not just data loss.
Most EVs already ship with advanced driver assistance, and more autonomy is coming. The higher the level of automation, the less a human can catch and correct a manipulated system, so a cyberattack on perception or decision-making moves from nuisance to hazard. That raises the bar: security can no longer be a feature added late, it has to be engineered in and proven. We look further ahead in what's next for automotive cybersecurity.
How can EV cybersecurity be improved?
Improve EV cybersecurity by starting with visibility: build a ground-truth SBOM of every component in the vehicle and charger, then fix what is actually reachable.
Open the hood of any EV and you find an ecosystem of components from brands you recognize and plenty you do not. You cannot measure any one supplier's commitment to security by looking at the outside, and you cannot secure, patch, or attest to code you cannot see. A software bill of materials (SBOM) built from the shipped firmware closes that gap. It turns an unknown mix of third-party and open-source code into an inventory you can act on, linked to real vulnerability data. Reachability analysis then cuts the noise, so your team fixes the flaws that are genuinely exploitable in that architecture instead of chasing every CVE. Accepting a connected product at face value is no longer an option, and that discipline has to extend to your suppliers, as we explain in getting value from supplier SBOMs.
How Finite State supports electric vehicle cybersecurity
At Finite State, we work from the shipped reality of the EV and its charger. We build a ground-truth inventory of firmware, binaries, and supplier SBOMs across the vehicle and charging equipment, including the components nobody documented. We use reachability and exploit context to focus your team on real exposure, then generate audit-ready evidence mapped to ISO 21434 and UN R155. One evidence base, grounded in what you ship, instead of a separate scramble for each device and each standard.
Electric vehicle cybersecurity is not a one-time test. It is a continuous workflow: see what you ship, verify it, prove it. To see how that works for your vehicles and chargers, read the automotive compliance and security management datasheet or request a demo.

Larry Pesce
VP of Services
Larry Pesce is a lifelong hacker, educator, and leader in embedded and connected device security. As the Vice President of Services, Larry drives strategic security initiatives across the software supply chain, helping product teams build resilient devices from the ground up. With over 15 years of hands-on penetration testing experience spanning IoT, healthcare, ICS/OT, and wireless technologies, he combines deep technical knowledge with real-world expertise. Larry is also a renowned SANS instructor and co-host of the long-running Paul’s Security Weekly podcast, shaping the next generation of security professionals.