Peril at the Plug: Investigating EV Charger Security and Safety Failures

Presented at Black Hat USA 2025 by

The past few years have seen a rapid increase in Level 2 EV charging equipment (EVSE) options for consumers. Along with choosing the right equipment, EV owners face installation decisions, such as hiring specialized installers or doing it themselves. However, many consumers are unaware of the cybersecurity risks inherent in all chargers. Vulnerability bounty programs have shown that even simple remote attacks can take full control of these devices. These challenges create an environment of safety risks that can endanger life and property. Our research examines the real-world consequences of compromised EVSE through the destructive testing of seven different products. We begin by reviewing common remote attacks found across various EV chargers and disclose several recently identified zero-day vulnerabilities. We then introduce a testing methodology simulating a worst-case scenario where a malicious actor bypasses safety mechanisms to cause maximum damage. The results include video footage of the tests, showcasing any destruction, collateral damage, and latent hazards. Lastly, we offer recommendations for enhancing safety through security best practices, hardware design, and implementation. Attendees will gain insight into the current state of EVSE security, how to assess EVSE safety mechanisms, and the real-world dangers of using EVSE with safety features that can be bypassed via compromise.