America’s public and private electric vehicle charging stations are susceptible to cyberthreats because they don’t meet the latest security standards.

Most of the hundreds of thousands of public and home chargers use older technology that leaves them vulnerable to security breaches, according to Jim Alfred, vice president of Canada’s BlackBerry Technology Solutions.

That means these chargers are vulnerable to so-called man-in-the-middle attacks, where a hacker penetrates the digital communication used by an application to steal a login or financial data, experts told Automotive News.

Recent documented hacks of EV charging stations have been relatively low stakes. Hackers put pro-Ukraine messages disparaging Russian President Vladimir Putin on EV charger screens in Russia last year. On the Isle of Wight in England, hackers took over three charging stations to show pornography on the screens.

Concerns about the security of EV charging stations are rising as the U.S. builds out a charging infrastructure that accommodates the Biden administration’s goal of EVs making up 50 percent of all cars and light trucks sold in the country by 2030. Already, there are more than 2 million EVs on U.S. roads, according to S&P Global Mobility registration data for the last decade.

Nicholas Abi-Samra, a professor of engineering at the University of California, San Diego, said the U.S. should have a national master plan and road map to make EV charging infrastructure more immune to cyberthreats. The patchwork system of state and municipal regulatory bodies with nonstandardized regulations and protocols make EV charging security more difficult.

“This plan should include strategies for public-private partnerships, funding, incentives and regulations that promote the deployment of secure EV charging infrastructure,” Abi-Samra said.

The U.S. also needs to start conducting a security assessment of existing EV charging infrastructure to identify vulnerabilities and potential threats, he added. That would identify areas that need improvement and set a baseline for future security measures.

EV charging systems now operate off the same web infrastructure behind most consumer mobile applications, said Jason Kent, a “hacker in residence” at Cequence Security, a cybersecurity firm in Sunnyvale, Calif. That’s eventually going to be a problem in a world where half the cars on the road are EVs, he said.

Skilled and determined hackers now have the ability to take large amounts of valuable data from EV charging station sites or remotely, Kent said.

“The biggest problem we see in [application programming interface] security is the authentication problem,” he said.

There is also a relative lack of physical security for many charging station sites. Charging stations need cameras, tracing systems and other measures to make sure business operations are not disrupted, Kent said.

He described how he recently drove by a charging station near his home and turned it off.

“That kind of problem is going to be one of the bigger ones,” Kent said.

Consumers express concern about the security of their data when plugging into public chargers, but they haven’t really questioned the security of their home chargers, Alfred said. Many have old chargers vulnerable to cyberattacks.

While there is risk with home chargers, it is less risk than with public stations, Kent said.

“Residential chargers are simply an extension cord and a control box that says how much the car is charged,” he said.

Home chargers could provide entry into an owner’s Wi-Fi network. But commercial units have to access payment information, and that presents more risk to the consumer, Kent said.

Without better security, the proliferation of EV charging infrastructure in municipalities — which rely on third-party billing services for charging — will create more hacking opportunities, he said. Hackers who own an EV will charge it up and figure out how to bill it to others.

“I think that theft of power from these locations is going to be a battle that will need to be fought,” Kent said.

Legacy automakers could have the most trouble with hacking because they aren’t as nimble as startups and tend to rely on third parties, Kent added.

“There’s complexities with having lots of third parties and lots of different things plugged together,” he said. “The more complexity, the more breaches.”

Security protocols for commercial and home EV charging will improve, Alfred said.

The U.S. Department of Transportation’s Federal Highway Administration released minimum security standards and requirements for EV charging projects funded under the National Electric Vehicle Infrastructure Formula Program earlier this month.

The new standards will allow for universal EV charging with better cryptographic protocols that authenticate all parties involved in the transaction, Alfred said.

Hannah Lutz contributed to this report.