EV Charging Security Now Demands Infrastructure-Level Thinking

April 7, 2026
CyberThreat Research Lab
Electric vehicles are reshaping mobility. But the infrastructure enabling them is being secured with the wrong mental model. 

Most organizations still treat EV chargers as a device category: assess the hardware, apply a patch cycle, move on. That framing made sense when chargers were standalone units. It no longer reflects reality. Today, a single charging session involves interactions among charger hardware, the vehicle's onboard systems, a mobile application, a payment platform, and a cloud-based management backend. A vulnerability in any one of those layers can affect the others. 

The strategic error is treating charger security as a separate workstream from broader automotive and connected infrastructure security. It is not separate. It is the same problem, extended. 

Figure 1. An illustration of the EV ecosystem, where vehicles, chargers and platforms operate as a connected network.


EV charging is no longer a peripheral device problem 

The traditional framing of EV charger security focuses on the device: firmware integrity, physical tamper resistance, and network segmentation at the unit level. Those controls matter. But they address only one node in a system that now spans multiple layers. 

A modern charging session depends on all of the following operating correctly and securely: 

  • Charger hardware and firmware handling power delivery and communication 
  • Vehicle onboard systems authenticating and managing the session 
  • Mobile applications used for payment, session control, and account management 
  • Open Charge Point Protocol (OCPP) implementations connecting chargers to network operators 
  • Cloud-based charge management systems handling billing, grid signals, and remote configuration 

A weakness in any one of these layers creates exposure across the others. An attacker who compromises the cloud management backend can push malicious firmware to chargers at scale. An attacker who exploits the OCPP implementation can redirect sessions or intercept commands. An attacker who targets the mobile app can harvest credentials that unlock physical access. 

This is not a device security problem. It is an infrastructure security problem. 


What the attack surface actually looks like 

EV charging infrastructure exposes exploit paths across both user-facing interfaces and underlying hardware and protocol layers. The two categories are distinct in method but connected in consequence. 

User-facing attack vectors target the interaction layer between drivers and charging infrastructure: 

  • Quishing (fake QR codes): Attackers replace legitimate QR codes at charging stations with fraudulent ones, redirecting drivers to spoofed payment pages to harvest credentials or payment data. 
  • Account hijacking: Exploiting vulnerabilities in charging apps to steal user credentials and gain unauthorized access to active charging sessions. 
  • Station ransomware: Locking charger interfaces or backend management systems until a ransom is paid, disrupting service continuity. 
  • Data leaks: Exposing sensitive user or operational data stored in connected backend platforms. 

Protocol and hardware-level attack vectors target the systems beneath the interface: 

  • OCPP exploitation: Weaknesses in OCPP implementations allow attackers to redirect chargers to unauthorized servers and take control of charging sessions. 
  • Signal manipulation: Physical add-ons that interfere with charger-to-vehicle communication and inject malicious commands into the charging process. 
  • Firmware rollback: Forcing devices to revert to outdated firmware versions that contain known, unpatched vulnerabilities.
  • Buffer overflow: Sending crafted data to trigger memory errors and enable remote code execution (RCE) on charger hardware. 
  • Physical cable attack: Accessing the Single-Wire CAN (SWCAN) interface through the charging cable to communicate directly with vehicle hardware. 
  • Numeric range input flaw (CWE-839): Exploiting integer handling errors to bypass security controls and take over or crash devices. 

These vectors differ in method, but they share one characteristic: they expose weaknesses that span both digital interfaces and hardware-protocol layers. No single control addresses all of them. 
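As an added illustration (not code from the original article or from any charger vendor), the sketch below shows how an update-acceptance routine can defend against two of the listed vectors: firmware rollback and the CWE-839 range flaw. The header layout, constant values, and function names are hypothetical, and the header is assumed to have already passed signature verification.

```c
#include <stdint.h>

#define FW_MAGIC        0x43484746u        /* constructed magic value */
#define FW_MAX_PAYLOAD  (4 * 1024 * 1024)  /* constructed size limit */

/* Hypothetical update header; assumed already covered by a verified signature. */
struct fw_header {
    uint32_t magic;
    uint32_t security_version;  /* monotonic counter, bumped on security fixes */
    int32_t  payload_len;       /* signed on purpose, to show the CWE-839 case */
};

enum fw_verdict { FW_OK, FW_BAD_MAGIC, FW_BAD_LENGTH, FW_ROLLBACK };

/* Weak length check (CWE-839): upper bound only, so a negative length passes
 * and would later become a huge size_t in a copy or allocation. */
int len_ok_weak(int32_t len)
{
    return len <= FW_MAX_PAYLOAD;
}

/* Hardened length check: minimum and maximum are both enforced. */
int len_ok(int32_t len)
{
    return len > 0 && len <= FW_MAX_PAYLOAD;
}

/* Decide whether an update may be installed. min_version is the lowest
 * security version the device accepts; it is assumed to live in
 * tamper-resistant monotonic storage and to be raised after each update. */
enum fw_verdict check_update(const struct fw_header *h, uint32_t min_version)
{
    if (h == 0 || h->magic != FW_MAGIC)
        return FW_BAD_MAGIC;
    if (!len_ok(h->payload_len))
        return FW_BAD_LENGTH;
    if (h->security_version < min_version)   /* older image: refuse rollback */
        return FW_ROLLBACK;
    return FW_OK;
}
```

The version comparison only has value if the header is authenticated and the stored minimum cannot be reset by whoever delivers the update.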


Pwn2Own Automotive 2026 changed the conversation 

For organizations still treating EV charger risk as theoretical, Pwn2Own Automotive 2026 is the clearest available evidence to the contrary. Held in Tokyo in January 2026 at the Automotive World conference, the competition concluded with 76 unique zero-day vulnerabilities disclosed across three days. 

EV chargers were a central target category, not a sideshow. Key findings from the event included: 

  • Alpitronic HYC50 compromised via out-of-bounds write: The Fuzzware.io team exploited a single memory flaw to achieve full control of the Level 3 charger, demonstrating that high-performance charging infrastructure carries the same classes of vulnerability as lower-tier devices. 
  • Autel MaxiCharger exploit chain: The same team chained additional vulnerabilities against the Autel MaxiCharger, enabling code execution and charging signal manipulation. 
  • Multiple Level 2 charger exploits: Teams including Team DDOS, 299, Petoworks, and Compass Security successfully exploited ChargePoint, Grizzl-E, and Phoenix Contact chargers, several using signal manipulation techniques targeting the charger-to-vehicle communication layer. 

The volume of successful exploits across different manufacturers and charger classes signals a systemic issue, not isolated product flaws. Charging infrastructure now belongs inside the core automotive threat model. 


Why this matters to OEMs and Tier 1 suppliers 

EV charging infrastructure is not a third-party edge case for automotive manufacturers. It is a direct extension of the connected vehicle ecosystem, and vulnerabilities in charging systems carry consequences that reach into vehicle operations, user trust, and brand exposure. 

Three implications stand out for OEMs and Tier 1 suppliers: 

  1. Service continuity is at risk. Ransomware targeting charge management backends, session hijacking through OCPP weaknesses, and firmware manipulation can disrupt charging availability at scale, affecting both fleet operators and individual users. 
  2. Vehicle security and charger security are not separable. Exploit paths that traverse the charger-to-vehicle interface, such as physical cable attacks targeting SWCAN or signal manipulation techniques, mean that charger vulnerabilities can translate directly into vehicle-level risk. 
  3. Third-party integrations extend the attack surface. Backend platforms, payment processors, and grid management systems all introduce dependencies. Each integration is a potential entry point if security validation does not extend across the full stack. 


The practical takeaway 

The question is no longer whether EV charging infrastructure can be exploited. Pwn2Own Automotive 2026 answered that. The question now is whether security programs are treating it with the same rigor applied to the rest of the connected vehicle ecosystem. 

That means extending security validation beyond the charger unit to cover firmware update pipelines, OCPP implementations, mobile application interfaces, and cloud management platforms. It means continuous testing, not point-in-time assessments. And it means recognizing that charger security and vehicle security share a threat model. 

For a deeper view into how this attack surface is evolving, VicOne's 2026 Automotive Cybersecurity Threat Report examines the trends shaping connected vehicle and charging infrastructure risk across the industry. 

 

About the Author 

Florengen Arvin Parulan is an Auto Threat Researcher at VicOne, specializing in investigating automotive cybercrime and identifying critical vulnerabilities within CAN Bus systems. With a professional foundation built on years of rigorous automotive testing and quality assurance, Arvin uniquely bridges the gap between traditional vehicle engineering and advanced cybersecurity. His research is dedicated to securing the future of connected mobility by uncovering and mitigating emerging risks before they reach the road.
