Headline
CVE-2022-0878: Brokenwire Attack
Electric Vehicle (EV) commonly utilises the Combined Charging System (CCS) for DC rapid charging. To exchange important messages such as the State of Charge (SoC) with the Electric Vehicle Supply Equipment (EVSE) CCS uses a high-bandwidth IP link provided by the HomePlug Green PHY (HPGP) power-line communication (PLC) technology. The attack interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously. In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge. With a power budget of 1 W, the attack is successful from around 47 m distance. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it. In addition to electric cars, Brokenwire affects electric ships, airplanes and heavy duty vehicles utilising these standards.
Brokenwire is a novel attack against the Combined Charging System (CCS), one of the most widely used DC rapid charging technologies for electric vehicles (EVs). The attack interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort. The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously. In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge. With a power budget of 1 W, the attack is successful from around 47 m distance. The exploited behavior is a required part of the HomePlug Green PHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it.
Brokenwire has immediate implications for many of the 12 million battery EVs estimated to be on the roads worldwide — and profound effects on the new wave of electrification for vehicle fleets, both for private enterprise and for crucial public services. In addition to electric cars, Brokenwire affects electric ships, airplanes and heavy duty vehicles. As such, we conducted a disclosure to industry and discuss a range of mitigation techniques that could be deployed to limit the impact.
Please note that due to the responsible disclosure a detailed explanation of the attack cannot be provided. This allows the manufacturers to work on a solution while reducing the risk of an exploitation of the vulnerability in the wild.
Download
You can download a preprint of the paper on ArXiv.
Cite us
You want to cite our work? Great! Here you can find the bib-file.
GitHub
Our evaluation source code will be available on GitHub soon. Make sure to check it out!
Get in touch
If you have any questions, feel free to reach out to us.
PGP Key
Background
The charging technology standardized as the Combined Charging System (CCS) — the name presented to a vehicle user — is in fact a collection of multiple technical standards. During the charging session, the Electric Vehicle (EV) and the Electric Vehicle Supply Equipment (EVSE) exchange important messages, such as the State of Charge (SoC) or the maximum possible current. The high-bandwidth IP link used for the communication is provided by the HomePlug Green PHY (HPGP) power-line communication (PLC) technology. Depending on the geographical region, CCS uses different plug types which are illustrated in Figure 1. Nevertheless, the underlying technology is the same.
(a) CCS Combo 1 (US).
(b) CCS Combo 2 (EU).
Attack Details****Some parts have been removed to allow manufacturers to work on countermeasures to ensure that the vulnerability is not exploited in the wild.****Method
We evaluated the attack in a lab environment under controlled settings for different distances between the charging cable and the attacker. Our testbed was composed of the same HPGP modems found in most EVs and charging stations. On the attacker side, we used a software-defined radio (LimeSDR) together with a 1 W RF amplifier and a self-made dipole antenna. In addition, we tested the attack in a real-world study on seven vehicles from different manufacturers and 18 DC high-power chargers.
Results
Figure 2 illustrates the results of our lab experiments. Our results indicate that off-the-shelf equipment is sufficient to execute the attack from up to 10 m away. With a power budget of 10 mW the attack was possible from 10 m away.
(a) Results in dBm.
(b) Results in mW.
Attack Demonstration
(a) Charger 1.
(b) Charger 2.
Questions & Answers
While it may only be an inconvenience for individuals, interrupting the charging process of critical vehicles, such as electric ambulances, can have life-threatening consequences.
Potentially! If your car has a charging port that looks like the one depicted in Figure 1, it is highly likely that the attack also works on your car.
Probably not. Most likely your home charger uses AC charging and a different communication standard (IEC 61851), so won’t be affected. This might change in the future though, with home chargers getting ISO 15118 support.
We’ve never seen any evidence of long-term damage caused by the Brokenwire attack. Based on our development work, we also have good reason to expect there isn’t any.
Right now, the only way to prevent the attack is not to charge on a DC rapid charger.
It depends on the situation. Brokenwire does not require physical access and can disrupt the charging of multiple cars at once from several meters away, making it a stealthy and scalable attack.
Contributors
Sebastian Köhler†
University of Oxford
Richard Baker†
University of Oxford
Martin Strohmeier
Armasuisse S+T
Ivan Martinovic
University of Oxford
†Both authors contributed equally to this research.
Ethical Considerations
Given the nature of the infrastructure under investigation, we collaborated with several government entities for our evaluation. We further took precautions to limit any risk of unintentional effects from our testing. We selected only test sites for which no other charging parks were within a reasonable range. We only executed the attack when no other vehicles were charging and could immediately abort the experiments if the conditions became uncontrolled. Outside our closed laboratory sites, we were limited to a maximum output power of 1 W to ensure our attack signal was compliant with all national transmission regulations.
Acknowledgements
We are grateful for the support from Armasuisse and EWZ (Elektrizitätswerk der Stadt Zürich).