Abusing Domestic EV Chargers through Bluetooth and USB
As the adoption of electric vehicles (EVs) continues to rise, registering a +25% increase worldwide in 2024 alone, the security of electric car charging infrastructure becomes increasingly critical. This growth introduces new challenges for both the automotive and cybersecurity industries, as it creates new attack surfaces that expose not only the chargers themselves but also the EVs, through the communication protocol over the connector, and the infrastructure supporting them, such as internal local area networks (LAN) and Wi-Fi networks. Notably, the introduction of new features such as home charger sharing, which allows users to advertise and share their domestic EV chargers publicly, exacerbates these risks by potentially exposing vulnerable devices to external attackers. These attackers could exploit such vulnerabilities to steal electricity, infiltrate domestic networks (LAN/Wi-Fi), or even build a botnet of compromised chargers.
In this talk, we will present the results of our research on the Autel MaxiCharger, a charging station used for both business and domestic purposes, which was one of the targets of Pwn2Own Automotive 2025.
We will describe how we obtained the firmware by reversing the Firmware-Over-The-Air (FOTA) update functionality in the Android mobile app, which was packed using the SecNeo packer, and by subsequently breaking the custom cipher encrypting the firmware using different cryptanalysis techniques.
Finally, we will present our findings, which consist of two distinct exploits, both leading to arbitrary code execution: the first chains two vulnerabilities in the Bluetooth Low Energy (BLE) stack, the second uses a single vulnerability in the USB stack.
We will also discuss the post-exploitation impact of these attacks, demonstrating how to achieve persistence even across firmware updates or factory resets, and how a compromised charging station can serve as a new attack vector to infect electric vehicles through the charging protocol.