Table of Contents
Fetching ...

Brokenwire : Wireless Disruption of CCS Electric Vehicle Charging

Sebastian Köhler, Richard Baker, Martin Strohmeier, Ivan Martinovic

TL;DR

Brokenwire identifies a practical EMC-based vulnerability in CCS charging by exploiting the HomePlug Green PHY CSMA/CA channel, enabling wireless preamble injection to abort charging sessions with minimal power and short proximity. The study validates the attack in both lab and real-world deployments (8 EVs, 20 EVSE) and demonstrates ranges up to 47 m with sub‑1 W power, with cross‑floor and drive‑by feasibility. It compares the approach to broadband jamming, showing preamble injection is orders of magnitude more effective, and discusses mitigations spanning electromagnetic hardening, software adjustments, and noise-floor strategies. The findings have immediate implications for millions of vehicles and fleet charging operations, motivating industry disclosure and targeted defenses to protect critical charging infrastructure and vehicle-to-grid capabilities.

Abstract

We present a novel attack against the Combined Charging System, one of the most widely used DC rapid charging technologies for electric vehicles (EVs). Our attack, Brokenwire, interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack requires only temporary physical proximity and can be conducted wirelessly from a distance, allowing individual vehicles or entire fleets to be disrupted stealthily and simultaneously. In addition, it can be mounted with off-the-shelf radio hardware and minimal technical knowledge. By exploiting CSMA/CA behavior, only a very weak signal needs to be induced into the victim to disrupt communication - exceeding the effectiveness of broadband noise jamming by three orders of magnitude. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it. We first study the attack in a controlled testbed and then demonstrate it against eight vehicles and 20 chargers in real deployments. We find the attack to be successful in the real world, at ranges up to 47 m, for a power budget of less than 1 W. We further show that the attack can work between the floors of a building (e.g., multi-story parking), through perimeter fences, and from `drive-by' attacks. We present a heuristic model to estimate the number of vehicles that can be attacked simultaneously for a given output power. Brokenwire has immediate implications for a substantial proportion of the around 12 million battery EVs on the roads worldwide - and profound effects on the new wave of electrification for vehicle fleets, both for private enterprise and crucial public services, as well as electric buses, trucks and small ships. As such, we conducted a disclosure to the industry and discussed a range of mitigation techniques that could be deployed to limit the impact.

Brokenwire : Wireless Disruption of CCS Electric Vehicle Charging

TL;DR

Brokenwire identifies a practical EMC-based vulnerability in CCS charging by exploiting the HomePlug Green PHY CSMA/CA channel, enabling wireless preamble injection to abort charging sessions with minimal power and short proximity. The study validates the attack in both lab and real-world deployments (8 EVs, 20 EVSE) and demonstrates ranges up to 47 m with sub‑1 W power, with cross‑floor and drive‑by feasibility. It compares the approach to broadband jamming, showing preamble injection is orders of magnitude more effective, and discusses mitigations spanning electromagnetic hardening, software adjustments, and noise-floor strategies. The findings have immediate implications for millions of vehicles and fleet charging operations, motivating industry disclosure and targeted defenses to protect critical charging infrastructure and vehicle-to-grid capabilities.

Abstract

We present a novel attack against the Combined Charging System, one of the most widely used DC rapid charging technologies for electric vehicles (EVs). Our attack, Brokenwire, interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack requires only temporary physical proximity and can be conducted wirelessly from a distance, allowing individual vehicles or entire fleets to be disrupted stealthily and simultaneously. In addition, it can be mounted with off-the-shelf radio hardware and minimal technical knowledge. By exploiting CSMA/CA behavior, only a very weak signal needs to be induced into the victim to disrupt communication - exceeding the effectiveness of broadband noise jamming by three orders of magnitude. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it. We first study the attack in a controlled testbed and then demonstrate it against eight vehicles and 20 chargers in real deployments. We find the attack to be successful in the real world, at ranges up to 47 m, for a power budget of less than 1 W. We further show that the attack can work between the floors of a building (e.g., multi-story parking), through perimeter fences, and from `drive-by' attacks. We present a heuristic model to estimate the number of vehicles that can be attacked simultaneously for a given output power. Brokenwire has immediate implications for a substantial proportion of the around 12 million battery EVs on the roads worldwide - and profound effects on the new wave of electrification for vehicle fleets, both for private enterprise and crucial public services, as well as electric buses, trucks and small ships. As such, we conducted a disclosure to the industry and discussed a range of mitigation techniques that could be deployed to limit the impact.
Paper Structure (30 sections, 5 equations, 15 figures, 1 table)

This paper contains 30 sections, 5 equations, 15 figures, 1 table.

Figures (15)

  • Figure 1: Europe's largest high-power charging hub with 26 CCS charging stations that allow a total of 52 vehicles to be charged concurrently enbw_kamen.
  • Figure 2: Examples of current electric vehicles now following the Combined Charging System standard and implementing the high-level communication using PLC, which makes them vulnerable to the Brokenwire attack.
  • Figure 3: The two different plug layouts used by CCS in North America (Combo 1) and Europe (Combo 2) respectively.
  • Figure 4: Attack illustration. The injected preamble is not distinguishable from background noise. Only applying a correlation function on the captured data revealed the preamble position. Nevertheless, it caused a packet loss of around 80%.
  • Figure 5: An overview of the experimental setup used to evaluate the attack under controlled lab conditions.
  • ...and 10 more figures