In partnership with
π Welcome to Unlocked
Electric vehicles are often marketed as cleaner, quieter, smarter machines.
But theyβre also something else: computers on wheels.
And as vehicles become more connected β to apps, cloud services, chargers, cellular networks, Wi-Fi, and even other cars β the question isnβt just βIs my EV safe to drive?β
Itβs also: Can my EV be hacked? And if soβ¦ what does that actually mean?
This week, weβre breaking down how EV hacking works, what attackers could realistically do, and what drivers + security teams should watch next.
π First: What βEV Hackingβ Actually Means
When people hear βhacked car,β they imagine a movie scene where someone takes over steering from a laptop.
Thatβs possible in theory, but the real-world risk is usually more practical:
stealing access through the mobile app
exploiting telematics (vehicle-to-cloud connectivity)
abusing Bluetooth / keyless entry
tampering with charging infrastructure
targeting the supply chain (vendor software, fleet tools, diagnostics)
In other words: EV hacking often starts like most cyberattacks doβ¦through identity, connectivity, and convenience features.
And because modern vehicles are increasingly software-defined, the U.S. government has been pushing more structured guidance on vehicle cybersecurity for years β including NHTSAβs recommended best practices for modern vehicles.
π§ Why EVs Are Becoming a Bigger Cybersecurity Target
EVs arenβt just vehicles β theyβre ecosystems:
They have apps
Remote lock/unlock, location tracking, climate control, driver profiles, payment, and account recovery flows.
Thatβs important because once a vehicle is βapp-controlled,β cybersecurity becomes an identity problem β and identity is where many breaches start.
They have networks
Wi-Fi, Bluetooth, cellular, GPS, and internal vehicle networks connecting dozens of modules.
They have update pipelines
Modern vehicles receive over-the-air (OTA) updates like smartphones β which introduces the same trust question every enterprise faces: How do you ensure updates are authentic, verified, and safe?
If youβre thinking in frameworks, this maps cleanly to the βProtect / Detect / Respond / Recoverβ approach in the NIST Cybersecurity Framework.
They have charging relationships
Home chargers, public chargers, payment accounts, fleet charging, and energy providers.
As EV adoption grows, so does the incentive to attack them.
π What Attackers Could Actually Do (Realistic Scenarios)
Here are the most likely βimpact pathsβ if an EV ecosystem is compromised:
1) Account takeover β remote access
If someone takes over your EV account (via password reuse, phishing, or SIM swap), they may gain access to:
vehicle location
unlock controls
driver identity info
stored payment methods
connected services
This is why vehicle security is increasingly treated as a blend of consumer safety + cyber risk β the exact area where NHTSA vehicle cybersecurity guidance becomes relevant even outside the automotive industry.
2) Privacy exposure β stalking risk
A connected vehicle can reveal:
where you live
where you work
where you drive routinely
when youβre away
Even without βcar control,β location data is power.
This is one reason transportation and mobility systems are increasingly discussed in the same breath as critical infrastructure protection β especially when disruptions could scale beyond a single user. CISA tracks transportation as part of the Transportation Systems Sector.
3) Fleet compromise β operational disruption
For organizations using EVs (delivery, service teams, government, campuses), EV cyber risk becomes:
downtime
routing disruption
lost productivity
sensitive location exposure
incident response complexity
Fleet systems are often managed like SaaS platforms β meaning one admin compromise can impact many vehicles.
If youβve ever tried to explain this to leadership, it helps to anchor it in an established framework like the NIST CSF to translate technical risk into business impact.
4) Charging attacks β financial fraud + disruption
Public charging introduces:
payment fraud risks
charger tampering
fake QR codes / phishing
account drain attacks
denial-of-service style disruption
In many cases, attackers donβt need to βhack the carβ β they just need to hack the charging experience.
This is where EV security starts looking a lot like traditional critical infrastructure security β and why agencies like CISA treat transport-adjacent systems as part of a larger resilience picture.
π The Overlooked Risk: EV Charging Is Now Critical Infrastructure
EV charging networks are rapidly becoming part of daily life β and that makes them a high-value target.
Security researchers and government agencies have warned for years that infrastructure systems (energy, transport, utilities) are increasingly targeted.
EVs and chargers sit right at that intersection:
transportation + energy + identity + payments.
If you want the βbig pictureβ lens, ENISA has published work on the cybersecurity landscape for the automotive sector, including ecosystem risks and evolving threat models.
𧩠How EV Hacks Happen (The Attack Surface Map)
Think of EV cyber risk in layers:
Most real-world incidents start at Layer 1 or 2 β not inside the vehicle itself.
Thatβs why many EV security discussions keep circling back to identity, governance, and risk management β the same core concepts baked into the NIST Cybersecurity Framework.
π‘οΈ What Security Teams Should Watch For Next
Even if youβre not βin automotive security,β EV hacking is a preview of where all cybersecurity is going:
1) Cyber becomes physical
Digital compromise can create real-world safety or disruption outcomes β a key theme in transportation resilience planning, including how CISA frames sector-level risk.
2) Identity becomes the control plane
Access to the app often matters more than access to the car.
3) Convenience creates new recovery weaknesses
The easiest reset flow becomes the easiest breach.
4) Software supply chain expands
Vehicles now rely on massive vendor ecosystems, updates, and embedded software β a topic that ENISA consistently highlights in its automotive cybersecurity work.
π‘ Unlocked Tip of the Week
Turn Your EV App Into a βHigh-Security Accountβ
Most people protect their banking apps better than their vehicle app.
Thatβs backwards now.
This week, do a 5-minute hardening pass:
Change your EV app password (make it unique)
Enable MFA if the app supports it
Check logged-in devices / sessions and remove anything unfamiliar
Lock down your email account (because password resets start there)
Avoid QR-code payments at chargers unless you trust the source
Disable Bluetooth unlock if you donβt actively need it
The goal is simple: make account takeover harder than itβs worth.
If your organization wants a structured way to think about these controls (even for non-traditional endpoints), mapping them to the NIST Cyberframework is a surprisingly effective way to communicate risk and maturity.
π Poll of the Week
What worries you most about EV hacking?
π₯ Final Takeaway
EVs arenβt βunsafe.β
But they are becoming more hackable by default β because theyβre connected, software-driven, and built for convenience.
The future of cybersecurity isnβt just protecting laptops and servers.
Itβs protecting:
devices, identities, and systems that move through the real world.
And that future is already parked outside.
Stay ready. Stay resilient.
Until next time,
Meet Nick Marsteller - Head of Content
With a background in content management for tech companies and startups, Nick Marsteller brings creativity and focus to his role as the Head of Content at Everykey.
Over his career, Nick has supported organizations ranging from early-stage startups to global technology providers, driving initiatives across digital content and branding. With a background spanning SaaS, cybersecurity, and entrepreneurial ventures.
Outside of work, Nick loves to travel, attend concerts with friends, and spend time with family and his two cats, Ducky and Daisy.
About Our Sponsor
Introducing the first AI-native CRM
Connect your email, and youβll instantly get a CRM with enriched customer insights and a platform that grows with your business.
With AI at the core, Attio lets you:
Prospect and route leads with research agents
Get real-time insights during customer calls
Build powerful automations for your complex workflows
Join industry leaders like Granola, Taskrabbit, Flatfile and more.