One Modem to Brick Them All: Exploiting Vulnerabilities in the EV Charging Communication
This talk demonstrates a series of vulnerabilities in the Power Line Communication (PLC) protocol used by EV chargers, specifically targeting the Qualcomm QCA7000/7005 series modems. The researchers show how to perform unauthorized read/write operations on the Parameter Information Block (PIB) to bypass security settings and potentially brick devices. They also detail a physical-layer attack technique involving ground-line signal injection to achieve Denial of Service (DoS) on the charging communication. The presentation concludes with a demonstration of custom firmware execution on the modem, enabling arbitrary code execution.
How to Brick EV Chargers via Power Line Communication
TLDR: Researchers at DEF CON 33 demonstrated that Qualcomm QCA7000/7005 series modems used in EV charging stations are vulnerable to unauthorized Parameter Information Block (PIB) manipulation. By exploiting the lack of authentication in the Power Line Communication (PLC) protocol, an attacker can remotely brick chargers or perform a Denial of Service (DoS) attack via ground-line signal injection. This research highlights a critical failure in securing industrial IoT infrastructure that relies on outdated, unpatched firmware.
Electric vehicle charging infrastructure is rapidly expanding, yet the underlying communication protocols remain stuck in a decade-old security model. The recent research presented at DEF CON 33 regarding the Qualcomm QCA7000 and QCA7005 series modems proves that we are deploying critical infrastructure with the same security assumptions we made for home-grade powerline adapters. If you are performing a red team engagement against a smart city or a commercial fleet depot, these chargers are not just power outlets; they are networked devices with exposed, unauthenticated management interfaces.
The Vulnerability: PIB Manipulation
The core of the issue lies in the Parameter Information Block (PIB), a proprietary binary blob that governs the modem's configuration. These modems, which are ubiquitous in the EV charging industry, do not implement robust access control for these configuration files. Using the open-plc-utils suite, researchers demonstrated that it is possible to read and write to the PIB over the charging cable itself.
The attack flow is straightforward for anyone familiar with embedded device exploitation. By sending a specially crafted management message over the PLC interface, an attacker can overwrite the PIB. Because the modems lack proper signature verification for these configuration updates, the device accepts the malicious blob without question.
The impact is immediate. An attacker can modify the Network Membership Key (NMK), effectively isolating the charger from the PLC network it communicates over, or simply set the device into an unrecoverable state. This is tracked as CVE-2025-47324. The lack of authentication here is a textbook example of Broken Access Control: the system assumes that anyone physically connected to the power line is a trusted administrator.
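To make the missing control concrete, the following added example (not code from the talk, open-plc-utils, or Qualcomm) models a configuration-write path that accepts any blob, beside one that requires an authentication tag and a forward-moving version before writing. The message layout, the HMAC-SHA256 tag and the placeholder blob bytes are constructed assumptions, not the QCA7000's real PIB or management-message format.

```python
import hashlib
import hmac
import struct

# Constructed update message layout (assumption, not the real PIB format):
#   4-byte big-endian config version || configuration blob || 32-byte HMAC-SHA256 tag
TAG_LEN = 32
KEY = b"constructed-demo-key-not-a-real-secret"   # a real device would hold a per-device key
GOOD_BLOB = b"\x01\x02NMK=placeholder"              # constructed placeholder, not real PIB bytes
FORGED = struct.pack(">I", 9) + b"\x00" * 16       # unsigned blob with no tag at all

def sign_update(key: bytes, version: int, blob: bytes) -> bytes:
    """Build an authenticated update (what a trusted updater/backend would send)."""
    body = struct.pack(">I", version) + blob
    return body + hmac.new(key, body, hashlib.sha256).digest()

def apply_unauthenticated(message: bytes):
    """Models the weakness the talk describes: whatever arrives is written as-is."""
    version = struct.unpack(">I", message[:4])[0]
    return version, message[4:]          # no origin, integrity or version check

def apply_authenticated(key: bytes, current_version: int, message: bytes):
    """Hardened write path: verify the tag first, then refuse stale/replayed versions."""
    if len(message) < 4 + TAG_LEN:
        raise ValueError("truncated update")
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise PermissionError("update rejected: bad authentication tag")
    version = struct.unpack(">I", body[:4])[0]
    if version <= current_version:               # blocks replay/rollback of an old blob
        raise PermissionError("update rejected: stale version")
    return version, body[4:]

def demo():
    """Run both paths against a forged and a properly signed update."""
    results = {}
    results["unauth_accepts_forged"] = apply_unauthenticated(FORGED)[1] == b"\x00" * 16
    signed = sign_update(KEY, 2, GOOD_BLOB)
    results["auth_accepts_signed"] = apply_authenticated(KEY, 1, signed) == (2, GOOD_BLOB)
    try:
        apply_authenticated(KEY, 1, FORGED + b"\x00" * TAG_LEN)   # forged tag
        results["auth_rejects_forged"] = False
    except PermissionError:
        results["auth_rejects_forged"] = True
    try:
        apply_authenticated(KEY, 2, signed)   # replaying an already-applied version
        results["auth_rejects_replay"] = False
    except PermissionError:
        results["auth_rejects_replay"] = True
    return results
```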
Physical Layer DoS: Poisoning the Ground
Beyond logical attacks on the firmware, the researchers identified a physical-layer vulnerability that is even harder to defend against. Because the charging station and the vehicle share a common ground, an attacker can inject noise directly into the ground line.
PLC communication operates in the 1 MHz to 30 MHz range. By using a simple Software Defined Radio (SDR) or even a basic signal generator, an attacker can flood this frequency range with enough noise to trigger a Denial of Service. The modem's communication protocol relies on a sliding window mechanism; if the noise floor is high enough to corrupt the packets, the window closes, and the charging session terminates.
During the demonstration, the team showed that you do not need to physically tap into the high-voltage lines to achieve this. Connecting an injection device to the ground terminal of the building or even the chassis of the vehicle is sufficient to disrupt the communication between the car and the charger. This is a classic Denial of Service vector that bypasses all logical network security controls.
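Because this vector sidesteps logical controls, the practical defence is to notice it. The following added example (not from the talk or any vendor tool) runs the kind of check a charge-point operator could apply to per-second PLC link counters: a sliding window over CRC-error ratio that ignores a one-second transient but flags a sustained burst consistent with injected noise. The telemetry format, field names and thresholds are constructed assumptions.

```python
import re
from collections import deque

# Constructed telemetry (assumption, not real charger output): one line per second
# with PLC frame and CRC-error counters for the charging session.
SAMPLE_LOG = """\
2025-08-09T10:00:00 session=active plc_frames=200 plc_crc_errors=2
2025-08-09T10:00:01 session=active plc_frames=210 plc_crc_errors=1
2025-08-09T10:00:02 session=active plc_frames=190 plc_crc_errors=95
2025-08-09T10:00:03 session=active plc_frames=205 plc_crc_errors=3
2025-08-09T10:00:04 session=active plc_frames=198 plc_crc_errors=150
2025-08-09T10:00:05 session=active plc_frames=201 plc_crc_errors=170
2025-08-09T10:00:06 session=active plc_frames=199 plc_crc_errors=180
2025-08-09T10:00:07 session=active plc_frames=0 plc_crc_errors=0
2025-08-09T10:00:08 session=idle plc_frames=0 plc_crc_errors=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\w+) plc_frames=(?P<frames>\d+) plc_crc_errors=(?P<errs>\d+)$"
)

def parse(log: str):
    """Yield (timestamp, session_state, frames, crc_errors); malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["session"], int(m["frames"]), int(m["errs"])

def detect_link_jamming(log: str, window: int = 3, err_ratio: float = 0.5, sustain: int = 2):
    """Return timestamps at which a sustained PLC error burst is flagged.
    The windowed CRC-error ratio must exceed err_ratio for `sustain` consecutive
    windows, so a single noisy second does not raise an alert on its own."""
    recent = deque(maxlen=window)
    bad_windows = 0
    alerts = []
    for ts, session, frames, errs in parse(log):
        if session != "active":          # only an active session has traffic to judge
            recent.clear()
            bad_windows = 0
            continue
        recent.append((frames, errs))
        if len(recent) < window:
            continue
        total_frames = sum(f for f, _ in recent)
        total_errs = sum(e for _, e in recent)
        ratio = total_errs / total_frames if total_frames else 0.0   # no frames: no evidence
        bad_windows = bad_windows + 1 if ratio > err_ratio else 0
        if bad_windows >= sustain:
            alerts.append(ts)
    return alerts
```

On the sample above the 10:00:02 spike is ignored as a transient, while the burst from 10:00:04 onward is flagged once it has persisted for two windows.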
Arbitrary Code Execution via Custom Firmware
Perhaps the most alarming finding is the ability to execute arbitrary code on the modem. By dumping the flash chip and reverse-engineering the bootloader, the researchers identified that the modem uses an ARM v5t instruction set and loads its firmware from the SPI flash.
The bootloader lacks secure boot mechanisms. By overwriting the SPI flash, an attacker can replace the legitimate firmware with a custom image. The researchers successfully demonstrated this by running a custom version of the classic game DOOM on the modem's processor. While running a game is a proof-of-concept, the implications for a persistent backdoor are severe. Once an attacker has code execution, they can bridge the PLC network to the internal Ethernet management network of the charging station, potentially pivoting into the operator's backend systems.
Defensive Realities
Defending against these attacks is difficult because the hardware is often deployed in public, unmonitored locations. For operators, the immediate priority is to ensure that all charging stations are segmented from the primary corporate network. If a charger is compromised, it should not have a direct path to the billing or management servers.
Furthermore, manufacturers must move away from the "security by obscurity" model. Relying on NDAs to keep technical documentation and firmware formats hidden has clearly failed. The industry needs to adopt Secure SLAC (Signal Level Attenuation Characterization) implementations that enforce strict authentication between the vehicle and the charger.
For those of you conducting assessments, start by checking the firmware versions of the charging controllers you encounter. If you find a device running firmware from 2022 or earlier, it is almost certainly vulnerable to the PIB manipulation techniques discussed here. Do not assume that the presence of a "secure" label on the hardware means the communication protocol is actually hardened. The next time you see an EV charger, look for the ground connection; it might be the most accessible entry point on the entire network.