Charge It to My Neighbor: A Relay Attack on ISO 15118 Plug and Charge Payment
Jakob Löw, Vishwa Vasu, Thomas Hutzelmann, Hans-Joachim Hof

TL;DR
This paper presents a novel relay attack on ISO 15118's plug-and-charge payment system. The attack exploits cryptographic and certificate-handling weaknesses and is demonstrated with a proof-of-concept, which the authors present as an urgent security concern.
Contribution
The paper introduces a new relay attack method against ISO 15118's payment mechanism, showing vulnerabilities and proposing mitigations for secure EV charging.
Findings
Successful relay attack demonstrated with proof-of-concept
Vulnerabilities due to lack of station-identifying info in signatures
Weaknesses in TLS certificate handling in ISO 15118
Abstract
ISO 15118, the leading standard for DC fast charging in Europe, includes a plug-and-charge mechanism that allows electric vehicles to handle payment automatically via contract certificates. We present a novel relay attack against this mechanism: an attacker builds a fake charging station, plugs it into a victim's vehicle, and relays the cryptographic authentication to a real charging station - charging the attacker's vehicle while billing the victim. The attack exploits the absence of station-identifying information in the plug-and-charge signature, combined with weaknesses in how ISO 15118 handles TLS certificates. We provide a proof-of-concept implementation demonstrating the full attack chain and discuss possible mitigations and alternatives. As plug-and-charge adoption grows, addressing this vulnerability is critical before it becomes widely exploitable.
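The signature weakness described in the abstract can be shown with a small model. This is an added example, not code from the paper or its proof-of-concept. It assumes a generic challenge-response, uses HMAC as a stand-in for the contract-certificate signature, and uses constructed station identifiers; binding the station identity is shown as one conceivable countermeasure, not necessarily the mitigation the authors propose.

```python
import hashlib
import hmac
import os

# Simplified model, not ISO 15118 message formats: HMAC stands in for the
# contract-certificate signature, and all identifiers are constructed.
CONTRACT_KEY = os.urandom(32)


def _signed_bytes(challenge: bytes, station_id: bytes, bind_station: bool) -> bytes:
    # With binding, the station identity is hashed into the signed data so
    # the response is only valid for one specific station.
    if bind_station:
        return challenge + hashlib.sha256(station_id).digest()
    return challenge


def vehicle_sign(challenge: bytes, peer_station_id: bytes, bind_station: bool) -> bytes:
    """Vehicle answers a challenge, naming the station it is plugged into."""
    msg = _signed_bytes(challenge, peer_station_id, bind_station)
    return hmac.new(CONTRACT_KEY, msg, hashlib.sha256).digest()


def station_verify(challenge: bytes, signature: bytes, own_station_id: bytes,
                   bind_station: bool) -> bool:
    """Station checks the response against its own challenge and identity."""
    msg = _signed_bytes(challenge, own_station_id, bind_station)
    expected = hmac.new(CONTRACT_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def session_accepted(vehicle_sees: bytes, verifier_is: bytes, bind_station: bool) -> bool:
    """Run one challenge-response; a relay is the case vehicle_sees != verifier_is."""
    challenge = os.urandom(16)  # issued by the verifying station
    signature = vehicle_sign(challenge, vehicle_sees, bind_station)
    return station_verify(challenge, signature, verifier_is, bind_station)


if __name__ == "__main__":
    a, b = b"STATION-A", b"STATION-B"  # constructed station identifiers
    print("direct, bound    :", session_accepted(a, a, True))
    print("relayed, unbound :", session_accepted(b, a, False))
    print("relayed, bound   :", session_accepted(b, a, True))
```

The binding only helps if the vehicle can authenticate the station identity it signs, which is where the TLS certificate handling named in the abstract matters.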
Taxonomy
Topics: Electric Vehicles and Infrastructure · Safety Systems Engineering in Autonomy · Vehicular Ad Hoc Networks (VANETs)
