DEF CON 33 - One Modem to Brick Them All -Vulns in EV Charging Comms - Jan Berens, Marcell Szakaly
Description
Researchers demonstrate critical vulnerabilities in the QCA 7000 HomePlug modem used in CCS and NACS EV charging systems. The talk covers remote configuration overrides, signal leakage via ground lines, and successful code execution on the modem hardware.
One Modem to Brick Them All: Unmasking Fatal Flaws in EV Charging Infrastructure
As the world transitions to electric vehicles, the security of the underlying charging infrastructure becomes a matter of national importance. In a groundbreaking DEF CON 33 presentation, researchers Jan Berens and Marcell Szakaly revealed that the foundation of modern EV charging—Power-Line Communication (PLC)—is built on a house of cards. By targeting the near-ubiquitous Qualcomm QCA 7000 modem series, they demonstrated how attackers can remotely disable chargers, sniff private communication from a distance, and even achieve remote code execution on the hardware itself.
The Achilles' Heel of EV Charging: PLC
Most modern DC fast-charging standards, including CCS (Combined Charging System) and Tesla's NACS (North American Charging Standard), rely on the HomePlug Green PHY protocol for high-level communication between vehicle and charger. This protocol uses Power-Line Communication to carry Ethernet frames over the charging cable; in CCS the signal is coupled onto the Control Pilot and protective-earth (PE) conductors rather than the power conductors themselves. While convenient, the technology was originally designed for home networking over mains wiring, not for critical industrial infrastructure.
The researchers found that almost every EV and charger on the market uses the same silicon: the QCA 7000 or QCA 7005. This monoculture means that a single vulnerability can affect nearly the entire global fleet of EVs. Their field study of 397 charging plugs across Europe showed that more than half run firmware over ten years old, and none had patched attacks that have been public knowledge for years, such as Brokenwire (disclosed in 2022).
Technical Deep Dive: The Pibbuster Attack
At the core of the modem's configuration is the Parameter Information Block (PIB). This binary blob contains critical settings like MAC addresses and network keys. Using the Open PLC Utils suite, the researchers discovered a vulnerability they dubbed 'Pibbuster.'
Understanding the Vulnerability
The QCA chips accept management messages that let the host update the PIB. Because the EV and the charger join the same HomePlug logical network for the session, each modem treats the other as a trusted member: a management message arriving from the far end of the cable is handled like one from the local host. The researchers found that they could therefore send a `pibwrite` across the charging cable and overwrite the configuration of the charger (from the car side) or of the car (from the charger side).
Bypassing the Security Bit
Some modems carry a security bit at offset `1f8c` of the PIB that is meant to block remote writes, but the researchers found a fatal flaw in how it is enforced: after a standard reset command, the chip often comes back on a hidden factory configuration in which the bit is clear, so the protection is simply gone.
Steps to exploit:
- Establish a PLC link using a rogue EV emulator (like a Raspberry Pi with a QCA 7000 dev board).
- Attempt to read the victim's PIB using `pibread`.
- If blocked, issue a `reset` command to the remote modem.
- Re-attempt the `pibwrite` with a malicious PIB that disables the host interface or changes the Network Membership Key (NMK).
- The device is now effectively 'bricked' until it is manually reflashed or power-cycled.
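To make the PIB concrete, here is an added example in Python (my code, not the speakers' tooling) that audits a dumped PIB image and shows how a replacement blob with a new NMK and a valid checksum is assembled, which is what a `pibwrite` ultimately delivers. The field offsets follow the `simple_pib` layout of open-plc-utils as I recall it (u16 length at 0x04, u32 checksum at 0x08, MAC at 0x0C, NMK at 0x64) plus the page's lock byte at `1f8c`; every offset and the "nonzero means locked" semantics are assumptions to confirm against a real dump, and the sample image is constructed inline.

```python
"""Audit and patch a QCA PIB (Parameter Information Block) image.

Added example (not the speakers' tooling).  The field offsets follow the
simple_pib layout in open-plc-utils as I recall it (u16 length at 0x04,
u32 checksum at 0x08, MAC at 0x0C, NMK at 0x64) plus the page's lock byte
at 0x1f8c; all of them are assumptions to confirm against a real dump.
"""
import struct
from typing import List, Optional

PIB_LENGTH_OFF = 0x04    # u16, total PIB size in bytes (assumed)
PIB_CHECKSUM_OFF = 0x08  # u32, complement of the XOR over all 32-bit words
PIB_MAC_OFF = 0x0C       # 6 bytes
PIB_NMK_OFF = 0x64       # 16-byte Network Membership Key (assumed offset)
PIB_LOCK_OFF = 0x1F8C    # nonzero = remote PIB writes refused (assumed semantics)


def checksum32(image: bytes, seed: int = 0) -> int:
    """open-plc-utils style checksum: XOR every little-endian u32, complement.
    A consistent image XORs to 0xFFFFFFFF, so checksum32(image) == 0 means OK."""
    acc = seed
    for (word,) in struct.iter_unpack("<I", image):
        acc ^= word
    return (~acc) & 0xFFFFFFFF


def verify_checksum(image: bytes) -> bool:
    return len(image) % 4 == 0 and checksum32(image) == 0


def fix_checksum(image: bytearray) -> None:
    """Store a fresh checksum; seeding with the old value cancels it out."""
    old = struct.unpack_from("<I", image, PIB_CHECKSUM_OFF)[0]
    struct.pack_into("<I", image, PIB_CHECKSUM_OFF, checksum32(image, old))


def parse_pib(image: bytes) -> dict:
    declared = struct.unpack_from("<H", image, PIB_LENGTH_OFF)[0]
    return {
        "declared_length": declared,
        "length_matches": declared == len(image),
        "checksum_ok": verify_checksum(image),
        "mac": image[PIB_MAC_OFF:PIB_MAC_OFF + 6].hex(":"),
        "nmk": bytes(image[PIB_NMK_OFF:PIB_NMK_OFF + 16]),
        # None when the image is too short to hold the lock byte at all
        "remote_write_locked": (image[PIB_LOCK_OFF] != 0) if len(image) > PIB_LOCK_OFF else None,
    }


def audit(image: bytes) -> List[str]:
    """Findings a charger operator would flag on a PIB dumped from a modem."""
    info = parse_pib(image)
    findings = []
    if not info["checksum_ok"]:
        findings.append("checksum mismatch: corrupt or tampered image")
    if not info["length_matches"]:
        findings.append("declared length %d != file length %d" % (info["declared_length"], len(image)))
    if not info["remote_write_locked"]:
        # Per the talk a set lock is undone by a reset, so this check is
        # necessary but not sufficient.
        findings.append("remote PIB writes not locked: a pibwrite from the far end of the cable is accepted")
    return findings


def patch_pib(image: bytes, nmk: Optional[bytes] = None, lock: Optional[bool] = None) -> bytes:
    """Return a copy with a new NMK and/or lock flag and a valid checksum.
    Swapping the NMK alone splits the two modems into different logical
    networks, which is what a hostile pibwrite achieves."""
    out = bytearray(image)
    if nmk is not None:
        if len(nmk) != 16:
            raise ValueError("NMK must be 16 bytes")
        out[PIB_NMK_OFF:PIB_NMK_OFF + 16] = nmk
    if lock is not None:
        out[PIB_LOCK_OFF] = 1 if lock else 0
    fix_checksum(out)
    return bytes(out)


def build_sample_pib(size: int = 0x2000) -> bytes:
    """Constructed stand-in for a dumped PIB; not a real modem image."""
    img = bytearray(size)
    struct.pack_into("<H", img, 0x00, 0x0200)          # arbitrary PIB version
    struct.pack_into("<H", img, PIB_LENGTH_OFF, size)
    img[PIB_MAC_OFF:PIB_MAC_OFF + 6] = bytes.fromhex("00b052000001")
    img[PIB_NMK_OFF:PIB_NMK_OFF + 16] = bytes(range(16))
    img[PIB_LOCK_OFF] = 0                               # lock bit clear
    fix_checksum(img)
    return bytes(img)


if __name__ == "__main__":
    pib = build_sample_pib()
    print(parse_pib(pib)["mac"], audit(pib))
    print(audit(patch_pib(pib, lock=True)))
```

Run it against a PIB read back from your own charger with open-plc-utils and the lock finding tells you whether a remote write would be accepted at all; the talk's point is that even a locked unit falls back to the unlocked factory configuration after a reset, so a clean audit is not a guarantee.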
Signal Leakage: The Ground Attack
One of the most startling revelations was the 'Ground Attack.' Because PLC signals operate at high frequencies (1-30 MHz), they generate an electromagnetic field that 'leaks' into the common ground (PE) wire. Since the car and the charger share a common ground during the session, an attacker does not even need to touch the data lines.
By connecting a rogue modem to any nearby ground source, such as a building's ground terminal or even the screws of the vehicle's wheel, an attacker can inject noise to cause a denial of service (DoS). The shared-medium access scheme (the 'sliding window' the talk describes) is easily disrupted by flooding the communication window with junk data. Because the attacker sits on the ground line rather than on the network, the source of the interference is almost impossible to locate with traditional network monitoring tools.
Achieving Code Execution: Running Doom on a Modem
The researchers didn't stop at configuration overrides. They successfully dumped the modem's SPI flash and reversed the bootloader. Although the firmware was thought to be encrypted, it turned out to be compressed using LZMA. After decompressing the ARMv5 machine code, they were able to identify memory-mapped I/O registers for the SPI and Ethernet peripherals.
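The "looks encrypted, is actually compressed" trap is common in firmware work because LZMA output has the same byte entropy as ciphertext. The following is an added example in Python (mine, not the speakers' tooling) that scans a raw flash dump for LZMA streams using the container header rather than entropy, and unpacks what it finds. It assumes the payload uses the LZMA "alone" container (.lzma: props byte, u32 dictionary size, u64 uncompressed size); the page does not say which container the QCA image uses, so adapt the header check if yours differs. The flash-like image it scans is constructed inline.

```python
"""Locate and unpack LZMA streams inside a raw SPI-flash dump.

Added example (not the speakers' tooling).  It assumes the payload uses the
LZMA "alone" container (.lzma: props byte, u32 dictionary size, u64
uncompressed size, then the range-coded stream); the page does not say which
container the QCA image uses, so adapt the header check if yours differs.
"""
import hashlib
import lzma
import math
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

ALONE_HEADER_LEN = 13
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF   # what streaming encoders such as liblzma write
MAX_DICT = 64 << 20
MAX_OUT = 256 << 20


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext AND for compressed data,
    which is why entropy alone cannot tell the two apart."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _plausible_dict_size(size: int) -> bool:
    # Encoders emit 2^n or 2^n + 2^(n-1); restrict to 4 KiB .. 64 MiB.
    if not 4096 <= size <= MAX_DICT:
        return False
    top = 1 << (size.bit_length() - 1)
    return size in (top, top + (top >> 1))


def looks_like_alone_header(buf: bytes, off: int) -> bool:
    if off + ALONE_HEADER_LEN > len(buf) or buf[off] >= 9 * 5 * 5:
        return False   # props byte encodes (pb*5+lp)*9+lc, so it is < 225
    dict_size, usize = struct.unpack_from("<IQ", buf, off + 1)
    return _plausible_dict_size(dict_size) and (usize == UNKNOWN_SIZE or usize <= MAX_OUT)


def try_decompress(buf: bytes, off: int) -> Optional[Tuple[bytes, int]]:
    """Return (plaintext, compressed_length) if a complete stream starts at off."""
    dec = lzma.LZMADecompressor(lzma.FORMAT_ALONE, memlimit=MAX_OUT)
    try:
        out = dec.decompress(buf[off:])
    except lzma.LZMAError:
        return None
    if not dec.eof:        # input ended before the end marker: not a stream
        return None
    return out, len(buf) - off - len(dec.unused_data)


def find_lzma_streams(image: bytes) -> List[Dict]:
    """Scan every offset; cheap header filter first, real decode only on hits."""
    hits, off = [], 0
    while off < len(image):
        if looks_like_alone_header(image, off):
            res = try_decompress(image, off)
            if res is not None:
                data, clen = res
                hits.append({"offset": off, "compressed_len": clen, "size": len(data),
                             "entropy": shannon_entropy(image[off:off + clen]), "data": data})
                off += clen      # skip over the stream so its interior is not rescanned
                continue
        off += 1
    return hits


def build_sample_image() -> Tuple[bytes, Dict]:
    """Constructed flash-like image (not a real QCA dump): erased space,
    plaintext strings, a hash-chain region standing in for ciphertext, then
    the LZMA payload, then erased space again."""
    plain = b"".join(
        b"record %05d sha=%s\n" % (i, hashlib.sha256(str(i).encode()).hexdigest()[:16].encode())
        for i in range(1500))
    packed = lzma.compress(plain, format=lzma.FORMAT_ALONE)
    strings = b"QCA7000 bootloader (constructed sample)\x00" * 16
    noise, seed = b"", b"seed"
    while len(noise) < 4096:
        seed = hashlib.sha256(seed).digest()
        noise += seed
    offset = 0x100 + len(strings) + len(noise)
    image = b"\xff" * 0x100 + strings + noise + packed + b"\xff" * 0x200
    return image, {"offset": offset, "plain": plain, "packed_len": len(packed), "noise": noise}


if __name__ == "__main__":
    image, truth = build_sample_image()
    print("ciphertext-like region entropy: %.2f" % shannon_entropy(truth["noise"]))
    for h in find_lzma_streams(image):
        print("LZMA stream at 0x%x: %d -> %d bytes, entropy %.2f"
              % (h["offset"], h["compressed_len"], h["size"], h["entropy"]))
```

Both the hash-chain region and the LZMA stream score near 8 bits per byte, so an entropy plot would flag both as "encrypted"; only the header check plus a successful decode to the end marker separates them. On a real dump, feed the recovered stream to your disassembler as ARM code at the load address the bootloader uses.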
To prove they had full control over the chip, they achieved the ultimate hacker milestone: running Doom. By creating custom C headers for the QCA hardware, they compiled a version of the game that runs on the modem, sending video frames over UDP to a remote terminal. This demonstrates that an attacker could theoretically replace the modem firmware with a malicious version that acts as a persistent backdoor within the charging station.
Mitigation and Defense
Defending against these attacks is notoriously difficult due to the hardware-level flaws in PLC. The researchers recommend several strategies:
- Firmware Updates: Manufacturers must implement robust over-the-air (OTA) update mechanisms to patch modems, though many existing chargers lack this capability.
- Shielding: Using shielded cables and ferrite cores can reduce signal leakage, though it cannot eliminate the 'ground attack' entirely.
- Network Segmentation: Treating the PLC modem as an untrusted edge device and strictly isolating it from the rest of the charger's internal network.
- Transitioning Standards: The long-term recommendation is to move away from PLC for critical infrastructure in favor of more secure, modern communication protocols.
Conclusion
The research by Berens and Szakaly serves as a wake-up call for the automotive industry. The current reliance on aging, insecure PLC technology puts the availability and safety of EV charging networks at risk. As we continue to build out our charging infrastructure, security must be integrated at the hardware level, rather than being treated as an afterthought hidden behind NDAs and obscurity.
AI Summary
This presentation explores the pervasive security flaws in the Power-Line Communication (PLC) layer of Electric Vehicle (EV) charging infrastructure. Researchers Marcell Szakaly and Jan Berens focus on the Qualcomm QCA 7000 and 7005 modem chips, which are used almost universally across CCS and NACS charging standards. Their research began with a large-scale study of 397 charging plugs across Europe, finding that over 50% of deployments use firmware more than 10 years old, with none having patched known vulnerabilities like the 'Brokenwire' attack disclosed in 2022. The technical heart of the presentation reveals the 'Pibbuster' attack. By exploiting the Parameter Information Block (PIB) management messages, a feature originally designed for home power-line adapters, the researchers discovered they could remotely read and write configuration files on the modems via the charging cable. They identified a specific security bit at offset `1f8c` in the binary blob that determines if remote writes are allowed. Even more critically, they demonstrated that a simple 'reset' command can bypass this protection by forcing the chip to fall back to insecure factory defaults. This allows an attacker to permanently 'brick' or disable communication between the charger and the vehicle. Beyond configuration flaws, the researchers detail the physical insecurity of PLC. Because the high-frequency signal (1-30 MHz) leaks into the common ground (PE) terminal shared by the car and the charger, an attacker can sniff traffic or inject noise from several meters away using simple induction coils or by connecting to nearby grounded objects like a metal wheel or a building's ground terminal. This enables stealthy denial-of-service attacks that are virtually impossible to locate physically. Finally, the team presents a deep dive into reverse engineering the QCA 7000 firmware. By dumping the 2MB SPI flash and analyzing the ARMv5 instructions, they bypassed what appeared to be encryption (but was actually LZMA compression). They achieved arbitrary code execution, culminating in a demonstration of the classic 'Doom' port running directly on the modem chip, communicating video frames over UDP. The speakers conclude that PLC is fundamentally unsuitable for critical infrastructure due to these inherent, unpatchable architectural flaws.