Researchers from the University of Oxford published details of a vulnerability in the Combined Charging System that has the potential to abort charging.
The Combined Charging System (CCS) is one of the plethora of standards in the EV charging world, and allows DC fast charging.
Different plug types are used for the US and EU regions (dubbed Combo 1 and 2 respectively) but both use the same underlying technology. As well as taking in all that lovely charge, the EV and the Electric Vehicle Supply Equipment (EVSE) swap messages concerning how charged things are, the maximum possible current and so on. The link used for the communication is provided by the HomePlug Green PHY (HPGP) power-line communication (PLC) technology.
The researchers created a lab testbed that consisted of the same HPGP modems used in most EVs and charging stations at the victim end, and a software defined radio replete with a 1W RF amplifier on an antenna the team made themselves (with which to carry out the attack).
They also took the kit out into the real world and tried it in test sites on seven vehicles from different manufacturers and 18 DC high-power chargers.
The results make for grim reading. The off-the-shelf gear managed to abort the charging process from up to 10 meters away from the target with a power budget of 10mW. The closer one got, the less power was needed to cause a 100 percent packet loss. When outside the lab, the team stuck to a maximum output power of 1W to avoid breaking any national transmission regulations.
Before EV vehicle owners panic about their beloved trundle-wagons being targeted in this way, the attack only interrupts the charging (a victim would need to simply disconnect and reconnect their vehicle.) Researchers found no evidence of any long-term damage caused by the attack. They also reckoned that home AC chargers (which use a different communication standard) were also unlikely to be affected, although cautioned that things could change as home chargers received ISO 15118 support.
However, an unexpectedly uncharged battery could be more than an inconvenience for some users (such as the emergency services) and the wireless nature of the attack makes it stealthier than simply hitting the off button or snipping a cable.
The research is a reminder of the ever-widening attack surface afforded by smart vehicles, not just through the onboard chippery, but also via the connection used to charge the growing fleet of EVs in the world. The team has made a preprint of its paper available here [PDF], with parts redacted for the sake of responsible disclosure. ®