Read time:00:10
Release date:10.1.2025
EV charging infrastructure is rapidly becoming critical infrastructure, deeply integrated with the power grid, payment systems, and user data. As a result, the stakes of any cyberattack are rising: disrupted services, privacy breaches, and even physical accidents or large‑scale grid disturbances.
Cybersecurity Risks in EV Charging:
What Manufacturers, Operators and Municipalities Must Know
As EV adoption accelerates, public and private sectors are racing to build charging infrastructure. But one critical aspect is often overlooked: and that is cybersecurity. EV chargers are now part of a complex digital ecosystem - interacting with vehicles, cloud systems, payment platforms, and even the national power grid.
A vulnerable charging station is more than an inconvenience - it’s a potential entry point for attackers targeting critical infrastructure.
Key Threats to EV Charging Ecosystems
- Protocol & Firmware Vulnerabilities
Some EV chargers are exposed to risks like command injection and session hijacking due to outdated firmware or insecure implementations of communication standards like OCPP and ISO 15118. - Backend System Exploits
Compromised Charging Point Management Systems (CPMS) can allow full remote control, customer data theft, and service outages. - Cloud & App Insecurity
Misconfigured APIs, hardcoded credentials, and unencrypted data flows expose mobile apps and cloud backends to abuse. - Network Intrusions
Without network segmentation and strong encryption, attackers can pivot between chargers, backend servers, and other critical systems. - Data Privacy Risks
Location history, payment records, and user credentials are all at risk if not properly encrypted and access-controlled.
EV charger manufacturers need to embrace secure-by-design development:
- Use digitally signed firmware and enable secure boot
- Deploy tamper-proof hardware with embedded secure elements
- Enforce TLS 1.3 encryption and certificate-based authentication
- Remove all default or hardcoded credentials
- Join vulnerability disclosure programs (e.g. Pwn2Own Automotive)
TIP: Consider using ISO 15118 and OCPP 2.0.1 as your minimum standard for new products and retire legacy protocols like OCPP 1.6.
What Local Municipalities and Public Operators Must Do
Municipal and government-backed charging networks carry additional risks - impacting citizens, traffic and the energy grid. A successful cyberattack on EV charging stations could disrupt transportation or emergency services, impact traffic flow or billing systems, expose citizen data or even interfere with grid stability. Therefore, operators must:
- Enforce network segmentation (use VLANs, DMZs and firewall policies)
- Enable MFA (multi-factor authentication) and RBAC (role-based access control) across admin interfaces
- Implement real-time threat monitoring with SIEM and anomaly detection tools
- Maintain consistent patching management for all systems and firmware
- Enforce end-to-end encryption (TLS 1.3+) and mutual certificate-based authentication
- Align with relevant regulations and standards, such as GDPR (data protection), ISO/IEC 27001 (security management), ISO 15118 (secure charger-vehicle comms), and NIS2 (critical infrastructure cybersecurity)
- Develop incident response plans tied to local emergency services and utility companies
TIP: Public-sector RFPs for EV infrastructure should include cybersecurity requirements from day one - not as an afterthought.
Why Cities and Local Governments Should Care
In case of questioning why the above actions and precautions are necessary, here is the list of most important reasons why operators should real the above into consideration:
- Public Safety: Over‑ or under‑charging could trigger fires and/or traffic hazards.
- Cascading Infrastructure Risk: A coordinated hack could destabilize traffic signals, transit, or healthcare facilities.
- Financial & Legal Liability: Breaches invite GDPR fines, lawsuits, and loss of public trust.
- National & Energy Security: EV infrastructure is now part of the critical‑energy landscape.
Recent Security Incidents and Identified Vulnerabilities (2023-2025)
These real-world examples (all from the past 18 months) highlight how real and urgent the threat is:
January 2025 - Tesla Wall Connector exploitation at Pwn2Own Tokyo
At the Pwn2Own Automotive 2025 competition in Tokyo, security researchers from teams like PCA Cyber Security (formerly PCAutomotive), Synacktiv, and PHP Hooligans demonstrated multiple vulnerabilities in Tesla’s Wall Connector. Exploits about blog/pwn2own automotive 2025 tesla ev charger exploits take the spotlight on day two included a numeric-range flaw and an attack via the charging connector itself, leading to full remote code execution. Synacktiv's team notably achieved this in just 18 minutes using a chain of vulnerabilities.
November 2024 - CITA Smart Data Breach Affects 116,000 Users
In November 2024, a significant data breach exposed approximately 116,000 records about leaked ev charging station database from multiple global Electric Vehicle (EV) charging network operators. The breach was initially attributed to Tesla; however, it was later clarified that the data originated from a third-party development company responsible for hosting and maintaining information on Tesla’s EV charging stations. The compromised data included sensitive information such as full names, locations, payment details, and vehicle information
June 2024 - Critical Wallbox Vulnerability
In June 2024, a critical vulnerability, [CVE-2023-46359](https://www.cve.org/CVERecord?id=CVE-2023-46359), was discovered about [cve 2023 46359](https://www.cve.org/CVERecord in the Hardy Barth cPH2 Wallbox. This OS command injection flaw allowed unauthenticated remote attackers to execute arbitrary commands on the system. Exploit code was reportedly traded on dark-web forums, posing a significant risk to unpatched devices.
