Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft

Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

EV charger hack

Researchers warn that many electric vehicle (EV) charging management systems are affected by vulnerabilities that could allow hackers to cause disruption, steal energy, or obtain driver information. 

The vulnerabilities were discovered by researchers working for SaiFlow, an Israel-based company that specializes in protecting EV charging infrastructure and distributed energy resources.

The security holes are related to the communications between the charging system management service (CSMS) and the EV charge point (CP), specifically the use of the Open Charge Port Protocol (OCPP). The flaws have been confirmed to impact the CSMS offered by multiple vendors.

The problem is related to the use of WebSocket communications by the OCPP and how it mishandles multiple connections. The protocol does not know how to handle more than one CP connection at a time and attackers could abuse this by opening a new connection to the CSMS. Another issue is related to what SaiFlow describes as “weak OCPP authentication and chargers identities policy”.

By opening a new connection to the CSMS on behalf of a charge point, the attacker causes the original connection to be closed or to become nonfunctional. 

According to SaiFlow, an attacker can exploit the weaknesses to launch a distributed denial-of-service (DDoS) attack that disrupts the electric vehicle supply equipment (EVSE) network. In addition, if an attacker can connect to the CSMS, they may be able to obtain drivers’ personal information, including payment card data, as well as other sensitive data, such as server credentials.

In certain configurations, if the charger approves unknown driver identities, an attacker may be able to charge their vehicle without paying for it, the security firm said. 

“Since the CSMS platforms are publicly accessible, it is possible for an attacker to hijack the connection remotely, without needing to gain credentials, access, or perform MITM attacks,” Ron Tiberg-Shachar, co-founder and CEO of SaiFlow, told SecurityWeek.

Tiberg-Shachar believes it may be possible for a somewhat inexperienced hacker to carry out an attack, even with limited resources. 

In order to conduct an attack, the hacker first needs to obtain a charger’s identity. This identity typically has a standard structure, making it easier for threat actors to enumerate the values of valid identifiers. 

In the next phase, they need to obtain information on which CSMS platform the charger is connected to. The expert noted that the CSMS URL can be discovered using services such as Shodan or SecurityTrails. 

SaiFlow has published a technical blog post describing the vulnerabilities and the attack scenarios. The company also provides recommendations for how these types of attacks can be mitigated. 

It doesn’t seem like the vulnerabilities can be easily patched by vendors. 

“We’ve approached many key players in the industry (and keep on doing so) to make them aware of our findings and how they can approach a solution,” Tiberg-Shachar said. “Additionally, we’ve made our solutions team available to support any specific technical questions, in an effort to reinforce vulnerabilities as quickly as possible. Our key goal is to support partners in scaling their charging infrastructure as quickly and safely as possible.”

Related: Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking

Related: Remote ‘Brokenwire’ Hack Prevents Charging of Electric Vehicles

Related: New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.