EVExchange: A Relay Attack on Electric Vehicle Charging System

TL;DR

This paper introduces EVExchange, a relay attack on electric vehicle charging systems using ISO 15118, demonstrating how attackers can steal energy and profit, and proposes a lightweight countermeasure to prevent such attacks.

Contribution

The paper presents the first relay attack on V2G communication in EV charging, along with a practical countermeasure based on distance bounding to enhance security.

Findings

The attack successfully steals energy during charging sessions.

The proposed countermeasure detects all relay attack attempts.

The countermeasure is lightweight and transparent to users.

Abstract

To support the increasing spread of Electric Vehicles (EVs), Charging Stations (CSs) are being installed worldwide. The new generation of CSs employs the Vehicle-To-Grid (V2G) paradigm by implementing novel standards such as the ISO 15118. This standard enables high-level communication between the vehicle and the charging column, helps manage the charge smartly, and simplifies the payment phase. This novel charging paradigm, which connects the Smart Grid to external networks (e.g., EVs and CSs), has not been thoroughly examined yet. Therefore, it may lead to dangerous vulnerability surfaces and new research challenges. In this paper, we present EVExchange, the first attack to steal energy during a charging session in a V2G communication: i.e., charging the attacker's car while letting the victim pay for it. Furthermore, if reverse charging flow is enabled, the attacker can even sell the energy available on the victim's car! Thus, getting the economic profit of this selling, and leaving the victim with a completely discharged battery. We developed a virtual and a physical testbed in which we validate the attack and prove its effectiveness in stealing the energy. To prevent the attack, we propose a lightweight modification of the ISO 15118 protocol to include a distance bounding algorithm. Finally, we validated the countermeasure on our testbeds. Our results show that the proposed countermeasure can identify all the relay attack attempts while being transparent to the user.