Real-world impersonation and discharge attacks on electric vehicle charging systems.
With about $180 of off-the-shelf hardware, we steal charging billed to a victim, and drain an EV's battery until it won't start — demonstrated on production cars and live public charging networks.
The attacks
DIN 70121 — the protocol behind most DC fast charging — has no encryption and no authentication. Everything is plaintext, and the systems built on it trust the message over physical reality.
Autocharge bills a car automatically by its EVCCID — which is just the plaintext PLC MAC address. We harvest it in under 10 seconds, then replay it to charge anywhere, billed to the victim.
During PreCharge, the charger reports a voltage the car's BMS should verify before closing contactors. Our rogue charger simply claims the right voltage — the pins are at 0 V — and a vulnerable BMS connects the battery to our load.
(Figure: EVSEPresentVoltage in PreChargeRes)
Key findings
Forced discharge — comparative results
| Vehicle | Vulnerable? | Discharge (est.) | Driver alert |
|---|---|---|---|
| Tesla Model Y | No — HW voltage sensor | — | — |
| Luxgen n7 | Yes | 60 min / ~1.25 kWh | None |
| CMC (unpublished) | Yes | ~2 min / ~0.05 kWh | None |
| Hyundai IONIQ 6 | Yes | ~26 min / ~0.5 kWh | None |
Energy is estimated from the load bank's rated power and discharge duration — protocol-reported, not externally metered. Tesla refused to close contactors and logged "External voltage verification failed."
How it works
The root cause is architectural: a safety- or billing-critical decision is gated on a message instead of a physical measurement.
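As an added illustration of the architectural point (this is example code written for this page, not code from the paper, the authors, or any vehicle's firmware), the following BMS PreCharge gate closes the DC contactors only when the charger's protocol-reported EVSEPresentVoltage agrees with an independent physical measurement at the inlet. The field name follows DIN 70121 PreChargeRes; the sensor interface, the tolerance value and the sample voltages are assumptions for the example.

```python
# Added example (not from the paper or any vendor firmware): gating contactor
# closure on a physical measurement rather than on the PreChargeRes message alone.
# Field name per DIN 70121 PreChargeRes; tolerance and sample values are assumed.
from dataclasses import dataclass


@dataclass
class PreChargeRes:
    evse_present_voltage: float  # volts, as claimed by the charger over PLC


# Assumed tolerance: precharge normally requires the charger output to sit within
# a few volts of the pack before the contactors close; real stacks set their own.
MATCH_TOLERANCE_V = 20.0


def message_only_gate(msg: PreChargeRes, pack_voltage: float) -> bool:
    """Vulnerable pattern: the decision is gated on the message alone, so a rogue
    EVSE that merely claims the right voltage passes with 0 V on the pins."""
    return abs(msg.evse_present_voltage - pack_voltage) <= MATCH_TOLERANCE_V


def measured_gate(msg: PreChargeRes, pack_voltage: float,
                  inlet_voltage_measured: float) -> tuple[bool, str]:
    """Hardened pattern: the message is advisory. Contactors close only if
    (1) the reported voltage matches what the inlet sensor actually sees and
    (2) that measured voltage is inside the precharge window of the pack."""
    if abs(msg.evse_present_voltage - inlet_voltage_measured) > MATCH_TOLERANCE_V:
        return False, "External voltage verification failed"
    if abs(inlet_voltage_measured - pack_voltage) > MATCH_TOLERANCE_V:
        return False, "Inlet voltage outside precharge window"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: pack at 392 V; a rogue EVSE claims 390 V while the
    pins sit at 0 V; an honest EVSE claims 389 V and really delivers it."""
    pack_v = 392.0
    rogue = PreChargeRes(evse_present_voltage=390.0)
    honest = PreChargeRes(evse_present_voltage=389.0)
    return {
        "rogue_message_only": message_only_gate(rogue, pack_v),
        "rogue_measured": measured_gate(rogue, pack_v, inlet_voltage_measured=0.0),
        "honest_measured": measured_gate(honest, pack_v, inlet_voltage_measured=389.0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The message-only gate accepts the rogue charger; the measured gate rejects it with the same class of error the Tesla log shows in the table above, and still accepts an honest charger whose reported and measured voltages agree.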
Demos
Short clips of the live attacks.
A spoofed EVCCID authorizes a real charging session in 3.2 s, billed to the victim.
A rogue EVSE forces a production EV to discharge its battery into a resistive load.
FAQ
The novelty is the real-world result: it's the first end-to-end demonstration against live commercial Autocharge networks, with a single device (no two-station relay, no victim presence) — and the finding that all seven networks we tested have no fraud detection, so a statically harvested identifier is a repeatable, untraceable credential.
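To make the "no fraud detection" finding concrete from the network operator's side, here is an added example (written for this page, not code from the paper or from any charging network) of a back-end check that flags a replayed EVCCID: because the identifier is static, a harvested one tends to show up at two stations the same car could not have driven between in the available time, or at two stations at once. The station coordinates, session records, EVCCID values and the speed bound are all constructed for the example.

```python
# Added example (not from the paper or any network back end): flagging reuse of a
# static Autocharge EVCCID across sessions that are physically implausible.
# All station locations, EVCCIDs, timestamps and the speed bound are constructed.
from math import asin, cos, radians, sin, sqrt

# Assumed plausibility bound: faster than any road trip between two chargers.
MAX_SPEED_KMH = 150.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS-84 points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def autocharge_fraud_alerts(sessions):
    """sessions: dicts with evccid, station, lat, lon, start, end (epoch seconds).
    Returns (evccid, earlier_station, later_station, reason) tuples."""
    by_id = {}
    for s in sorted(sessions, key=lambda s: s["start"]):
        by_id.setdefault(s["evccid"], []).append(s)
    alerts = []
    for evccid, seq in by_id.items():
        for prev, cur in zip(seq, seq[1:]):
            if cur["station"] == prev["station"]:
                continue
            # Same identifier live at two different stations at the same time.
            if cur["start"] < prev["end"]:
                alerts.append((evccid, prev["station"], cur["station"], "concurrent"))
                continue
            # Otherwise require the implied travel speed to be plausible.
            dist_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            gap_h = max(cur["start"] - prev["end"], 1) / 3600.0
            if dist_km / gap_h > MAX_SPEED_KMH:
                alerts.append((evccid, prev["station"], cur["station"], "impossible_travel"))
    return alerts


# Constructed sample: three EVCCIDs (PLC MAC addresses) across two cities ~300 km apart.
SAMPLE_SESSIONS = [
    # normal driver: two sessions in the same city, hours apart -> no alert
    {"evccid": "00:1a:2b:3c:4d:6f", "station": "TPE-1", "lat": 25.03, "lon": 121.56, "start": 28800, "end": 30600},
    {"evccid": "00:1a:2b:3c:4d:6f", "station": "TPE-2", "lat": 25.05, "lon": 121.52, "start": 43200, "end": 45000},
    # victim charges in TPE; 15 min later the same EVCCID starts a session 300 km away
    {"evccid": "00:1a:2b:3c:4d:5e", "station": "TPE-1", "lat": 25.03, "lon": 121.56, "start": 36000, "end": 37800},
    {"evccid": "00:1a:2b:3c:4d:5e", "station": "KHH-1", "lat": 22.63, "lon": 120.30, "start": 38700, "end": 40500},
    # victim still charging while the same EVCCID is also live elsewhere
    {"evccid": "00:1a:2b:3c:4d:70", "station": "TPE-1", "lat": 25.03, "lon": 121.56, "start": 36000, "end": 37800},
    {"evccid": "00:1a:2b:3c:4d:70", "station": "KHH-1", "lat": 22.63, "lon": 120.30, "start": 36600, "end": 38400},
]

if __name__ == "__main__":
    for alert in autocharge_fraud_alerts(SAMPLE_SESSIONS):
        print(alert)
```

This check does not make the identifier a credential again; it only turns a repeatable, untraceable replay into one that leaves a detectable trace in the billing records. The fix that removes the root cause is cryptographic identity (PKI), as the next answer discusses.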
It fixes A1 (Autocharge impersonation) — PKI binds identity cryptographically, so replaying a harvested identifier fails. It does not inherently fix A2 (forced discharge): if the BMS still trusts an authenticated PreCharge message over its own sensors, it still closes the contactors. Crypto does not substitute for a physical measurement.
We deliberately chose architectural diversity (BMS from Tesla in-house, Hyundai Mobis, and Delta Electronics) over sample size. It's an architectural insight, not a prevalence estimate — and a concurrent independent study (DrainDead) found the same flaw across a separate European fleet.
No damage. We used only our own pre-registered accounts (self-paid, 1.25 kWh), tested on private property with our own or manufacturer-provided vehicles, with state-of-charge interlocks, emergency disconnect, and continuous monitoring. The work was IRB-approved and responsibly disclosed before publication.
All electrical values are protocol-reported, and energy is estimated from the load bank's rated power and the discharge duration — we state this explicitly and never claim externally metered values. The vulnerability is the contactor closing and current flowing; the exact wattage is secondary.
Paper, code & team