Can Your Electric Vehicle Be Hacked? The Cyber Risk Rolling Into Driveways

In partnership with

👋 Welcome to Unlocked

Electric vehicles are often marketed as cleaner, quieter, smarter machines.

But they’re also something else: computers on wheels.

And as vehicles become more connected — to apps, cloud services, chargers, cellular networks, Wi-Fi, and even other cars — the question isn’t just “Is my EV safe to drive?”

It’s also: Can my EV be hacked? And if so… what does that actually mean?

This week, we’re breaking down how EV hacking works, what attackers could realistically do, and what drivers + security teams should watch next.

🚗 First: What “EV Hacking” Actually Means

When people hear “hacked car,” they imagine a movie scene where someone takes over steering from a laptop.

That’s possible in theory, but the real-world risk is usually more practical:

• stealing access through the mobile app
• exploiting telematics (vehicle-to-cloud connectivity)
• abusing Bluetooth / keyless entry
• tampering with charging infrastructure
• targeting the supply chain (vendor software, fleet tools, diagnostics)

In other words: EV hacking often starts like most cyberattacks do…through identity, connectivity, and convenience features.

And because modern vehicles are increasingly software-defined, the U.S. government has been pushing more structured guidance on vehicle cybersecurity for years — including NHTSA’s recommended best practices for modern vehicles.

🧠 Why EVs Are Becoming a Bigger Cybersecurity Target

EVs aren’t just vehicles — they’re ecosystems:

They have apps

Remote lock/unlock, location tracking, climate control, driver profiles, payment, and account recovery flows.

That’s important because once a vehicle is “app-controlled,” cybersecurity becomes an identity problem — and identity is where many breaches start.

They have networks

Wi-Fi, Bluetooth, cellular, GPS, and internal vehicle networks connecting dozens of modules.

They have update pipelines

Modern vehicles receive over-the-air (OTA) updates like smartphones — which introduces the same trust question every enterprise faces: How do you ensure updates are authentic, verified, and safe?

If you’re thinking in frameworks, this maps cleanly to the “Protect / Detect / Respond / Recover” approach in the NIST Cybersecurity Framework.

They have charging relationships

Home chargers, public chargers, payment accounts, fleet charging, and energy providers.

As EV adoption grows, so does the incentive to attack them.

🔓 What Attackers Could Actually Do (Realistic Scenarios)

Here are the most likely “impact paths” if an EV ecosystem is compromised:

1) Account takeover → remote access

If someone takes over your EV account (via password reuse, phishing, or SIM swap), they may gain access to:

• vehicle location
• unlock controls
• driver identity info
• stored payment methods
• connected services

This is why vehicle security is increasingly treated as a blend of consumer safety + cyber risk — the exact area where NHTSA vehicle cybersecurity guidance becomes relevant even outside the automotive industry.

2) Privacy exposure → stalking risk

A connected vehicle can reveal:

• where you live
• where you work
• where you drive routinely
• when you’re away

Even without “car control,” location data is power.

This is one reason transportation and mobility systems are increasingly discussed in the same breath as critical infrastructure protection — especially when disruptions could scale beyond a single user. CISA tracks transportation as part of the Transportation Systems Sector.

3) Fleet compromise → operational disruption

For organizations using EVs (delivery, service teams, government, campuses), EV cyber risk becomes:

• downtime
• routing disruption
• lost productivity
• sensitive location exposure
• incident response complexity

Fleet systems are often managed like SaaS platforms — meaning one admin compromise can impact many vehicles.

If you’ve ever tried to explain this to leadership, it helps to anchor it in an established framework like the NIST CSF to translate technical risk into business impact.

4) Charging attacks → financial fraud + disruption

Public charging introduces:

• payment fraud risks
• charger tampering
• fake QR codes / phishing
• account drain attacks
• denial-of-service style disruption

In many cases, attackers don’t need to “hack the car” — they just need to hack the charging experience.

This is where EV security starts looking a lot like traditional critical infrastructure security — and why agencies like CISA treat transport-adjacent systems as part of a larger resilience picture.

🔌 The Overlooked Risk: EV Charging Is Now Critical Infrastructure

EV charging networks are rapidly becoming part of daily life — and that makes them a high-value target.

Security researchers and government agencies have warned for years that infrastructure systems (energy, transport, utilities) are increasingly targeted.

EVs and chargers sit right at that intersection:

transportation + energy + identity + payments.

If you want the “big picture” lens, ENISA has published work on the cybersecurity landscape for the automotive sector, including ecosystem risks and evolving threat models.

🧩 How EV Hacks Happen (The Attack Surface Map)

Think of EV cyber risk in layers:

Most real-world incidents start at Layer 1 or 2 — not inside the vehicle itself.

That’s why many EV security discussions keep circling back to identity, governance, and risk management — the same core concepts baked into the NIST Cybersecurity Framework.

🛡️ What Security Teams Should Watch For Next

Even if you’re not “in automotive security,” EV hacking is a preview of where all cybersecurity is going:

1) Cyber becomes physical

Digital compromise can create real-world safety or disruption outcomes — a key theme in transportation resilience planning, including how CISA frames sector-level risk.

2) Identity becomes the control plane

Access to the app often matters more than access to the car.

3) Convenience creates new recovery weaknesses

The easiest reset flow becomes the easiest breach.

4) Software supply chain expands

Vehicles now rely on massive vendor ecosystems, updates, and embedded software — a topic that ENISA consistently highlights in its automotive cybersecurity work.

💡 Unlocked Tip of the Week

Turn Your EV App Into a “High-Security Account”

Most people protect their banking apps better than their vehicle app.

That’s backwards now.

This week, do a 5-minute hardening pass:

• Change your EV app password (make it unique)
• Enable MFA if the app supports it
• Check logged-in devices / sessions and remove anything unfamiliar
• Lock down your email account (because password resets start there)
• Avoid QR-code payments at chargers unless you trust the source
• Disable Bluetooth unlock if you don’t actively need it

The goal is simple: make account takeover harder than it’s worth.

If your organization wants a structured way to think about these controls (even for non-traditional endpoints), mapping them to the NIST Cyberframework is a surprisingly effective way to communicate risk and maturity.

📊 Poll of the Week

🔥 Final Takeaway

EVs aren’t “unsafe.”

But they are becoming more hackable by default — because they’re connected, software-driven, and built for convenience.

The future of cybersecurity isn’t just protecting laptops and servers.

It’s protecting:
devices, identities, and systems that move through the real world.

And that future is already parked outside.

Stay ready. Stay resilient.

Until next time,

The Everykey Team

Check out last week’s edition of Unlocked

🙋 Author Spotlight

Meet Nick Marsteller - Head of Content

With a background in content management for tech companies and startups, Nick Marsteller brings creativity and focus to his role as the Head of Content at Everykey.

Over his career, Nick has supported organizations ranging from early-stage startups to global technology providers, driving initiatives across digital content and branding. With a background spanning SaaS, cybersecurity, and entrepreneurial ventures.

Outside of work, Nick loves to travel, attend concerts with friends, and spend time with family and his two cats, Ducky and Daisy.

About Our Sponsor

Introducing the first AI-native CRM

Connect your email, and you’ll instantly get a CRM with enriched customer insights and a platform that grows with your business.

With AI at the core, Attio lets you:

• Prospect and route leads with research agents
• Get real-time insights during customer calls
• Build powerful automations for your complex workflows

Join industry leaders like Granola, Taskrabbit, Flatfile and more.

👉 Try Attio Pro for free