EV Charging Under Attack: New Vulnerabilities Threaten Vehicles & Grids
As electric vehicles steadily weave themselves into the fabric of everyday life, the essential infrastructure that powers them—charging stations—faces a mounting and deeply concerning threat. A study by security researcher Brandon Perry reveals that the digital communication channel between a vehicle and its charging module may serve as an exploitable entry point for cyberattacks. And this is not limited to isolated incidents—the threat extends across entire charging networks.
The moment a charging cable connects the car to the power source, a silent dialogue begins: devices exchange technical information, assign IP addresses, and initiate identification protocols. All of this occurs via Powerline Communication (PLC), the same technology used in adapters that transmit internet through electrical wiring.
This architecture renders the channel particularly vulnerable. Perry demonstrated that it is susceptible to man-in-the-middle attacks, where transmitted data packets can be intercepted or altered. Using a Linux-based test configuration, he connected to a Tesla and began monitoring the communication during the initialization phase.
These data exchanges include values such as EVCCID and EVSEID—unique identifiers for the vehicle and charging station—along with charge levels and other technical parameters. These identifiers, including the MAC address, are essential for enabling the Plug & Charge feature. If an attacker forges these values, they could impersonate another vehicle and initiate charging at someone else’s expense.
Perry pushed his exploration further by crafting deliberately malformed packets to test the robustness of the software. In certain cases, this caused system crashes, paving the way for denial-of-service scenarios or even the injection of malicious code.
The situation becomes even more precarious when physical access is considered. In many cases, charging ports can be manually opened without any form of digital authentication. Astonishingly, this often fails to trigger alarms. Diagnostic tools are widely available and inexpensive, making them easily accessible to bad actors.
Another critical vulnerability lies in SSH access via the charging cable. Some vehicle models keep the service running after the cable is connected, continuing to listen on the control port and accept commands. This connection can be initiated directly through the cable—no local network required.
Experiments revealed that in some instances, charging stations indeed leave their SSH ports open to any IP address. Compounding this issue is the widespread use of default factory login credentials, reducing the act of breaching a system to little more than a patience test rather than a sophisticated hack.
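The two conditions this section describes, an SSH service reachable from any address and password logins that still accept factory defaults, are both visible in an `sshd_config`. The following Python audit is an added example written for this article, not code from the researcher or from any charging-station vendor; the two configuration texts are constructed samples, and the directive defaults it assumes are OpenSSH's documented defaults (all addresses, `PasswordAuthentication yes`, `PermitRootLogin prohibit-password`). It shows the exposed configuration beside a hardened one and reports why the first would be reachable and guessable.

```python
"""Audit an sshd_config for the exposure pattern described above: a control
port listening on every address and password logins that accept factory
defaults. Added example, not from the article; sample configs are constructed."""
import re

WEAK_CONFIG = """\
# constructed sample: a charger controller's sshd_config as shipped
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

HARDENED_CONFIG = """\
# constructed sample: the same host after hardening
Port 22
ListenAddress 127.0.0.1
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {directive_lower: value}. sshd honours the first occurrence of a
    directive, so the first one wins here too. Match blocks are not modelled."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        config.setdefault(key, value)
    return config


def _listen_host(listen):
    """Strip an optional :port suffix from a ListenAddress value."""
    if listen.startswith("[") and "]:" in listen:
        return listen[1:listen.index("]")]
    if listen.count(":") == 1:  # IPv4 with port; bare IPv6 has more colons
        return listen.split(":")[0]
    return listen


def audit_sshd_config(text):
    """Return a list of findings; an empty list means none of the checked
    exposure conditions is present."""
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH default when ListenAddress is absent: listen on all addresses.
    host = _listen_host(cfg.get("listenaddress", "0.0.0.0"))
    if host in ("0.0.0.0", "::", "[::]"):
        findings.append("listens on all addresses: reachable from any IP")
    # OpenSSH default: PasswordAuthentication yes.
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("password logins enabled: factory credentials usable")
    if cfg.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("empty passwords accepted")
    # OpenSSH default: PermitRootLogin prohibit-password.
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("root login with password permitted")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "no findings")
```

Pointing the auditor at a real file is a matter of `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; binding the service to a management interface and disabling password logins removes the two conditions the article's experiments relied on, and rotating the factory credentials closes the remaining one.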
Equally at risk are the backend management platforms—so-called Charging Station Management Systems (CSMS)—that oversee the operation of public charging networks. These platforms handle tasks such as vehicle authentication, energy accounting, firmware updates, and transaction processing. Perry tested two such systems: StEVe CSMS and CitrineOS. Both failed under the pressure of specially crafted requests, resulting in frozen interfaces and a complete loss of operational control.
Most troubling of all, the logs recorded only benign-looking local IP addresses, making these intrusion attempts indistinguishable from routine internal activity. This significantly hinders incident detection and complicates forensic investigations.
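Because the sources in those logs looked like ordinary internal hosts, a detection rule that trusts private address ranges would have missed the bursts of malformed requests that froze the two management systems. The following Python detector is an added example written for this article, not code from StEVe, CitrineOS or the researcher; the log format and the log lines are constructed, and the request names in them are placeholders. It counts error-status requests per source within a sliding window and labels, rather than exempts, private sources.

```python
"""Flag bursts of malformed requests at a charging-station management
system even when the source is a local address. Added example, not from the
article or the systems it names; log format and lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: ISO timestamp, source address, status, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) status=(?P<status>\w+) msg=(?P<msg>.*)$"
)

SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 status=ok msg=BootNotification
2024-05-01T10:00:02Z src=10.0.0.5 status=ok msg=Heartbeat
2024-05-01T10:00:03Z src=192.168.1.40 status=error msg=malformed request
2024-05-01T10:00:04Z src=192.168.1.40 status=error msg=malformed request
2024-05-01T10:00:05Z src=192.168.1.40 status=error msg=malformed request
2024-05-01T10:00:06Z src=10.0.0.5 status=ok msg=StatusNotification
2024-05-01T10:00:07Z src=192.168.1.40 status=error msg=malformed request
2024-05-01T10:00:08Z src=192.168.1.40 status=error msg=malformed request
2024-05-01T10:05:00Z src=10.0.0.7 status=error msg=malformed request
2024-05-01T10:09:00Z src=10.0.0.7 status=error msg=malformed request
"""


def parse_log(text):
    """Return a list of (timestamp, src, status, msg) tuples, skipping lines
    that do not fit the constructed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append((ts, m["src"], m["status"], m["msg"]))
    return events


def detect_malformed_bursts(text, threshold=5, window_seconds=60):
    """Return one alert per source that produced at least `threshold`
    error-status requests inside any `window_seconds` span. Private sources
    are labelled "private" but never exempted: a local-looking address is
    exactly what the article says the intrusions hid behind."""
    per_src = defaultdict(list)
    for ts, src, status, _msg in parse_log(text):
        if status == "error":
            per_src[src].append(ts)

    alerts = []
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits in window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                scope = "private" if ipaddress.ip_address(src).is_private else "public"
                alerts.append({"src": src, "count": end - start + 1, "scope": scope})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_malformed_bursts(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, 192.168.1.40 produces five malformed requests in five seconds and is reported as a private-scope burst, while 10.0.0.7 sends two errors four minutes apart and stays below the threshold. Recording the charge-point identity alongside the source address, and the interface the request arrived on, would give an investigator the attribution that a bare local IP cannot.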
The implications of such vulnerabilities range from petty electricity theft in parking lots to the disruption of entire urban energy grids. A sufficiently skilled attacker could manipulate system controls, distort resource allocation, or even disable critical vehicle functions—posing a tangible threat to human safety.
And this is merely one example of the sweeping risks posed by our increasingly exposed IoT infrastructure, which is fast becoming a prime target for cyber adversaries.