New findings highlight significant cybersecurity risks in the rapidly expanding electric vehicle (EV) charging ecosystem. A recent technical analysis by researcher Brandon Perry has uncovered multiple attack vectors that could allow malicious actors to steal data, energy, or even disrupt entire charging networks through weaknesses in the communication link between EVs and chargers.
The vulnerabilities stem from the fact that every charging session creates a digital connection between the vehicle and the charger. This link—based on powerline communication (PLC)—is intended for protocol negotiation, billing, and information exchange. However, this two-way communication channel also opens the door to a range of cyberattacks if not properly secured.
The researcher demonstrated that attackers can intercept and manipulate messages during this handshake phase through man-in-the-middle attacks. Data such as the vehicle’s unique identifier (EVCCID), state of charge, and charger ID (EVSEID) is typically exchanged in plaintext or using self-signed certificates. This lack of robust encryption enables potential spoofing of MAC addresses to exploit automatic billing mechanisms, effectively allowing energy theft.
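On the operator side, one way to surface a cloned identifier is to look for the same EVCCID in sessions that overlap in time, or follow each other implausibly fast, at different chargers. The sketch below is an added example, not code from the research; the record layout, the charger IDs, the sample sessions and the 10-minute threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session records (not real data): (EVCCID, EVSEID, start, end).
SESSIONS = [
    ("00:1A:2B:3C:4D:5E", "EVSE-A1", "2024-05-01T08:00", "2024-05-01T08:40"),
    ("00-1a-2b-3c-4d-5e", "EVSE-B7", "2024-05-01T08:20", "2024-05-01T09:00"),
    ("00:1A:2B:3C:4D:5E", "EVSE-C3", "2024-05-01T09:05", "2024-05-01T09:30"),
    ("66:77:88:99:AA:BB", "EVSE-A1", "2024-05-01T10:00", "2024-05-01T10:30"),
    ("66:77:88:99:AA:BB", "EVSE-A1", "2024-05-01T12:00", "2024-05-01T12:30"),
]

# Assumed minimum plausible time for one vehicle to move between two chargers.
MIN_GAP = timedelta(minutes=10)


def normalize(evccid):
    """Canonical form so that separator and case differences do not hide a match."""
    return evccid.replace(":", "").replace("-", "").lower()


def find_suspect_sessions(sessions, min_gap=MIN_GAP):
    """Return (evccid, earlier_evse, later_evse, reason) for conflicting sessions."""
    by_vehicle = defaultdict(list)
    for evccid, evseid, start, end in sessions:
        by_vehicle[normalize(evccid)].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), evseid)
        )

    findings = []
    for evccid, rows in by_vehicle.items():
        rows.sort()  # chronological by start time
        latest = rows[0]  # earlier session with the latest end time seen so far
        for cur in rows[1:]:
            _, prev_end, prev_evse = latest
            start, end, evse = cur
            if evse != prev_evse:
                if start < prev_end:
                    # One identifier charging at two chargers at once.
                    findings.append((evccid, prev_evse, evse, "overlap"))
                elif start - prev_end < min_gap:
                    # Back-to-back sessions closer together than travel allows.
                    findings.append((evccid, prev_evse, evse, "too_fast"))
            if end >= prev_end:
                latest = cur
    return findings


if __name__ == "__main__":
    for finding in find_suspect_sessions(SESSIONS):
        print(finding)
```

A hit is a lead for billing review, not proof of theft; the gap threshold has to reflect how far apart the operator's sites actually are.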
The analysis also revealed that some chargers expose internal services such as SSH over the same cable used for charging. By simulating a connected vehicle, an attacker could brute-force login credentials and potentially access or control the charger’s internal systems.
At the management level, many public chargers are linked to central charging station management systems (CSMS), which handle firmware updates, transaction logs, and user authentication. The research found that two popular platforms—StEVe CSMS and CitrineOS—could be crashed remotely by malformed payloads, leading to full denial of service across the managed network.
The implications extend beyond individual vehicles. Compromising chargers at scale could lead to wider disruptions in public infrastructure, especially if such systems are integrated with local power grids. Alarmingly, many charger ports can be physically accessed without triggering alerts, and diagnostic tools for charger interfaces are widely available.
These findings underline a critical need for stronger encryption, better authentication protocols, and improved physical and network security standards in EV charging systems—especially as EV adoption accelerates globally.