Author: Denis Avetisyan
A new analysis reveals critical security flaws in ISO 15118 plug and charge technology, potentially exposing electric vehicle owners to malicious attacks during charging sessions.

This review details multiple vulnerabilities in ISO 15118 communication protocols, including a novel attack vector, and proposes mitigation strategies.
While the ISO 15118 standard aims to streamline electric vehicle charging and payment, its security mechanisms present notable vulnerabilities. This paper, ‘Security Aspects of ISO 15118 Plug and Charge Payment’, comprehensively analyzes these controls, revealing shortcomings and detailing a previously unknown attack vector within the plug and charge functionality, allowing unauthorized charging at another vehicle’s expense. We demonstrate a proof-of-concept implementation alongside a proposed alternative authentication scheme designed for improved resilience and reduced certificate management overhead. Given these findings, how can the standard be effectively advanced to ensure secure and reliable fast charging for the growing electric vehicle infrastructure?
The Electric Current: Expanding Access, Expanding Attack Vectors
The proliferation of electric vehicles represents a significant shift in personal transportation, driven by mounting concerns over climate change and concurrent breakthroughs in battery technology and electric motor efficiency. Government incentives, including tax credits and emissions standards, further accelerate adoption rates globally, while increasingly stringent regulations on internal combustion engines provide additional impetus. This isn’t merely a niche trend; sales figures demonstrate a consistent and substantial rise in electric vehicle purchases, exceeding previous projections and signaling a fundamental transformation of the automotive industry. The convergence of environmental awareness, technological progress, and supportive policies positions electric vehicles not as a future possibility, but as a rapidly expanding presence on roadways worldwide.
The increasing adoption of electric vehicles extends the potential for cyberattacks beyond the vehicle itself, creating a significantly expanded attack surface. As charging stations become integral nodes connecting vehicles to the power grid, they introduce new vulnerabilities. These stations, often reliant on readily accessible communication protocols, can serve as entry points for malicious actors seeking to compromise vehicle systems, disrupt grid stability, or even gain access to sensitive user data. This interconnectedness means a vulnerability in a single charging station, or the software managing many, could have cascading effects, impacting a large number of vehicles and potentially destabilizing regional power networks. Therefore, securing this expanding ecosystem – encompassing charging hardware, communication networks, and backend data systems – is paramount to realizing the full benefits of electric vehicle technology.
Existing electric vehicle (EV) charging protocols prioritize ease of use and interoperability, often at the expense of comprehensive security measures. While designed for seamless energy transfer, these standards frequently lack robust authentication, encryption, and authorization features, creating vulnerabilities exploitable by malicious actors. A compromised charging station could potentially allow unauthorized access to a vehicle’s systems, manipulation of charging data for financial gain, or even disruption of the power grid itself. The convenience afforded by current charging infrastructure, therefore, presents a significant and growing cybersecurity risk as EV adoption increases, necessitating urgent attention to fortifying these critical components of the transportation ecosystem.
The proliferation of electric vehicles necessitates a thorough security assessment of the entire charging ecosystem, extending beyond the vehicle itself to encompass charging stations and the supporting power grid. This expanding attack surface presents numerous potential entry points for malicious actors, ranging from compromised charging station hardware and software to vulnerabilities in the communication protocols used for authentication and energy transfer. A comprehensive examination must identify weaknesses in these interconnected systems, considering not only data breaches and financial fraud but also the potential for physical disruption of the power grid or even vehicle manipulation. Addressing these vulnerabilities proactively is crucial, as the increasing reliance on electric vehicles amplifies the impact of any successful attack, demanding a shift toward secure-by-design principles and continuous monitoring of the charging infrastructure.
ISO 15118: A Standardized Foundation, But Is It Sufficient?
ISO 15118 is currently the predominant international standard governing communication between electric vehicles (EVs) and charging stations, with a primary objective of enabling secure and interoperable charging processes. This standardization extends beyond basic charging to encompass vehicle-to-grid (V2G) capabilities, allowing energy to flow both to and from the EV. Interoperability is achieved through a defined communication protocol, ensuring EVs from different manufacturers can utilize charging infrastructure from various providers. Security is paramount, with the standard mandating cryptographic methods to protect sensitive data exchanged during charging transactions and grid services. The standard’s architecture supports plug-and-charge functionality, automating payment and authentication processes, and facilitates advanced features like smart charging and load balancing.
ISO 15118 mandates the use of Transport Layer Security (TLS) for all communication between the electric vehicle (EV) and the charging station, ensuring data confidentiality and integrity throughout the charging process. TLS provides authentication of both parties and employs encryption algorithms to protect sensitive information, such as payment details and energy usage data. Furthermore, the standard leverages Internet Protocol version 6 (IPv6) for addressing and routing network packets. IPv6 offers a significantly larger address space than IPv4, accommodating the increasing number of connected devices, and includes features like stateless autoconfiguration and improved multicast capabilities, optimizing network performance and scalability within the charging infrastructure.
ISO 15118 supports Powerline Communication (PLC) as a means of establishing communication between the electric vehicle (EV) and the charging station. Specifically, the standard utilizes the HomePlug GreenPhy physical layer specification for this purpose. HomePlug GreenPhy enables data transmission over existing AC power cabling, eliminating the need for dedicated communication infrastructure. This approach leverages the existing electrical grid for data exchange, reducing installation costs and complexity. The technology operates in the 420-450 kHz frequency band and provides data rates suitable for secure charging communication as defined by ISO 15118.
The Service Discovery Protocol (SDP) within ISO 15118 enables the electric vehicle (EV) and the charging station to establish communication by exchanging necessary network addresses and connection parameters. Specifically, the EV utilizes SDP to query the charging station for its communication capabilities, including supported network layers and transport protocols. The charging station then responds with details regarding its IPv6 address, port numbers, and preferred connection modes – such as the specific HomePlug GreenPhy profile in use for Powerline Communication. This exchange ensures compatibility and allows the EV to initiate a secure and reliable connection to the charging station before any energy transfer begins, effectively automating the initial handshake process.
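The SDP response arrives before any TLS session exists, so the vehicle side should parse it strictly and refuse a reply that does not offer TLS. The following is an added example, not code from the article or the paper; the byte layout (8-byte V2GTP header, 20-byte payload) follows ISO 15118-2 rather than this article, and the sample datagrams are constructed.

```python
import ipaddress
import struct

SDP_RESPONSE = 0x9001                      # V2GTP payload type for an SDP response
SECURITY = {0x00: "tls", 0x10: "none"}     # security byte
TRANSPORT = {0x00: "tcp", 0x10: "udp"}     # transport byte


class SdpError(ValueError):
    """Raised for any malformed or unexpected SDP response."""


def parse_sdp_response(datagram: bytes) -> dict:
    """Parse a V2GTP-framed SDP response, rejecting anything malformed."""
    if len(datagram) != 28:
        raise SdpError("expected 8-byte header plus 20-byte payload")
    version, inverse, ptype, length = struct.unpack("!BBHI", datagram[:8])
    if version != 0x01 or inverse != (~version & 0xFF):
        raise SdpError("bad V2GTP version bytes")
    if ptype != SDP_RESPONSE or length != 20:
        raise SdpError("not an SDP response")
    addr, port, sec, transport = struct.unpack("!16sHBB", datagram[8:])
    if sec not in SECURITY or transport not in TRANSPORT:
        raise SdpError("reserved security or transport value")
    return {"address": ipaddress.IPv6Address(addr), "port": port,
            "security": SECURITY[sec], "transport": TRANSPORT[transport]}


def accept_for_plug_and_charge(datagram: bytes) -> bool:
    """Fail closed: accept only a well-formed reply offering TLS over TCP."""
    try:
        reply = parse_sdp_response(datagram)
    except SdpError:
        return False
    return (reply["security"] == "tls" and reply["transport"] == "tcp"
            and reply["port"] != 0)


def build_sample(security: int, transport: int = 0x00) -> bytes:
    """Constructed sample datagram: station at fe80::1, port 49152."""
    header = struct.pack("!BBHI", 0x01, 0xFE, SDP_RESPONSE, 20)
    payload = ipaddress.IPv6Address("fe80::1").packed + struct.pack(
        "!HBB", 49152, security, transport)
    return header + payload
```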
Exploiting the Protocol: Relay Attacks and Broken Signals
The Plug and Charge functionality, intended to automate payment for electric vehicle charging sessions, is vulnerable to a relay attack. This Plug and Charge Relay Vulnerability allows a malicious actor to intercept and relay communication between the electric vehicle and the charging station. By positioning themselves between these two endpoints, an attacker can effectively impersonate the vehicle and initiate unauthorized charging sessions, or conversely, impersonate the charging station to fraudulently bill a different vehicle for the energy consumed. This attack does not require physical access to the vehicle or the charging station itself, only proximity sufficient to relay the communication signals.
Man-in-the-Middle (MitM) attacks targeting Electric Vehicle Supply Equipment (EVSE) communication protocols can successfully compromise the authentication phase of charging sessions. These attacks function by intercepting and potentially modifying data exchanged between the vehicle and the EVSE, allowing a malicious actor to impersonate either party. Successful exploitation of this vulnerability enables attackers to bypass authentication checks, potentially injecting fraudulent transaction details such as inflated energy costs or incorrect billing addresses. The compromised communication channel permits the attacker to effectively relay and alter messages, making it difficult for either the vehicle or the charging station to detect manipulation during the handshake process. This poses a significant risk to both vehicle owners and charging station operators, leading to financial loss and potential service disruption.
The HomePlug GreenPhy communication standard, utilized for vehicle-to-grid (V2G) communication, is susceptible to the Brokenwire Attack. This attack exploits the physical layer signaling of HomePlug GreenPhy by injecting targeted noise to disrupt the communication signal. Specifically, the attacker modulates interference onto the power line, effectively jamming the communication between the electric vehicle (EV) and the charging station. The Brokenwire attack does not require decryption or authentication bypass; signal disruption is sufficient to cause communication failure, resulting in a denial-of-service condition where the EV cannot properly authenticate or initiate a charging session. This vulnerability stems from the lack of robust signal integrity checks within the HomePlug GreenPhy protocol, making it possible to selectively disrupt communication without triggering error detection mechanisms.
Secure communication establishment in EV charging relies on Signal Level Attenuation Characterization (SLAC) and shared cryptographic keys, notably the Network Management Key (NMK). SLAC assesses signal strength to validate communication pathways, while the NMK authenticates charging sessions. However, these mechanisms introduce potential vulnerabilities; compromised or manipulated signal levels can enable unauthorized communication, and exposure of the NMK allows for session hijacking. Our research demonstrates a proof-of-concept attack exploiting weaknesses in both SLAC and NMK protection, allowing fraudulent charging of one vehicle while incorrectly billing another for the energy consumed. This attack highlights the risk of combining vulnerabilities within the communication handshake process and underscores the need for robust signal validation and secure key management practices.
Fortifying the Grid: Authentication, Location, and Vigilance
The security of electric vehicle (EV) charging hinges significantly on the validity of digital certificates used for authentication, and maintaining this validity requires diligent use of Certificate Revocation Lists (CRLs). These lists function as a real-time blacklist, detailing certificates that have been compromised or are no longer trustworthy. Without regularly updated CRLs, a malicious actor gaining control of a legitimate certificate could impersonate a charging station, potentially gaining unauthorized access to vehicle systems or disrupting the charging network. The implementation of CRLs allows the charging infrastructure to proactively identify and reject connections using revoked certificates, thereby creating a crucial defensive barrier against evolving cyber threats. This proactive approach to certificate management is essential for maintaining the integrity and reliability of the growing EV charging ecosystem, ensuring a secure experience for users and preventing widespread exploitation of vulnerable systems.
Integrating geographical coordinates into the electric vehicle (EV) charging authentication process introduces a powerful layer of security against fraudulent access points. This method verifies a charging station’s physical location against a known, trusted database, ensuring that communication originates from a legitimate source and not a malicious imposter. By cross-referencing the station’s reported coordinates with its registered location, the system can effectively identify and block rogue stations attempting to intercept or manipulate the charging process. This location-based verification not only strengthens security but also provides a valuable tool for detecting and mitigating potential threats in real-time, contributing to a more reliable and secure EV charging infrastructure.
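One way to implement the cross-check described above, as an added example that is not taken from the article or the paper. The registry contents, station identifiers, tolerance and the optional vehicle position fix are assumptions made for illustration.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

# Constructed registry (station ID -> registered lat/lon in degrees); values are made up.
REGISTRY = {
    "EVSE-0001": (52.520008, 13.404954),
    "EVSE-0002": (48.137154, 11.576124),
}


def valid_coords(p):
    """True if p is a finite (lat, lon) pair within the valid ranges."""
    try:
        lat, lon = float(p[0]), float(p[1])
    except (TypeError, ValueError, IndexError):
        return False
    return (math.isfinite(lat) and math.isfinite(lon)
            and -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0)


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(min(1.0, h)))


def check_station(station_id, reported, vehicle_fix=None,
                  tolerance_m=75.0, registry=REGISTRY):
    """Return (accepted, reason). Fails closed on unknown IDs and bad input."""
    registered = registry.get(station_id)
    if registered is None:
        return False, "unknown station id"
    if not valid_coords(reported):
        return False, "malformed reported coordinates"
    if haversine_m(reported, registered) > tolerance_m:
        return False, "reported position does not match registry"
    # Assumption: the vehicle can contribute its own position fix. A rogue
    # station can copy a registered station's coordinates, so the vehicle's
    # fix is compared with the registry entry as an independent witness.
    if vehicle_fix is not None:
        if not valid_coords(vehicle_fix):
            return False, "malformed vehicle fix"
        if haversine_m(vehicle_fix, registered) > tolerance_m:
            return False, "vehicle is not at the registered station"
    return True, "ok"
```

The tolerance has to absorb ordinary positioning error at the site, so it is a deployment decision rather than a constant.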
A significant advancement in electric vehicle charging security involves shifting authentication protocols to leverage the vehicle manufacturer’s backend infrastructure. Traditional methods, often reliant on simpler, less robust systems, are increasingly vulnerable to exploitation. By integrating directly with the manufacturer’s secure servers, a multi-factor authentication process can be implemented, verifying both the charging station and the vehicle’s credentials. This approach not only strengthens the identification process but also enables remote monitoring and control, allowing manufacturers to quickly revoke access to compromised stations or vehicles. The implementation of this system provides a dynamic and adaptable security layer, far exceeding the capabilities of static or locally managed authentication, and offers a pathway to proactive threat mitigation within the expanding EV charging network.
Effective and secure communication within electric vehicle (EV) charging infrastructure depends critically on the reliable identification of charging stations and the protocols governing data exchange. Recent security research demonstrates a concerning vulnerability: a simulated attack achieved a 100% success rate by exploiting multiple weaknesses in current systems, emphasizing the urgent need for strengthened defenses. This attack leveraged unique identifiers, such as the Media Access Control (MAC) address, as the Charging Station Identifier, and highlighted how vulnerabilities in these identifiers, combined with weaknesses in protocols like Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), can be exploited to compromise communication. Importantly, the attack introduced a detectable communication delay, suggesting that with appropriate monitoring systems, such intrusions could be identified and mitigated before significant damage occurs, underscoring the importance of proactive security measures and continuous system vigilance.
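The delay mentioned above can be turned into a monitoring signal by comparing each session's request/response latency with a per-station baseline. This is an added sketch, not the paper's method: the latency values are constructed, and the median/MAD scoring, threshold `k` and floor are assumptions.

```python
from statistics import median

MAD_SCALE = 1.4826  # scales MAD to be comparable with a standard deviation

# Constructed request/response latencies in milliseconds (not measured values).
KNOWN_GOOD_MS = [11.8, 12.1, 12.4, 11.9, 12.6, 12.0, 12.3, 13.1, 11.7, 12.2]
SESSIONS = {
    "session-a": [12.0, 12.5, 11.9, 12.8],
    "session-b": [31.0, 29.5, 33.2, 30.1],  # every exchange uniformly slower
    "session-c": [12.2, 58.0, 12.1, 11.9],  # single outlier, e.g. a retransmission
    "session-d": [30.4],                    # too short to judge
}


def build_baseline(latencies_ms):
    """Robust baseline (median, scaled MAD) from known-good latencies."""
    if len(latencies_ms) < 5:
        raise ValueError("need at least 5 baseline samples")
    centre = median(latencies_ms)
    spread = MAD_SCALE * median(abs(x - centre) for x in latencies_ms)
    return centre, spread


def assess_session(latencies_ms, baseline, k=6.0, floor_ms=1.0, min_samples=3):
    """Return (label, score); score is the shift of the session median
    from the baseline, in units of baseline spread."""
    if len(latencies_ms) < min_samples:
        return "insufficient-data", None
    centre, spread = baseline
    # floor_ms keeps a very tight baseline from turning jitter into alerts.
    score = (median(latencies_ms) - centre) / max(spread, floor_ms)
    return ("delayed" if score > k else "normal"), round(score, 2)


def flag_sessions(sessions, baseline):
    """IDs of sessions whose latency is consistently above the baseline."""
    return sorted(sid for sid, lat in sessions.items()
                  if assess_session(lat, baseline)[0] == "delayed")
```

Using the session median means one slow exchange does not raise an alert, while a shift across the whole session does.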
The exploration of ISO 15118’s security reveals a fascinating interplay between intended functionality and inherent weakness. One perceives a designed system, striving for seamless authentication, yet riddled with potential access points for malicious actors, a predictable outcome when complexity exceeds rigorous testing. As Paul Erdős once stated, “A mathematician knows how to solve a problem that he knows how to state.” This sentiment resonates deeply with the presented research; the vulnerabilities weren’t flaws despite the system’s sophistication, but because of it. The very mechanisms intended to streamline plug and charge create vectors for man-in-the-middle attacks, proving that understanding a system’s boundaries often requires probing, and even exceeding, those limits. The proposed mitigations are not merely patches, but a testament to the ongoing dance between creation and deconstruction.
What Lies Ahead?
The presented work exposes ISO 15118 not as a flawlessly engineered protocol, but as a complex system revealing its inherent limitations under scrutiny. Each identified vulnerability isn’t simply a ‘bug’; it’s a confession – a testament to the compromises made in the pursuit of convenience and interoperability. The proposed mitigations offer temporary relief, patching symptoms rather than addressing the fundamental tension between open communication and robust security inherent in any public-facing infrastructure. A truly resilient system will necessitate a shift in philosophy.
Future investigations should abandon the assumption of inherent trust within the charging ecosystem. The current reliance on TLS certificates, while a necessary baseline, proves insufficient against determined attackers. Exploring decentralized authentication methods, perhaps leveraging blockchain technologies or zero-knowledge proofs, could offer a pathway towards a more secure, albeit more complex, paradigm. The challenge lies not merely in securing the communication channel, but in verifying the intent of each participant.
Ultimately, the pursuit of secure electric vehicle charging is a continual game of cat and mouse. Each defensive measure will inevitably provoke new offensive strategies. The true measure of success won’t be the elimination of all vulnerabilities – an impossible task – but the establishment of a system capable of rapidly identifying, analyzing, and adapting to emerging threats. The system will be broken; the question is whether it can be broken, understood, and rebuilt faster than it can be exploited.
Original article: https://arxiv.org/pdf/2512.15966.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2025-12-21 23:40