DCeption: Real-world Wireless Man-in-the-Middle Attacks Against CCS EV Charging

TL;DR

This paper uncovers real-world wireless man-in-the-middle attacks on CCS EV charging systems using SDR, demonstrating vulnerabilities that can lead to overcharging and safety risks, and proposes a protocol extension to mitigate these issues.

Contribution

It presents the first real-time SDR implementation of HPGP, analyzes real charging sessions, and develops a robust MitM framework for CCS, revealing critical security flaws and mitigation strategies.

Findings

Successfully hijacked charging sessions and manipulated power delivery.

Demonstrated overcharging and safety-critical protocol modifications.

Identified high permissiveness of target vehicles to MitM attacks.

Abstract

The adoption of Electric Vehicles (EVs) is happening at a rapid pace. To ensure fast and safe charging, complex communication is required between the vehicle and the charging station. In the globally used Combined Charging System (CCS), this communication is carried over the HomePlug Green PHY (HPGP) physical layer. However, HPGP is known to suffer from wireless leakage, which may expose this data link to nearby attackers. In this paper, we examine active wireless attacks against CCS, and study the impact they can have. We present the first real-time Software-Defined Radio (SDR) implementation of HPGP, granting unprecedented access to the communications within the charging cables. We analyze the characteristics of 2,750 real-world charging sessions to understand the timing constraints for hijacking. Using novel techniques to increase the attacks' reliability, we design a robust wireless Man-in-the-Middle evaluation framework for CCS. We demonstrate full control over TLS usage and CCS protocol version negotiation, including TLS stripping attacks. We investigate how real devices respond to safety-critical MitM attacks, which modify power delivery information, and found target vehicles to be highly permissive. First, we caused a vehicle to display charging power exceeding 900 kW on the dashboard, while receiving only 40 kW. Second, we remotely overcharged a vehicle, at twice the requested current for 17 seconds before the vehicle triggered the emergency shutdown. Finally, we propose a backwards-compatible, downgrade-proof protocol extension to mitigate the underlying vulnerabilities.