V2GEvil: Ghost in the Wires
This talk demonstrates a security research framework for analyzing the communication protocols used in electric vehicle (EV) charging, specifically targeting the ISO 15118 standard. The researchers developed a modular tool, V2GEvil, to perform sniffing, enumeration, and fuzzing of the Vehicle-to-Grid (V2G) communication interface. The presentation highlights potential vulnerabilities in the parsing of EXI-encoded messages and the underlying XML handling, which could lead to message processing failures or exploitation of the EVCC implementation. The tool is designed to lower the barrier for security researchers to audit EV charging infrastructure.
Breaking the EV Charging Protocol: How V2GEvil Exposes ISO 15118 Vulnerabilities
TLDR: Researchers at DEF CON 2024 unveiled V2GEvil, a new modular framework designed to audit the ISO 15118 standard used in electric vehicle charging. By targeting the parsing of EXI-encoded messages and XML handling, the tool exposes critical vulnerabilities that can lead to message processing failures or remote exploitation. This framework finally provides security researchers with a practical, low-cost way to test the security of EV charging infrastructure.
Electric vehicle charging is no longer just a simple power transfer. It is a complex, networked exchange of digital data between the vehicle and the charging station. As the industry pushes for mass adoption, the ISO 15118 standard has become the backbone of this communication, enabling features like Plug and Charge. However, this added complexity introduces a massive, largely unexamined attack surface. If you are a researcher or pentester, you should be paying attention because the current state of EV charging security is effectively a black box that is ripe for exploitation.
The Mechanics of the V2G Attack Surface
The core of the issue lies in the communication flow between the Electric Vehicle Communication Controller (EVCC) and the Supply Equipment Communication Controller (SECC). This interaction relies on Efficient XML Interchange (EXI), a binary format designed to be compact and efficient for constrained devices. While EXI is great for performance, it is notoriously difficult to parse securely.
When a vehicle plugs into a charger, the two devices perform a handshake to negotiate parameters. This process involves parsing complex XML structures that are often handled by custom or legacy codebases. If an attacker can inject malformed EXI data, they can trigger memory corruption, logic errors, or even XML External Entity (XXE) injection if the underlying parser is not configured correctly. The V2GEvil framework allows researchers to intercept, modify, and replay these messages, effectively turning the charging station into a target for fuzzing.
Technical Deep Dive: Fuzzing the Parser
The V2GEvil tool is built to be modular, which is exactly what the research community needs. It includes a sniffer module for capturing traffic, an enumerator for mapping out supported protocols and cipher suites, and a fuzzer for testing the resilience of the EVCC implementation.
The fuzzer is particularly interesting because it targets the specific parsing logic of the EXI-to-XML conversion. By sending invalid values for parameters within the V2G response messages, researchers can observe how the target device handles unexpected input. A typical fuzzer command looks like this:
# Example of running the fuzzer module against a target
sudo v2gevil fuzzer --config config.json --mode message
The tool leverages the QCA7000 chipset, which is ubiquitous in many EV charging implementations. Because many manufacturers use the same underlying hardware and firmware, a vulnerability found in one implementation often translates to a widespread issue across multiple vendors. By flashing the appropriate firmware, you can turn a cheap development board into a powerful testing device for under 20 Euros, making this research accessible to anyone with a soldering iron and a bit of patience.
Real-World Engagement Scenarios
During a penetration test of an EV charging network, you are not just looking for a single bug. You are looking for the ability to disrupt service or gain unauthorized access to the charging network. If you can successfully fuzz the SECC, you might be able to force a denial-of-service condition, rendering the charger unusable. In a more severe scenario, if the charging station is connected to a backend management system, a successful exploit could potentially lead to lateral movement within the provider's infrastructure.
When you are on-site, focus on the physical connection. The dLAN Green PHY modules are the standard for this communication. By tapping into the Control Pilot (CP) and Protective Earth (PE) pins, you can capture the traffic directly. Use the sniffer module to baseline the normal communication flow and then start injecting your fuzzed payloads. The goal is to identify where the parser fails to handle edge cases, such as oversized payloads or unexpected XML tags.
Defensive Considerations
For the blue team, the primary defense is rigorous input validation. Since the vulnerability often stems from how the EXI data is converted into XML, ensure that your parsers are hardened against common injection attacks. Disable external entity resolution in your XML parsers and implement strict schema validation for all incoming V2G messages. Furthermore, monitor for anomalous traffic patterns on the charging network. A sudden spike in malformed packets or repeated handshake failures is a strong indicator that someone is actively probing your infrastructure.
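To make the hardening advice concrete, here is an added example (written for this write-up; it is not code from V2GEvil, the talk, or any ISO 15118 implementation): a Python handler for the XML side of a decoded V2G message that refuses DOCTYPE declarations and external entities, caps message size and nesting depth, and checks the content against a per-message allowlist that stands in for schema validation. The message layout, element names, the EVCCID pattern and the limits are simplified assumptions, and every sample message is constructed.

```python
"""Hardened handling of a decoded (EXI -> XML) V2G message.

Added example for this write-up; not code from V2GEvil or the DEF CON talk.
The message layout, element names, value patterns and limits below are
simplified assumptions standing in for the real ISO 15118 schema.
"""
import io
import re
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

MAX_MESSAGE_BYTES = 4096   # assumption: upper bound for one decoded V2G message
MAX_DEPTH = 16             # assumption: V2G messages are shallow; deep nesting is hostile

# Allowlist per message type: element -> pattern its text must match (assumed, not ISO 15118).
SCHEMA = {
    "SessionSetupReq": {"EVCCID": re.compile(r"[0-9A-F]{12}")},
}

# Constructed samples (simplified, no namespaces).
BENIGN_MSG = b"<SessionSetupReq><EVCCID>0102030405AB</EVCCID></SessionSetupReq>"
XXE_MSG = (b'<!DOCTYPE SessionSetupReq [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
           b"<SessionSetupReq><EVCCID>&xxe;</EVCCID></SessionSetupReq>")
BAD_VALUE_MSG = b"<SessionSetupReq><EVCCID>ZZZZ</EVCCID></SessionSetupReq>"
EXTRA_ELEMENT_MSG = (b"<SessionSetupReq><EVCCID>0102030405AB</EVCCID>"
                     b"<Extra>1</Extra></SessionSetupReq>")
OVERSIZED_MSG = b"<SessionSetupReq><EVCCID>" + b"A" * 5000 + b"</EVCCID></SessionSetupReq>"


class _RejectDTD:
    """Lexical handler: a DOCTYPE has no business in a V2G message, so refuse it outright."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not permitted in V2G message")
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


class _Collector(ContentHandler):
    """Records the root element and each element's text; enforces the nesting limit."""
    def __init__(self):
        super().__init__()
        self.root = None
        self.text = {}
        self.stack = []

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name
        self.stack.append(name)
        if len(self.stack) > MAX_DEPTH:
            raise ValueError("element nesting exceeds limit")
        self.text.setdefault(name, "")

    def characters(self, content):
        if self.stack:
            self.text[self.stack[-1]] += content

    def endElement(self, name):
        self.stack.pop()


def parse_v2g_message(raw: bytes) -> dict:
    """Parse and validate one decoded message; raise ValueError on anything unexpected."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValueError("message exceeds size limit")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # never fetch external general entities
    parser.setFeature(feature_external_pes, False)   # never fetch external parameter entities
    parser.setProperty(property_lexical_handler, _RejectDTD())
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(raw))

    rules = SCHEMA.get(collector.root)
    if rules is None:
        raise ValueError(f"unknown message type: {collector.root}")
    unexpected = set(collector.text) - {collector.root} - set(rules)
    if unexpected:   # strict: anything the allowlist does not name is rejected
        raise ValueError(f"unexpected elements: {sorted(unexpected)}")
    fields = {}
    for elem, pattern in rules.items():
        value = collector.text.get(elem, "").strip()
        if not pattern.fullmatch(value):
            raise ValueError(f"invalid value for {elem}")
        fields[elem] = value
    return {"type": collector.root, **fields}


def try_parse(raw: bytes):
    """Convenience wrapper returning (accepted, detail) instead of raising."""
    try:
        return True, parse_v2g_message(raw)
    except (ValueError, xml.sax.SAXException) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN_MSG), ("xxe", XXE_MSG), ("bad value", BAD_VALUE_MSG),
                       ("extra element", EXTRA_ELEMENT_MSG), ("oversized", OVERSIZED_MSG)]:
        print(f"{label:14s} -> {try_parse(msg)}")
```

The size check runs before any parsing so an oversized payload never reaches the XML layer; the DOCTYPE rejection and the disabled external-entity features are layered so that an XXE attempt fails on the first line regardless of how the underlying expat build is configured.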
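For the monitoring point, an added example (constructed for this write-up; not V2GEvil code or anything presented in the talk): a small Python detector that reads charger-side log lines and raises an alert when a single SECC accumulates a burst of handshake failures or malformed messages inside a sliding window. The log format, event names, window and threshold are assumptions, and the log lines are constructed.

```python
"""Burst detector for handshake failures / malformed V2G messages per charger.

Added example for this write-up (not V2GEvil code). Log format, event names,
window and threshold are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPICIOUS_EVENTS = {"handshake_fail", "malformed_message"}   # assumed event names
WINDOW = timedelta(seconds=60)
THRESHOLD = 5   # alert when one SECC logs this many suspicious events inside WINDOW

# Constructed sample log: CP-0017 sees a burst, 15 minutes after one unrelated failure,
# while CP-0042 charges normally.
SAMPLE_LOG = """\
2024-08-10T11:50:00Z secc=CP-0017 evccid=AABBCCDDEEFF event=handshake_fail reason=tls_alert
2024-08-10T12:00:01Z secc=CP-0042 evccid=0102030405AB event=handshake_ok
2024-08-10T12:00:31Z secc=CP-0042 evccid=0102030405AB event=session_setup_ok
2024-08-10T12:05:02Z secc=CP-0017 evccid=AABBCCDDEEFF event=handshake_fail reason=exi_decode_error
2024-08-10T12:05:05Z secc=CP-0017 evccid=AABBCCDDEEFF event=malformed_message reason=schema_violation
2024-08-10T12:05:09Z secc=CP-0017 evccid=AABBCCDDEEFF event=handshake_fail reason=exi_decode_error
2024-08-10T12:05:12Z secc=CP-0017 evccid=AABBCCDDEEFF event=malformed_message reason=unexpected_element
2024-08-10T12:05:14Z secc=CP-0042 evccid=0102030405AB event=charge_progress
2024-08-10T12:05:18Z secc=CP-0017 evccid=AABBCCDDEEFF event=handshake_fail reason=exi_decode_error
2024-08-10T12:05:21Z secc=CP-0017 evccid=AABBCCDDEEFF event=malformed_message reason=schema_violation
2024-08-10T12:09:00Z secc=CP-0042 evccid=0102030405AB event=session_stop_ok
"""


def parse_line(line: str) -> dict:
    """Split '<timestamp> key=value ...' into a dict with a parsed 'ts' field."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_probing(lines, window=WINDOW, threshold=THRESHOLD) -> list:
    """Return one alert per burst of suspicious events from the same SECC."""
    recent = defaultdict(deque)   # secc -> timestamps of suspicious events still in window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") not in SUSPICIOUS_EVENTS:
            continue
        q = recent[ev["secc"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # evict events that fell out of the window
            q.popleft()
        if len(q) == threshold:   # fires once per burst, when it first reaches the threshold
            alerts.append({"secc": ev["secc"], "at": ev["ts"].isoformat(),
                           "count": len(q), "last_reason": ev.get("reason")})
    return alerts


if __name__ == "__main__":
    for alert in detect_probing(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, the lone failure at 11:50 has already aged out when the burst starts, so the alert fires on the fifth suspicious event at 12:05:18 and the healthy charger CP-0042 never appears in the output; widening the window or lowering the threshold changes when, not whether, the burst is caught.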
The release of V2GEvil is a wake-up call for the automotive industry. We are moving toward a future where our vehicles are constantly connected to the grid, and we cannot afford to treat these communication protocols as an afterthought. If you are a researcher, download the V2GEvil repository and start testing. The industry is currently lacking the open-source tools necessary to secure this infrastructure, and it is up to us to fill that gap. Don't wait for a high-profile exploit to make this a priority. Start auditing these systems today, because the ghost in the wires is already there, and it is only a matter of time before someone else finds it.