Plugging an electric vehicle (EV) into a public charger may seem harmless. However, new research reveals that this simple action could expose drivers to sophisticated cyberattacks. Hackers can exploit the data link between the vehicle and charger to steal information, manipulate charging sessions, or even shut down entire charging networks. As the number of EVs on the road grows, so does the urgency of addressing these security gaps.
How EV Charging Creates Cyber Vulnerabilities
When an EV connects to a public charger, it establishes a digital communication channel. This link allows the car and the charger to exchange information needed to manage the charging process. However, both ends of this connection—the charger port and the charger itself—act as network interfaces. These interfaces can become entry points for cybercriminals.
Security researcher Brandon Perry examined this communication by setting up a Linux-based charger and capturing data packets between a Tesla vehicle and the modified charger. The connection is established using Powerline Communication (PLC), a system similar to using electrical wiring for Ethernet communication.
This setup lacks robust security features. Encryption is often optional, and when used, it relies on self-signed certificates that do not connect to a trusted certificate authority. This opens the door for man-in-the-middle attacks.
What Data Can Be Stolen or Abused?
During the handshake between the EV and the charger, they exchange standardized information, including:
- EVCCID: Electric Vehicle Communication Controller ID
- EVSEID: Electric Vehicle Supply Equipment ID
- State of charge and vehicle characteristics
This data can be intercepted by attackers. Since EVCCIDs are often linked to vehicle billing systems, a hacker could spoof a MAC address and impersonate a legitimate vehicle. This could allow them to:
- Steal electricity without payment
- Manipulate charging sessions
- Gain unauthorized access to charging networks
The researcher demonstrated that malformed data packets could be generated automatically to identify crash-inducing bugs within the car-to-charger communication protocol.
Attackers Can Target the Charger’s Internal Network
The vulnerabilities extend beyond data theft. Hackers can use the charger cable itself to launch brute-force attacks against the charger’s Secure Shell (SSH) service. Perry discovered that some chargers had SSH ports open and listening without recognizing the cable as a potential network entry point.
A malicious actor could:
- Connect as a “vehicle”
- Trigger the network
- Attempt to authenticate over SSH using the charger cable
This could lead to unauthorized access to the charger’s management system, opening the door for more advanced attacks.
EV Charging Station Management Systems (CSMS) at Risk
Public charging stations are often controlled by Charging Station Management Systems (CSMS). These systems allow administrators to manage:
- Vehicle authentication
- Power distribution
- Billing and transactions
- Firmware updates
The research identified that two CSMS platforms—StEVe CSMS and CitrineOS—are vulnerable to denial-of-service (DoS) attacks. Attackers could crash these systems remotely, potentially shutting down entire networks of chargers.
Such an attack could cause widespread disruption, and administrators might struggle to trace the cause due to misleading log data showing unusual local IP addresses.
Physical Security Risks in EV Charging
The research also highlighted physical security concerns. Most EV charger ports can be pried open or pressed without triggering alarms. Hardware tools for charger port debugging are widely available online. This allows attackers to:
- Access vehicle charger ports without detection
- Deploy malicious hardware or code
- Combine physical and digital attacks for maximum impact
These physical vulnerabilities further widen the attack surface, making public charging stations attractive targets for cybercriminals.
Potential Real-World Consequences of EV Charging
The risks go far beyond individual attacks. If malicious actors compromise multiple chargers or entire networks, they could:
- Cause power grid instability
- Interrupt transportation for thousands of drivers
- Steal large amounts of electricity without detection
- Harvest sensitive data from countless EVs
The interconnected nature of EVs, chargers, and energy systems means that a security breach could have far-reaching effects on public infrastructure and consumer safety.
What EV Owners and Providers Should Do
To mitigate these threats, both EV owners and charging network operators should take action:
For EV Owners:
- Avoid unfamiliar or untrusted public chargers when possible
- Regularly update vehicle software
- Monitor accounts linked to EV charging services for unusual activity
For Charging Network Providers:
- Implement strong encryption between chargers and vehicles
- Regularly audit and patch management systems
- Enforce robust physical security at charging stations
Conclusion
Electric vehicles are a key part of the transition to greener transportation, but their cybersecurity must not be overlooked. The research highlights how easily attackers can exploit overlooked vulnerabilities in the EV charging ecosystem. As EV adoption grows, manufacturers, network operators, and regulators must prioritize cybersecurity to protect users and critical infrastructure from emerging threats.
Taking proactive steps today can prevent damaging attacks tomorrow.
0 responses to “Hackers Can Target Teslas and Other EVs Through Public Chargers”