DCeption: Real-world Wireless Man-in-the-Middle Attacks Against CCS EV Charging
Marcell Szakály, Martin Strohmeier, Ivan Martinovic, Sebastian Köhler
TL;DR
This work addresses the critical risk of wireless access to the CCS charging protocol used by most EVs. It presents a real-time SDR implementation of HomePlug Green PHY, enabling end-to-end MitM on actual devices, and analyzes 2,750 charging sessions to quantify timing constraints for hijacking. The authors demonstrate TLS downgrades, protocol-version manipulation, and power-delivery tampering, including overcharge and reporting-discrepancy attacks, across multiple charger and vehicle brands. They also propose a downgrade-resistant countermeasure leveraging a parallel signaling channel to securely disseminate NMK, aiming for backward compatibility. The findings expose practical vulnerabilities in CCS and underscore the need for hardware- and standard-level mitigations to protect safety-critical power delivery and payments in EV charging infrastructures.
Abstract
The adoption of Electric Vehicles (EVs) is happening at a rapid pace. To ensure fast and safe charging, complex communication is required between the vehicle and the charging station. In the globally used Combined Charging System (CCS), this communication is carried over the HomePlug Green PHY (HPGP) physical layer. However, HPGP is known to suffer from wireless leakage, which may expose this data link to nearby attackers. In this paper, we examine active wireless attacks against CCS, and study the impact they can have. We present the first real-time Software-Defined Radio (SDR) implementation of HPGP, granting unprecedented access to the communications within the charging cables. We analyze the characteristics of 2,750 real-world charging sessions to understand the timing constraints for hijacking. Using novel techniques to increase the attacks' reliability, we design a robust wireless Man-in-the-Middle evaluation framework for CCS. We demonstrate full control over TLS usage and CCS protocol version negotiation, including TLS stripping attacks. We investigate how real devices respond to safety-critical MitM attacks, which modify power delivery information, and found target vehicles to be highly permissive. First, we caused a vehicle to display charging power exceeding 900 kW on the dashboard, while receiving only 40 kW. Second, we remotely overcharged a vehicle, at twice the requested current for 17 seconds before the vehicle triggered the emergency shutdown. Finally, we propose a backwards-compatible, downgrade-proof protocol extension to mitigate the underlying vulnerabilities.
