One Modem to Brick Them All: Exploiting Vulnerabilities in the EV Charging Communication
This talk demonstrates how to exploit vulnerabilities in the Power Line Communication (PLC) protocol used by electric vehicle (EV) chargers to achieve unauthorized access and potential device bricking. The researchers analyze the communication between the EV and the charger, identifying weaknesses in the Parameter Information Block (PIB) configuration and the lack of secure authentication. They demonstrate a 'PIBuster' attack that allows for reading and writing configuration data, and show how to perform a Denial of Service (DoS) attack by poisoning the ground connection. The presentation includes a custom toolset for interacting with the PLC modules and a demonstration of running code on the communication chip.
How to Brick EV Chargers via Power Line Communication
TLDR: Researchers at DEF CON 2025 demonstrated that the Power Line Communication (PLC) protocol used in EV charging stations lacks basic authentication, allowing attackers to manipulate device configurations. By exploiting an undocumented security bit in the Parameter Information Block (PIB), an attacker can trigger a permanent Denial of Service (DoS) or execute arbitrary code on the communication chip. This research highlights a critical failure in securing industrial IoT infrastructure that relies on legacy, unauthenticated communication standards.
Electric vehicle charging infrastructure is rapidly becoming the backbone of modern transportation, yet the underlying communication protocols remain stuck in a decade-old mindset. The recent research presented at the Car Hacking Village reveals that the ISO 15118 standard, while robust on paper, is often implemented on top of insecure, legacy hardware that assumes a trusted environment. When you plug your car into a public charger, you are essentially establishing a network connection with a device that may be running firmware from 2013, completely unpatched and vulnerable to trivial manipulation.
The Anatomy of the PLC Attack
At the heart of this vulnerability is the Qualcomm QCA 7000 series modem, a chip found in a vast majority of EV charging stations. These modems use Power Line Communication to negotiate charging parameters between the vehicle and the station. The researchers discovered that the communication between these devices is effectively an unauthenticated, broadcast-style network.
The configuration of these modems is stored in a Parameter Information Block (PIB). This binary blob contains critical settings, including the MAC address and the network membership key. Because the protocol lacks any form of cryptographic signing or secure boot verification for these configuration files, an attacker can simply read or write to the PIB from the host system.
The researchers developed a tool, open-plc-utils, to interact with these modules. By sending a specially crafted Ethernet packet, an attacker can force the modem to dump its PIB. Once the PIB is retrieved, it can be modified and flashed back to the device. The most dangerous finding was an undocumented security bit at offset 0x1F8C. When this bit is set to 1, it blocks read and write access to the PIB, effectively locking the configuration. However, because the default state is 0 and most manufacturers fail to set this bit during production, the vast majority of chargers in the wild are wide open.
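The "specially crafted Ethernet packet" in this paragraph is an ordinary HomePlug AV management message (MME) on the host-side Ethernet link to the modem, so a station's controller or a monitoring tap can watch for the handful of request types that read, write, commit or reset a module image. The detector below is an added example, not code from the talk or from open-plc-utils. It assumes the standard HomePlug AV EtherType 0x88E1, the Qualcomm Atheros OUI 00:B0:52, and MMTYPE values recalled from open-plc-utils' mme.h (treat those as an assumption and confirm them against the header); all frames it processes are constructed inline rather than captured.

```python
"""Spot HomePlug AV management frames that touch a QCA modem's configuration
when they come from a MAC the site operator does not recognise.

Added example; not code from the talk or from open-plc-utils. It relies on:
- HomePlug AV MMEs ride in Ethernet frames with EtherType 0x88E1 (standard);
- Qualcomm Atheros vendor-specific MMEs carry OUI 00:B0:52 after the MM header;
- the MMTYPE values below as recalled from open-plc-utils' mme.h (assumption;
  confirm against the header before relying on this in production).
All frames below are constructed inline for the test, not captured traffic.
"""
import struct

HOMEPLUG_AV_ETHERTYPE = 0x88E1
QUALCOMM_OUI = bytes.fromhex("00B052")

# Vendor-specific MMTYPEs (request form, low two bits 00) that read, write or
# commit module images such as the PIB, or reset the device.
SENSITIVE_MMTYPES = {
    0xA01C: "VS_RS_DEV (reset device)",
    0xA020: "VS_WR_MOD (write module image, e.g. PIB)",
    0xA024: "VS_RD_MOD (read module image, e.g. PIB dump)",
    0xA028: "VS_MOD_NVM (commit module image to NVM)",
}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_mme(frame: bytes):
    """Return (src_mac, mmtype, is_qualcomm_vs) for a HomePlug AV frame, else None."""
    if len(frame) < 17 or struct.unpack_from("!H", frame, 12)[0] != HOMEPLUG_AV_ETHERTYPE:
        return None
    src = frame[6:12]
    mmv = frame[14]
    mmtype = struct.unpack_from("<H", frame, 15)[0]   # MMTYPE is little-endian on the wire
    # MMV 0 (HPAV 1.0): the vendor OUI follows MMTYPE directly.
    # MMV 1 (HPAV 1.1): a two-byte FMI field sits between MMTYPE and the OUI.
    oui_off = 17 if mmv == 0 else 19
    is_vs = frame[oui_off:oui_off + 3] == QUALCOMM_OUI
    return src, mmtype, is_vs


def detect(frames, allowed_hosts):
    """Alert on sensitive vendor-specific requests from any MAC outside allowed_hosts."""
    alerts = []
    for frame in frames:
        parsed = parse_mme(frame)
        if parsed is None:
            continue
        src, mmtype, is_vs = parsed
        base, kind = mmtype & 0xFFFC, mmtype & 0x3       # kind: 0=REQ 1=CNF 2=IND 3=RSP
        if is_vs and kind == 0 and base in SENSITIVE_MMTYPES and src not in allowed_hosts:
            alerts.append((mac_str(src), SENSITIVE_MMTYPES[base]))
    return alerts


def sample_frame(src: bytes, mmtype: int, mmv: int = 0) -> bytes:
    """Constructed header-only MME (no payload) used to exercise the detector."""
    modem = bytes.fromhex("00B052000001")   # made-up modem MAC with the Qualcomm OUI
    mm = bytes([mmv]) + struct.pack("<H", mmtype) + (b"\x00\x00" if mmv == 1 else b"")
    return struct.pack("!6s6sH", modem, src, HOMEPLUG_AV_ETHERTYPE) + mm + QUALCOMM_OUI


if __name__ == "__main__":
    controller = bytes.fromhex("0011223344AA")   # the station's own host MAC (constructed)
    rogue = bytes.fromhex("DEADBEEF0001")        # constructed unknown MAC
    for alert in detect([sample_frame(controller, 0xA024), sample_frame(rogue, 0xA024)], {controller}):
        print("ALERT", *alert)
```

A read, write or commit request for a module image from a MAC outside the allowlist is the precursor to the PIB manipulation described above, and a reset request from such a host is what turns a malformed PIB into an outage; logging both gives an operator a signal well before a modem fails to initialise. Confirmations (CNF) and plain version queries are deliberately not flagged, since the modem itself and legitimate diagnostics produce them constantly.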
Exploiting the PIB
The attack flow is straightforward for anyone with physical access to the charging cable. By using a simple induction coil or even a direct wire connection to the ground pin of the charging connector, an attacker can inject traffic into the PLC network.
```shell
# Reading the PIB from a target modem
plctool -i eth0 -p target.pib local
# Modifying the PIB to set the security bit or brick the device
ghex target.pib
# Manually flip the bit at 0x1F8C
# Writing the malicious PIB back to the target
plctool -i eth0 -p modified.pib flash
```
Once the modified PIB is flashed, the attacker can trigger a device reset. If the PIB is malformed, the modem will fail to initialize, rendering the charging station completely unresponsive. This is not just a temporary glitch; it is a permanent bricking of the communication module, requiring physical replacement of the hardware to restore service. This vulnerability is tracked as CVE-2025-47324.
Real-World Impact and Testing
For a penetration tester, this research changes the threat model for EV charging stations. You no longer need to compromise the backend server or the station's main application processor to cause a DoS. You only need access to the charging cable. During an engagement, you should treat the PLC interface as an untrusted network segment. If you can sniff the traffic, you can likely extract the network key and join the communication loop, allowing you to intercept or manipulate the charging session.
The lack of authentication means that any device on the power line can spoof the identity of the charger or the vehicle. This could be used to bypass payment systems or, more maliciously, to send incorrect charging parameters that could potentially damage the vehicle's battery management system.
Securing the Infrastructure
Defending against this is difficult because the vulnerability is baked into the hardware and the legacy protocol implementation. Manufacturers must move away from the "security by obscurity" approach. The first step is to ensure that the security bit in the PIB is set during the manufacturing process, preventing unauthorized configuration changes.
However, this is a stopgap. The industry needs to transition to more robust communication standards that mandate mutual authentication and encrypted transport layers. Relying on HomePlug Green PHY for critical infrastructure is a design choice that prioritizes interoperability over security, and it is a choice that is now demonstrably failing.
If you are auditing these systems, start by checking the firmware versions of the PLC modems. If you find devices running firmware older than 2021, they are almost certainly vulnerable to this configuration manipulation. Do not assume that the network is isolated; the physical nature of the charging cable makes it a persistent, accessible entry point for anyone with the right tools and a bit of patience. The era of treating charging stations as simple appliances is over. They are complex, networked computers, and they need to be defended with the same rigor as any other critical network node.
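Both defensive checks above, that the security bit is set before a unit ships and that a fielded modem's configuration is still what the manufacturer loaded, can be made against the PIB dump itself, offline. The script below is an added example, not the talk's tooling and not part of open-plc-utils. It assumes the lock flag is bit 0 of the byte at 0x1F8C (the talk names only the offset), header offsets recalled from open-plc-utils' simple_pib layout (PIBLENGTH at 4, CHECKSUM at 8, MAC at 12, NMK at 100) and that tool's checksum32 convention; all of these should be confirmed against pib.h and chkpib before use. Its sample PIB is constructed in memory, not dumped from hardware.

```python
"""Audit a dumped QCA7000-family PIB before it ships or during a site survey.

Added example; not code from the talk or from open-plc-utils. Assumptions, all
to be checked against your own dumps and open-plc-utils' pib.h/chkpib:
- the lock flag named in the talk lives in the byte at offset 0x1F8C and is
  taken here to be bit 0 of that byte (the talk gives only the offset);
- header offsets follow the simple_pib layout as recalled from open-plc-utils:
  PIBLENGTH uint16 LE at 4, CHECKSUM uint32 LE at 8, MAC at 12, NMK at 100;
- the checksum is open-plc-utils' checksum32: complemented XOR of all LE
  uint32 words, which yields 0 over a correctly filled-in PIB.
The sample PIB below is constructed in memory, not dumped from hardware.
"""
import struct

PIB_SIZE = 0x2000             # constructed sample; real PIB sizes depend on firmware
SECURITY_BIT_OFFSET = 0x1F8C  # offset reported in the talk
SECURITY_BIT_MASK = 0x01      # assumption: bit position within that byte

OFF_PIBLENGTH, OFF_CHECKSUM, OFF_MAC, OFF_NMK = 4, 8, 12, 100

# Published HomePlug AV default NMK (the key derived from the passphrase "HomePlugAV").
DEFAULT_NMK = bytes.fromhex("50D3E4933F855B7040784DF815AA8DB7")


def checksum32(blob: bytes) -> int:
    """Complemented XOR of all little-endian 32-bit words (open-plc-utils convention)."""
    acc = 0
    for (word,) in struct.iter_unpack("<I", blob):
        acc ^= word
    return (~acc) & 0xFFFFFFFF


def fill_checksum(pib: bytearray) -> None:
    """Zero the CHECKSUM field, then store the value that makes checksum32() return 0."""
    pib[OFF_CHECKSUM:OFF_CHECKSUM + 4] = bytes(4)
    struct.pack_into("<I", pib, OFF_CHECKSUM, checksum32(bytes(pib)))


def build_sample_pib(locked: bool, nmk: bytes = DEFAULT_NMK) -> bytes:
    """Constructed PIB image for exercising the audit; not a real dump."""
    pib = bytearray(PIB_SIZE)
    struct.pack_into("<H", pib, OFF_PIBLENGTH, PIB_SIZE)
    pib[OFF_MAC:OFF_MAC + 6] = bytes.fromhex("00B052000001")  # Qualcomm OUI + made-up NIC part
    pib[OFF_NMK:OFF_NMK + 16] = nmk
    if locked:
        pib[SECURITY_BIT_OFFSET] |= SECURITY_BIT_MASK
    fill_checksum(pib)
    return bytes(pib)


def audit_pib(pib: bytes) -> dict:
    """Return the checks a deployer should see green before a modem leaves the bench."""
    declared = struct.unpack_from("<H", pib, OFF_PIBLENGTH)[0]
    result = {
        "length_ok": declared == len(pib) and len(pib) % 4 == 0,
        "checksum_ok": len(pib) % 4 == 0 and checksum32(pib) == 0,
        "mac": ":".join(f"{b:02x}" for b in pib[OFF_MAC:OFF_MAC + 6]),
        "security_bit_set": len(pib) > SECURITY_BIT_OFFSET
                            and bool(pib[SECURITY_BIT_OFFSET] & SECURITY_BIT_MASK),
        "nmk_is_default": pib[OFF_NMK:OFF_NMK + 16] == DEFAULT_NMK,
    }
    risks = []
    if not result["security_bit_set"]:
        risks.append("PIB unlocked: the host-side read/write path described in the talk is open")
    if result["nmk_is_default"]:
        risks.append("NMK is the published HomePlug AV default: any device that knows it can join")
    if not (result["length_ok"] and result["checksum_ok"]):
        risks.append("header length or checksum mismatch: dump is corrupt or has been altered")
    result["risks"] = risks
    return result


if __name__ == "__main__":
    for locked in (False, True):
        report = audit_pib(build_sample_pib(locked))
        print(f"locked={locked}: {report['risks'] or 'no findings'}")
```

Run audit_pib over a dump read from a modem in your own inventory and require an empty risks list as the bench state before a unit ships. A default-NMK finding is the concrete form of the earlier warning that a sniffer on the cable can recover the network key and join the session, and a checksum mismatch on a fielded unit is worth treating as evidence of tampering rather than bit rot until proven otherwise.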