In brief: Even though EV charging networks are becoming critical infrastructure, many are still secured like consumer IoT gadgets. New research suggests weak authentication and predictable identifiers in rentable IoT systems could allow attackers to escalate from inconveniencing a single driver to knocking an entire city's charging network offline.

Public EV chargers, shared e-bikes, and rental scooters share a common problem: they are unattended, app-controlled devices deployed in public, potentially letting anyone inspect the hardware and mobile software.

At Black Hat Asia, Tsinghua University IoT security researcher Hetian Shi demonstrated how flaws in a Chinese charging app could be used to remotely disable charging ports, The Register reports.

Shi's demo used the app of a Chinese EV charging provider. After the audience selected Shanghai, he viewed chargers near People's Square and copied the ID of an available unit into a script, after which the charger's icon changed from green to gray, indicating a disabled port.

Shi believes the same technique could deny service across an entire city's charging network. He also tested 11 apps from European shared bike and scooter providers and found similar problems, suggesting this is not a China-only issue.

Shi found debugging interfaces and UART connectors that made some devices easy to inspect, shared authentication keys in firmware, and backend services that failed to properly authenticate users.

App-side flaws could also let attackers create "phantom clients" that services could not distinguish from real customers, potentially enabling free rides or charging sessions and exposing personal information.

This wasn't a one-off demo. A related USENIX Security 2024 paper from Tsinghua University researchers, including Shi, examined 17 rentable IoT devices and 92 apps.

The team identified 57 vulnerabilities in 28 products, with flaws in 24 enabling large-scale exploitation that could affect millions of users and devices. The paper says weak resource IDs are a key issue: attackers can infer device or user identifiers and combine them with access-control bugs to manipulate resources at scale.

Public chargers are sensitive because they combine payments, cellular connectivity, cloud management, and grid-facing infrastructure. While one broken charger is an inconvenience, thousands disabled at once would dent confidence amongst those already nervous about EV adoption.

Vendors confirmed the findings, and researchers say most issues were mitigated with their help. But rentable IoT operators still need stronger device identity, backend authorization, unique per-device credentials, locked-down debug ports, and abuse detection.
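As an added illustration (not code from the researchers, the paper, or any vendor), the sketch below shows two of the controls listed above working together: per-charger backend authorization, so that knowing a charger ID grants nothing, and abuse detection that flags an account denied on many distinct chargers in a short window. All account names, charger IDs, actions, and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data: which account holds an active session on which charger.
ACTIVE_SESSIONS = {"user-17": {"chg-0001"}}
OPERATORS = {"ops-1"}        # hypothetical operator accounts allowed to manage any port
WINDOW_S = 60                # assumed detection window, in seconds
MAX_DENIED_TARGETS = 3       # assumed threshold: distinct denied chargers per window

class PortCommandGate:
    """Authorizes port commands per object and flags ID-enumeration patterns."""

    def __init__(self):
        self._denied = defaultdict(deque)   # account -> deque of (timestamp, charger_id)
        self.flagged = set()

    def authorize(self, account, charger_id, action, now):
        # Knowing a charger ID is never sufficient: the caller must be an
        # operator or hold an active session on that specific charger.
        if account in OPERATORS:
            return True
        if action in ("start", "stop") and charger_id in ACTIVE_SESSIONS.get(account, ()):
            return True
        self._record_denial(account, charger_id, now)
        return False

    def _record_denial(self, account, charger_id, now):
        events = self._denied[account]
        events.append((now, charger_id))
        while events and now - events[0][0] > WINDOW_S:
            events.popleft()                # drop denials that fell out of the window
        # Many distinct chargers denied in a short window suggests ID guessing.
        if len({cid for _, cid in events}) >= MAX_DENIED_TARGETS:
            self.flagged.add(account)

def replay(requests):
    """Replays (time, account, charger_id, action) tuples; returns decisions and flagged accounts."""
    gate = PortCommandGate()
    decisions = [gate.authorize(acct, cid, act, t) for t, acct, cid, act in requests]
    return decisions, gate.flagged

# Constructed request log: one legitimate stop, one account hitting chargers
# it has no session on, and one operator action.
SAMPLE = [
    (0, "user-17", "chg-0001", "stop"),
    (1, "user-99", "chg-0001", "disable"),
    (2, "user-99", "chg-0002", "disable"),
    (3, "user-99", "chg-0003", "disable"),
    (4, "ops-1", "chg-0003", "disable"),
]
```

Calling `replay(SAMPLE)` allows only the session holder and the operator, and flags `user-99` on its third distinct denied charger.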