Weak IoT security could make EV chargers vulnerable to mass shutdowns

[midian182]

In brief: Even though EV charging networks are becoming critical infrastructure, many are still secured like consumer IoT gadgets. New research suggests weak authentication and predictable identifiers in rentable IoT systems could allow attackers to escalate from inconveniencing a single driver to knocking an entire city's charging network offline.

Public EV chargers, shared e-bikes, and rental scooters share a common problem: they are unattended, app-controlled devices deployed in public, potentially letting anyone inspect the hardware and mobile software.

At Black Hat Asia, Tsinghua University IoT security researcher Hetian Shi demonstrated how flaws in a Chinese charging app could be used to remotely disable charging ports, The Register reports.

Shi's demo used the app of a Chinese EV charging provider. After the audience selected Shanghai, he viewed chargers near People's Square, copied the ID of an available unit into a script, and the charger's icon changed from green to gray, indicating a disabled port.

Shi believes the same technique could deny service across an entire city's charging network. He also tested 11 apps from European shared bike and scooter providers and found similar problems, suggesting this is not a China-only issue.

Shi found debugging interfaces and UART connectors that made some devices easy to inspect, shared authentication keys in firmware, and backend services that failed to properly authenticate users.

App-side flaws could also let attackers create "phantom clients" that services could not distinguish from real customers, potentially enabling free rides or charging sessions and exposing personal information.

This wasn't a one-off demo. A related USENIX Security 2024 paper from Tsinghua University researchers, including Shi, examined 17 rentable IoT devices and 92 apps.

The team identified 57 vulnerabilities in 28 products, with flaws in 24 enabling large-scale exploitation that could affect millions of users and devices. The paper says weak resource IDs are a key issue: attackers can infer device or user identifiers and combine them with access-control bugs to manipulate resources at scale.

Public chargers are sensitive because they combine payments, cellular connectivity, cloud management, and grid-facing infrastructure. While one broken charger is an inconvenience, thousands disabled at once would dent confidence amongst those already nervous about EV adoption.

Vendors confirmed the findings, and researchers say most issues were mitigated with their help. But rentable IoT operators still need stronger device identity, backend authorization, unique per-device credentials, locked-down debug ports, and abuse detection.

Permalink to story:

Weak IoT security could make EV chargers vulnerable to mass shutdowns

 

[wiyosaya]

Its a fact that security flaws in IoT devices have been known for a long time. The decision to use IoT in public chargers was, therefore, ill-advised. The only thing driving the use of IoT devices in public chargers was profit, IMO.

If this hack does appear in the wild, it will be the fault of the manufacturers of the charging stations and no one else, except the hackers. IMO, any charger manufacturer that is able to verify that their chargers are susceptible to this hack should act immediately to remedy the problem.

After this, there should never be any public chargers manufactured that are susceptible to this hack, and any company that does manufacture a public charger that is susceptible to this hack should be subject to regulator discipline. IMO.

 

[NumberNine]

The cars aren't secure so I wouldn't expect too much effort invested into the chargers either.

 

[Plutoisaplanet]

In terms of general risk, the situation in the US is that Tesla makes up most of the fast charging connectors which means taking their network down would be catastrophic for EVs. However they're a far larger company that actually maintains all chargers and are more software-savvy than the competition, so it balances out. In the past however, the market was less diverse because Tesla's fast charging network made up a larger portion of all US connectors.

Source: https://evchargingstations.com/chargingnews/largest-dc-fast-charging-april-2026/

There literally is no way except to use IoT in these charging stations, as most are situated in areas where a full time attendant isn't feasible, and even where it is, the additional labor costs -- and construction costs for a station to house him -- would make charging prohibitively expensive.
[...]
If a company is lax enough with security to allow its own chargers to be shut down, why should that be the business of a government regulator? Seriously, this infantile response for government regulations to address any and all aspects of human life is out of control. There are nations who believe in that principle, but the free world is intended to work in a different manner.

I mostly agree with you, but there is technically another option, just far less useful. You could always have open chargers and IoT is in physical security only (similar to how private parking lot might work). But IoT is basically like any other server. As long as you apply the proper security policies, maintain software updates, and address bugs of your own software as they appear, your risk is very low.

Plus you're absolutely right that regulation is not the solution here lol. Forcing a company to change via existential threat in the free market is better, and in this case the threat would be revenue crashing down because you couldn't properly maintain the charging stations that bring in revenue. It's not like you can regulate a business into profitability after all. Regulations don't adapt to changing market conditions and usually limit competition.