Researchers Demonstrate Wireless Man-in-the-Middle Attacks on EV Charging Protocols
A team of researchers published a study in January 2026 describing how they used a real‑time software‑defined radio (SDR) to intercept and manipulate communications between electric vehicles and charging stations that rely on the Combined Charging System (CCS). The work, presented on the preprint server arXiv, outlines active wireless attacks that exploit leakage in the HomePlug Green PHY (HPGP) physical layer, a vulnerability that could be leveraged by nearby adversaries.
Background on CCS and HPGP
The CCS standard is widely adopted for fast charging of electric vehicles, and it transmits control data over HPGP, a low‑power Ethernet‑like protocol originally designed for in‑cable communication. Prior analyses have noted that HPGP signals can radiate unintentionally, creating a potential attack surface for wireless eavesdropping and injection.
SDR Implementation and Data Analysis
The authors built the first publicly documented real‑time SDR implementation of HPGP, granting them direct access to the data link inside charging cables. To calibrate timing constraints, they examined 2,750 real‑world charging sessions, extracting patterns that inform the feasibility of hijacking attempts without disrupting normal operation.
Attack Methodology
Using novel signal‑processing techniques to improve reliability, the researchers constructed a robust wireless man‑in‑the‑middle (MitM) framework. The framework allowed them to intercept, modify, and replay messages between the vehicle and the charger, targeting both the TLS layer and the CCS protocol version negotiation.
Demonstrated Impacts
Experimental results showed full control over TLS usage, including successful TLS‑stripping attacks that forced the connection to downgrade to unencrypted communication. Safety‑critical manipulations were also demonstrated: one test caused a vehicle’s dashboard to display a charging power of over 900 kW while the charger supplied only 40 kW, and another scenario remotely overcharged a vehicle to twice the requested current for 17 seconds before the vehicle initiated an emergency shutdown.
Proposed Mitigations
To address the identified weaknesses, the paper proposes a backward‑compatible, downgrade‑proof protocol extension that authenticates HPGP messages and enforces strict timing checks, aiming to prevent unauthorized wireless interference without requiring hardware redesign.
This report is based on the abstract of the research paper, published on arXiv under an Academic Preprint / Open Access license. The full text is available via arXiv.