Background
Plug-n-Charge (PnC) is a feature of today's EVs and chargers that lets the vehicle identify its owner's account to the charger automatically so that a charging session can be authorized and billed. Because money changes hands on the strength of this exchange, these systems must be scrutinized for security, yet the communications between the vehicle and the charger have received little analysis. A reliable method of tampering with these messages would enable further security research in this area.
Approach
On review, the applicable standard, ISO 15118, appeared vulnerable to machine-in-the-middle (MitM) attacks, because it requires EVs to rely on measurements that each charger reports about itself, with no independent way for the vehicle to verify them. The objective of this research was to determine whether this weakness is exploitable and, if so, to produce a reliable method of exploiting it that exposes the communications for further study. First, a benchtop simulation was built to prototype the attack in a laboratory setting. Then the attack was demonstrated against a real EV and a real charger, owned by Divisions 10 and 3 respectively.
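The following is an added illustration of the trust gap just described, not the project's proof-of-concept and not the ISO 15118 wire format (which carries EXI-encoded XML over TLS). It models a charger that self-reports meter values, an EV that accepts them as the standard requires, and a relay in between that rewrites the reported energy. The hardened variant, in which the charger authenticates each report with a key the EV can check, is shown only to make the contrast concrete; the message names, fields, the pre-shared key and the HMAC construction are assumptions of this example, and the page does not state what mitigation was recommended to ISO.

```python
"""Toy model of the ISO 15118 weakness described above: the EV has no
independent way to verify the charger's self-reported measurements, so a
relay between the two can rewrite those values undetected.
Added example; not the project's PoC and not the real protocol encoding."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed demo key standing in for whatever key material a hardened design
# would let the EV use to verify the charger (assumption for this example).
EVSE_SIGNING_KEY = b"constructed-demo-key-not-real"


def _mac(msg: dict) -> str:
    """Authenticate every field except the tag itself, over a canonical encoding."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(EVSE_SIGNING_KEY, canon, hashlib.sha256).hexdigest()


def evse_report(energy_wh: int, voltage_v: float, current_a: float, signed: bool) -> dict:
    """Charger side: self-reported meter and electrical values (simplified
    message shape; an assumption, not the standard's MeterInfo structure)."""
    msg = {"type": "MeterInfo", "energy_wh": energy_wh,
           "voltage_v": voltage_v, "current_a": current_a}
    if signed:
        msg["mac"] = _mac(msg)
    return msg


def mitm_relay(msg: dict, inflate_wh: int) -> dict:
    """Machine-in-the-middle: forwards the charger's message with the reported
    energy inflated. Any authentication tag is left untouched because the relay
    holds no key."""
    tampered = dict(msg)
    tampered["energy_wh"] = msg["energy_wh"] + inflate_wh
    return tampered


@dataclass
class EV:
    verify: bool
    accepted_wh: list = field(default_factory=list)
    rejected: int = 0

    def receive(self, msg: dict) -> bool:
        """EV side. With verify=False the vehicle simply trusts the reported
        value, as the text above describes; with verify=True it checks the tag
        first and drops anything it cannot authenticate."""
        if self.verify:
            if "mac" not in msg or not hmac.compare_digest(msg["mac"], _mac(msg)):
                self.rejected += 1
                return False
        self.accepted_wh.append(msg["energy_wh"])
        return True


def run_session(verify: bool, inflate_wh: int) -> tuple:
    """Simulate five metering reports of a charging session through the relay.
    Returns (energy the EV ends up believing it consumed, reports rejected)."""
    ev = EV(verify=verify)
    for step in range(1, 6):
        true_total_wh = step * 1000          # constructed meter progression
        report = evse_report(true_total_wh, 400.0, 32.0, signed=verify)
        ev.receive(mitm_relay(report, inflate_wh))
    return (ev.accepted_wh[-1] if ev.accepted_wh else 0, ev.rejected)


if __name__ == "__main__":
    # Unverified: the relay's inflated figure is accepted as if the charger sent it.
    print("unverified, tampered:", run_session(verify=False, inflate_wh=500))
    # Verified: every tampered report fails authentication and is dropped.
    print("verified, tampered:  ", run_session(verify=True, inflate_wh=500))
    # Verified, untouched: genuine reports still pass.
    print("verified, untouched: ", run_session(verify=True, inflate_wh=0))
```

The point of the model is that the EV's position in the session gives it no information beyond what the charger sends, so in the unverified case nothing distinguishes the relay's numbers from the charger's; only an authenticator bound to the charger's own key material gives the vehicle something to check.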
Accomplishments
The project confirmed the existence of this vulnerability with a working proof-of-concept (PoC) exploit. The PoC has since been confirmed effective against multiple vehicles and chargers, suggesting the vulnerability is widespread. Because of the potentially severe public impact, the root cause was disclosed privately to ISO through CISA, together with recommendations for mitigating follow-on attacks. The newly discovered MitM technique is expected to remain useful for further study of this and other vulnerabilities.
Publications
Common Vulnerabilities & Exposures (CVE) advisory, published by CISA as ICS advisory ICSA-25-303-01: https://www.cisa.gov/news-events/ics-advisories/icsa-25-303-01.