Researchers Demo Flaw That Keeps EVs Locked to Charging Stations

March 13, 2023
CyberThreat Research Lab
Researchers Demo Flaw That Keeps EVs Locked to Charging Stations

As the electric vehicle (EV) market rapidly grows, so do the cybersecurity risks associated with EVs. While there have been numerous security incidents related to EVs themselves, it is equally important to consider that electric vehicle supporting equipment (EVSE) also carries potential vulnerabilities that might be overlooked. 

During VehicleSec 2023, researchers Shangru Song, Hetian Shi, Ruoyu Lun, Yunchao Guan, Xiang Li, Jihu Zheng, and Jianwei Zhuge demonstrated a new attack approach involving an EV’s charging pile or charging station. Through their research, they were able to forcibly maintain the connection between an EV and a charging pile, an attack scenario they named the Charging Pile Ransom Attack (CPRA). According to their findings, this scenario enables potential attackers to detain vehicles remotely. 

Attack flow 

As a security feature, charging connectors typically lock onto vehicles when charging. However, the CPRA scenario leverages this feature to hold vehicles to their charging stations.  

The attack flow consists of four parts: 

  1. Stop the charging process. 
  2. Use another device, such as a mobile phone, to issue a charging request.
  3. Send a ransom message to the victim. 
  4. Terminate the charging session upon receiving the ransom.  

The first step in the attack flow involves halting the charging process to give attackers an opening to initiate charging through their own device. There are two options that attackers can take to do this.

The first option requires the attackers to crack a charging pile and issue commands on behalf of the pile, disconnecting it from the server. Attackers then obtain the victim's contact information by intercepting the conversation between the charging pile and the central charging platform, which they can also use to communicate with the owner to send a ransom message. This is a notable tactic that leaves users particularly vulnerable. As a second option, attackers can use phishing or some other tactic to obtain a victim's credentials first and then impersonate them to issue a stop charging command. 

The second step of the attack involves the attackers enabling the power outlet from their own device. Shangru Song and his co-researchers point out two possible ways for attackers to do this. The first is simple, as it involves charging piles that don’t require validation so that potential attackers can charge the vehicle upon request. The second way requires attackers to use the credentials that they had obtained previously to impersonate the victim and issue a charging command. 

The last two steps of the attack involve sending a ransom note via the stolen user credentials and then releasing the vehicle once the victim has met the demand. 

Shangru Song and his co-researchers have also found a way to bypass the mechanism that some EVs use to detect a vehicle’s charging status and prevent deadlocks. To enforce the bypass, the researchers designed a physical plug-in that can be used to spoof the said signal. When this plug-in is used, the EV is unable to detect any abnormalities in the charging process and will assume that everything is operating normally. As a result, the charger will remain connected even though the charging process has been halted.

The results 

Shangru Song and his co-researchers succeeded in showing that the Volkswagen ID.4 was vulnerable to this attack, even without their custom plug-in. On the other hand, the researchers were able to successfully conduct the attack on the Roewe RX5 and Tesla Model S using their plug-in. It is worth noting that while these models have been identified as being vulnerable to this particular attack, other models might be vulnerable as well. 

As a result of their tests, Shangru Song and his co-researchers discovered that CPRA is a significant concern for third-party charging piles in China, including popular brands such as TELD and Star Charge. These charging piles are often used by EV drivers who do not have access to a private charging station, making them particularly vulnerable to cyberattacks that involve public ones. Furthermore, a charging process that lacks proper design might result in the worst-case scenario, in which overcharging could overheat the batteries and set them on fire, should a potential attacker not release the vehicle in time. In sum, this research demonstrates how EVSE is a potential attack vector that should not be overlooked as the automotive industry continues to work on improving its cybersecurity. Thankfully, the researchers discovered the attack scenarios in their studies and have already reported the flaws. 

VicOne 

VicOne's solutions, which can detect exploits and malicious communication to and from the charging station from the outset, are well-positioned to address the risks associated with CPRA. These solutions can also monitor the transaction between the server (the central charging platform) and other devices, such as users' mobile phones and charging piles. VicOne's security agent, which is integrated into the charging station, can not only protect the charging pile but also transmit data to the charging station management system (CSMS). Combined with xNexus' analytics engine, VicOne can also detect unusual behavior. 

 One example of such behavior is a car owner stopping the charging process shortly after it has been initiated. This is a key indicator of a potential CPRA, as the attacker might be attempting to take control of the charging process in order to extort the victim for a ransom. Additionally, xNexus can also detect when a new device is used to issue charging commands, as it will have a different device number or IP address from the original device used by the vehicle owner.  

One of the key benefits of xNexus is its ability to detect unusual behavior, such as a car owner stopping the charging process shortly after it has been initiated. This is a key indicator of a potential CPRA, as the attacker might be attempting to take control of the charging process in order to extort the victim for a ransom. Additionally, xNexus can also detect when a new device is used to issue charging commands, as it will have a different device number or IP address from the original device used by the vehicle owner.  

By leveraging xNexus and our security agent, VicOne can help prevent such an attack and ensure that EVs and their supporting equipment remain secure against cyberthreats. This can provide peace of mind for both EV owners and charging pile providers, as they can rest assured that their vehicles and infrastructure are being protected by a reliable and effective security solution.

Our News and Views

Gain Insights Into Automotive Cybersecurity

Visit Our Blog

Accelerate Your Automotive Cybersecurity Journey Today

Contact Us