Securing the Digital Ecosystem for the Clean Energy Transition
This talk outlines the cybersecurity challenges and strategic initiatives for securing the rapidly evolving electric vehicle (EV) charging infrastructure. It highlights the critical need for interoperability, supply chain security, and standardized testing protocols across a complex, interconnected ecosystem of utilities, EV manufacturers, and network operators. The speakers emphasize the importance of collaborative security research and the development of open-source tools to mitigate systemic risks in the energy sector.
Why Your Next EV Charging Station Pentest Needs to Include ISO 15118
TLDR: The rapid rollout of electric vehicle charging infrastructure is creating a large, interconnected attack surface that most security teams are not looking at. If the vehicle-to-charger protocol stack (ISO 15118) and the charger supply chain stay unsecured, a single bug becomes a bug in thousands of identical, grid-connected devices. Pentesters need to pivot from web application testing of the operator portal to analyzing the state-machine-driven communication stacks that bridge the gap between vehicles, chargers, and utility providers.
The transition to electric vehicles is not just a mechanical shift from internal combustion to battery power. It is a massive, poorly secured digitization of the power grid. While everyone is focused on the latest cloud misconfigurations or zero-day exploits in enterprise software, the physical world is being wired up with insecure, interconnected systems that have never been hardened for a hostile network environment. We are currently witnessing a generational investment in infrastructure that is being deployed at a pace that leaves security as an afterthought.
The Anatomy of an EV Charging Vulnerability
Most security researchers look at an EV charging station and see a web interface or a mobile app. That is the noise. The signal is in the communication between the vehicle and the charger, specifically ISO 15118. This protocol governs the "Plug and Charge" experience: the car identifies and authorizes itself with a contract certificate instead of an RFID card or app, negotiates charging parameters, and starts and stops power delivery, with the session data feeding billing in the operator backend. Mechanically, ISO 15118-2 is a request/response exchange of XML messages serialized with EXI, carried in an 8-byte V2GTP transport header over TCP (optionally TLS) and IPv6 on the HomePlug Green PHY power-line link between the charging cable pins.
Above the transport it is a strict state machine: SupportedAppProtocol, SessionSetup, ServiceDiscovery, PaymentServiceSelection, Authorization, ChargeParameterDiscovery, PowerDelivery, then the charging loop and SessionStop. If you are a pentester, stop looking at the UI and start looking at the state machine transitions. Can a PowerDeliveryReq be accepted before Authorization? Does a malformed V2GTP length field hang or crash the charger-side stack (the SECC)? Can the EV side talk the charger into a plaintext session? Those are not billing bugs. They are authorization bypass, denial of service on the charging session, and manipulation of the negotiated charging parameters, on a device that is physically switching real power.
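The checks described above, as an added example written for this page (it is not code from the talk, from EVerest, or from any vendor stack). It parses the ISO 15118-2 V2GTP header, reads the security byte of an SDP request, and enforces a simplified charger-side request sequence. The header layout, payload-type values and SDP security byte values are from ISO 15118-2; the 64 KiB payload cap and the reduced state table are assumptions made to keep the model small, and the test frame bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// V2GTP: the 8-byte header ISO 15118-2 puts in front of every EXI-encoded
// V2G message and every SDP datagram.
//   byte 0    protocol version      0x01
//   byte 1    inverse version       0xFE
//   bytes 2-3 payload type          0x8001 EXI message, 0x9000/0x9001 SDP req/resp
//   bytes 4-7 payload length        big-endian uint32
const (
	v2gtpVersion    = 0x01
	v2gtpInvVersion = 0xFE
	ptEXIMessage    = 0x8001
	ptSDPRequest    = 0x9000
	ptSDPResponse   = 0x9001
	sdpNoTLS        = 0x10      // SDP "security" byte: 0x00 = TLS, 0x10 = no TLS
	maxPayload      = 64 * 1024 // assumed local cap, not a value from the spec
)

type Frame struct {
	PayloadType uint16
	Payload     []byte
}

// ParseV2GTP does not trust the 32-bit length field until the version bytes
// and payload type are known-good, and then requires it to match the bytes
// actually present. A reader that allocates or blocks on the declared
// length is the classic malformed-packet denial of service.
func ParseV2GTP(b []byte) (Frame, error) {
	if len(b) < 8 {
		return Frame{}, errors.New("v2gtp: short header")
	}
	if b[0] != v2gtpVersion || b[1] != v2gtpInvVersion {
		return Frame{}, fmt.Errorf("v2gtp: bad version bytes %02x %02x", b[0], b[1])
	}
	pt := binary.BigEndian.Uint16(b[2:4])
	switch pt {
	case ptEXIMessage, ptSDPRequest, ptSDPResponse:
	default:
		return Frame{}, fmt.Errorf("v2gtp: unknown payload type 0x%04x", pt)
	}
	n := binary.BigEndian.Uint32(b[4:8])
	if n > maxPayload || int(n) != len(b)-8 {
		return Frame{}, fmt.Errorf("v2gtp: declared %d payload bytes, got %d", n, len(b)-8)
	}
	return Frame{PayloadType: pt, Payload: b[8:]}, nil
}

// SDPRequestWantsTLS reads the security byte of a 2-byte SDP request. An EV
// (or a fuzzer posing as one) may ask for a plaintext session; whether the
// SECC accepts that is the first answer to "is the protocol encrypted?".
func SDPRequestWantsTLS(f Frame) (bool, error) {
	if f.PayloadType != ptSDPRequest || len(f.Payload) != 2 {
		return false, errors.New("sdp: not a 2-byte SDP request")
	}
	return f.Payload[0] != sdpNoTLS, nil
}

// SECC is a small model of charger-side request sequencing. The table is a
// simplified, assumed subset of the ISO 15118-2 AC sequence; the real one
// has more states (ServiceDetail, PaymentDetails, CableCheck/PreCharge for
// DC, certificate installation and update).
type SECC struct{ State string }

type step struct{ state, req string }

var transitions = map[step]string{
	{"Idle", "SupportedAppProtocolReq"}:                "ProtocolAgreed",
	{"ProtocolAgreed", "SessionSetupReq"}:              "SessionSetup",
	{"SessionSetup", "ServiceDiscoveryReq"}:            "ServiceDiscovery",
	{"ServiceDiscovery", "PaymentServiceSelectionReq"}: "PaymentSelected",
	{"PaymentSelected", "AuthorizationReq"}:            "Authorized",
	{"Authorized", "ChargeParameterDiscoveryReq"}:      "ParamsAgreed",
	{"ParamsAgreed", "PowerDeliveryReq"}:               "Charging",
	{"Charging", "ChargingStatusReq"}:                  "Charging",
	{"Charging", "PowerDeliveryReq"}:                   "ParamsAgreed", // ChargeProgress=Stop
	{"ParamsAgreed", "SessionStopReq"}:                 "Idle",
}

func NewSECC() *SECC { return &SECC{State: "Idle"} }

// Handle returns the ResponseCode the SECC would send. An out-of-sequence
// request gets FAILED_SequenceError and leaves the state untouched, so a
// PowerDeliveryReq cannot be used to skip AuthorizationReq.
func (s *SECC) Handle(req string) string {
	next, ok := transitions[step{s.State, req}]
	if !ok {
		return "FAILED_SequenceError"
	}
	s.State = next
	return "OK"
}

func main() {
	// Constructed frame: valid header carrying an SDP request that asks for no TLS.
	f, err := ParseV2GTP([]byte{0x01, 0xFE, 0x90, 0x00, 0x00, 0x00, 0x00, 0x02, 0x10, 0x00})
	tls, _ := SDPRequestWantsTLS(f)
	fmt.Printf("payload type 0x%04x err=%v EV asked for TLS=%v\n", f.PayloadType, err, tls)
	s := NewSECC()
	fmt.Println("PowerDeliveryReq from Idle:", s.Handle("PowerDeliveryReq"), "state:", s.State)
	for _, r := range []string{"SupportedAppProtocolReq", "SessionSetupReq", "ServiceDiscoveryReq",
		"PaymentServiceSelectionReq", "AuthorizationReq", "ChargeParameterDiscoveryReq", "PowerDeliveryReq"} {
		fmt.Println(r, s.Handle(r), "state:", s.State)
	}
}
```

On an engagement the interesting cases are the inverse of this code: a stack whose ParseV2GTP equivalent reads the declared length before checking it, an SECC that answers a no-TLS SDP request with a plaintext session when Plug and Charge is enabled, and a sequencer that updates state on a request it then rejects.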
The industry is currently relying on a mix of proprietary and open-source stacks, such as the LF Energy EVerest project, to handle these communications. Open source is a step in the right direction: it gives attackers a readable target, but it gives auditors and defenders exactly the same thing, which is more than a proprietary binary blob offers either side. If you are auditing these systems on the wire, use the Zeek ICSNPP protocol parser packages to dissect and log the industrial protocols that these chargers speak, and be ready to write your own dissector for anything they do not cover.
Why the Supply Chain is the Real Target
The most significant risk in this ecosystem is not a single bug in a single charger. It is the supply chain. Many of these charging station manufacturers are small, specialized companies that lack the resources to maintain a dedicated security team. They are building systems with 30 employees, yet they are responsible for critical infrastructure.
When you perform a penetration test on these devices, you will likely find that the firmware is a patchwork of third-party libraries, many of which have not been updated in years. This is a classic T1195 Supply Chain Compromise scenario (MITRE ATT&CK). If an attacker can compromise a sub-component manufacturer or the vendor's build and update pipeline, they can push malicious updates to thousands of charging stations simultaneously.
During an engagement, focus on the update mechanism. How does the charger verify the integrity and authenticity of its firmware? Is the update image signed, is the signing key pinned on the device rather than fetched alongside the update, and does the device refuse to roll back to an older, vulnerable version? If you can intercept the update traffic, can you perform a man-in-the-middle attack to push a custom payload? Most of these devices lack the verified boot chain that we take for granted in modern mobile devices, so a signature check in the updater is often the only line of defense.
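The verification path a charger updater should implement, as an added example written for this page (not a vendor's real update format, and not the talk's own code). The container layout (a 36-byte manifest of version plus SHA-256 of the body, an Ed25519 signature over the manifest, then the body) is an assumption chosen for illustration; the four scenarios run against a constructed firmware body and freshly generated keys.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed update container layout (illustrative, not any vendor's format):
//   manifest = version (uint32 big-endian) || sha256(body)        36 bytes
//   package  = manifest || ed25519 signature over manifest || body
const manifestLen = 4 + sha256.Size

type Device struct {
	VendorKey        ed25519.PublicKey // pinned at manufacture, never fetched from the update server
	InstalledVersion uint32
}

// BuildPackage is the vendor-side (or attacker-side) packaging step.
func BuildPackage(priv ed25519.PrivateKey, version uint32, body []byte) []byte {
	m := make([]byte, manifestLen)
	binary.BigEndian.PutUint32(m[:4], version)
	h := sha256.Sum256(body)
	copy(m[4:], h[:])
	sig := ed25519.Sign(priv, m)
	return append(append(m, sig...), body...)
}

// Verify runs the checks in the order a device should: signature on the
// manifest first (nothing else is trusted before that), then anti-rollback,
// then the body hash, so an image altered in transit is rejected before a
// byte of it reaches flash.
func (d *Device) Verify(pkg []byte) ([]byte, error) {
	if len(pkg) < manifestLen+ed25519.SignatureSize {
		return nil, errors.New("update: truncated package")
	}
	m := pkg[:manifestLen]
	sig := pkg[manifestLen : manifestLen+ed25519.SignatureSize]
	body := pkg[manifestLen+ed25519.SignatureSize:]
	if !ed25519.Verify(d.VendorKey, m, sig) {
		return nil, errors.New("update: manifest signature invalid")
	}
	v := binary.BigEndian.Uint32(m[:4])
	if v <= d.InstalledVersion {
		return nil, fmt.Errorf("update: version %d not newer than installed %d (rollback)", v, d.InstalledVersion)
	}
	h := sha256.Sum256(body)
	if !bytes.Equal(h[:], m[4:]) {
		return nil, errors.New("update: body hash does not match manifest")
	}
	return body, nil
}

// Scenario reports which of four update attempts one device accepts:
// a genuine image, the same image with one byte flipped in transit,
// an image re-signed with an attacker's key, and a vendor-signed downgrade.
func Scenario() map[string]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorKey: vendorPub, InstalledVersion: 7}
	body := []byte("constructed firmware body, build 8") // constructed sample

	genuine := BuildPackage(vendorPriv, 8, body)
	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-1] ^= 0x01 // man-in-the-middle flips one body byte
	resigned := BuildPackage(attackerPriv, 9, []byte("attacker payload"))
	rollback := BuildPackage(vendorPriv, 5, []byte("older build with a known bug"))

	res := map[string]bool{}
	for name, pkg := range map[string][]byte{
		"genuine": genuine, "tampered": tampered, "resigned": resigned, "rollback": rollback,
	} {
		_, err := dev.Verify(pkg)
		res[name] = err == nil
	}
	return res
}

func main() {
	for name, accepted := range Scenario() {
		fmt.Printf("%-9s accepted=%v\n", name, accepted)
	}
}
```

The three rejected cases map directly onto the questions above: the tampered image is what a MITM on an unauthenticated update channel produces, the re-signed image is what you get when the device trusts whatever key arrives with the update, and the rollback is the bug that lets an attacker reinstall a version you already patched.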
Moving Beyond Web App Testing
If you are a bug bounty hunter, the EV charging space is a goldmine that is currently being ignored. Most programs are focused on the web portals that manage these stations, but the real impact is in the physical-to-digital interface.
When you are testing these systems, look for:
- Insecure Communication: Is the vehicle-to-charger session actually running over TLS, and does the charger accept a session that asks for no TLS? If not, can you sniff the power-line link and extract session identifiers, contract certificate details, or billing tokens?
- State Machine Manipulation: Can you send requests out of sequence, replay a previous session, or force the charger into an error state that requires a manual reset or, worse, allows for unauthorized power draw?
- Credential Stuffing and API Abuse: Many of these chargers rely on backend APIs that are poorly protected, including the charger-to-operator channel (commonly OCPP over WebSocket). Use your standard tools, but apply them to the specific protocols used in the energy sector rather than stopping at the HTTP front end.
The OWASP IoT Top 10 is your best friend here. Specifically, focus on I3 "Insecure Ecosystem Interfaces" and I4 "Lack of Secure Update Mechanism". These are not theoretical risks. They are the primary vectors that will be used to target the grid in the coming years.
What Defenders Need to Do
Blue teams need to stop treating these chargers as isolated appliances. They are electrically coupled to the grid and network-connected to an operator backend, and in a corporate car park they are often also plugged into your own network. You need to implement strict network segmentation. A charging station should never have a direct path to your internal corporate network, and its outbound traffic should be restricted to the backend endpoints it actually needs.
Furthermore, you need to demand transparency from your vendors. Ask them about their PKI implementation. ISO 15118 Plug and Charge depends on a certificate hierarchy: a V2G root, operator (CPO) sub-CAs, the SECC leaf certificate each charger presents in the TLS handshake, and the contract certificates issued to vehicles by mobility operators. Ask where the charger's private key lives, how certificates are rotated and revoked, and what happens when one expires in the field. If they cannot explain how they manage the certificates that secure the communication between the vehicle and the charger, they are not ready for deployment.
The future of our energy infrastructure depends on our ability to secure these systems before they become the primary target for state-sponsored actors. We have a once-in-a-generation opportunity to build this right, but that requires us to stop ignoring the technical reality of the hardware and protocols that are being deployed today. Start digging into the communication stacks, audit the firmware, and hold the vendors accountable. The grid is waiting.