April 2024 - Six Zero-Day Vulnerabilities in OCPP
In April 2024, researchers identified six zero-day vulnerabilities in Open Charge Point Protocol (OCPP) implementations about article/10.1007/s10207 025 01055 7. These flaws exposed EV charging systems to risks such as backend manipulation, fake session injection, and remote tampering. The vulnerabilities underscored the need for enhanced security measures in OCPP communications.
February 2024 - UK Halts Sales of Spanish EV Chargers
In February 2024, the UK government suspended the sale of imported Spanish EV chargers about lifestyle/cars/electric car charger removed cybersecurity fears hack warning, including models from Wallbox, due to cybersecurity concerns. The Office for Product Safety and Standards (OPSS) determined that these models did not meet required cybersecurity standards, posing a threat to national energy infrastructure.
Why Action Is Critical
With Vehicle-to-Grid (V2G) pilots expanding across Europe and Asia, cybersecurity researchers warn that attackers could manipulate charging sessions at scale to disrupt grid stability. While not yet directly addressed in legislation, this remains a critical emerging risk to monitor.
EV charging infrastructure is now deeply linked to:
- Energy distribution
- Mobility services
- National infrastructure resilience
- Personal data protection
Every unsecured charger is a possible attack vector. Every breach damages public trust. For cities, an unprotected EV network could disrupt transportation, trigger outages, or compromise citizen data.
This is no longer about theoretical threats. The attacks are happening.
Emerging Technical Threats
While regulations catch up, researchers continue to uncover new technical risks in EV charging infrastructure. Early 2025 studies highlight how both the physical layer and the network protocols behind chargers can become attack surfaces:
- Weak OCPP implementations – A May 2025 peer-reviewed study in the International Journal of Information Security about article/10.1007/s10207 025 01055 7 showed that unencrypted WebSocket connections and poor session handling in OCPP 1.6 expose chargers to risks such as session hijacking, denial-of-service, and firmware theft
- AI for intrusion detection - New federated learning–based intrusion detection systems demonstrated about html/2506 in early 2025 achieve >98% accuracy in spotting malicious traffic against EVSE, while preserving data privacy across operators.
- Physical-layer exploits (PORTulator) - Researchers unveiled about html/2506 a proof-of-concept hardware implant that can be inserted into the charging connector itself. By spoofing authentication signals, it can cause denial-of-service or even physical damage to both chargers and vehicles.
- Multimodal detection frameworks - Advanced AI models are being trained about html/2506 on both network traffic and kernel-level data, showing that multi-layer visibility is key to detecting stealthy attacks against EV charging systems.
Takeaway: 2025 research also underscores that threats are no longer theoretical - attack surfaces now span from the cloud to the charging cable itself.
Action Plan for Stakeholders
| Stakeholder | What they need to do now (Immediate Priorities) |
| Manufacturers |
Build security into the product from the start. This includes:
|
| Operators (Cities) |
Protect the operational side by:
|
| Regulators | Improve enforcement by:
|
| Utilities |
Ensure the EV charging infrastructure doesn’t threaten grid stability by:
|
| EV Drivers / Public |
Encourage users to protect themselves by:
|
Conclusions
EV charging infrastructure is essential to achieving our decarbonization goals - but it’s increasingly becoming a prime target for cyber threats. To stay ahead of these risks, manufacturers must invest in secure-by-design development, informed by real-world threat intelligence and continuous security validation. Preliminary EV charger penetration testing about services/penetration testing/ev charger penetration testing conducted by PCA Cyber Security can help uncover vulnerabilities early - whether during development or even after deployment - ensuring that any gaps are identified and mitigated before they can be exploited.
In addition, PCA’s product-focused threat intelligence about services/threat intelligence/product security threat intelligence services provide tailored insights into emerging vulnerabilities and attacker behaviour specific to EV charging systems.
Without timely, coordinated defences, local municipalities face the risk of service disruptions, public safety incidents, and cascading impacts across critical infrastructure. The time to build secure, resilient, and trustworthy EV infrastructure is now - not after attackers find the flaws for us.
The PCA Cyber Security Threat Intelligence team has recently conducted in-depth research on EV charger security, and the full report is available upon registration through our website form. This report offers further insights into the risks and attacker techniques targeting charging infrastructure.
Article tags
ev charger security
automotive cybersecurity
financial transaction security
Latest Posts
Popular tags
automotive cybersecurity
pcautomotive
pcacybersecurity
automotive threat intelligence
embedded device security
penetration testing
threat intelligence
ev charger security
financial transaction security
william bartram