New security flaw could permanently disable electric vehicle chargers, researchers warn
- Paige Haines

- Dec 23, 2025
- 4 min read
A team of researchers has unveiled PIBuster, a novel vulnerability affecting electric vehicle (EV) charging stations. The attack exploits Qualcomm HomePlug GreenPHY (HPGP) modems, ubiquitous in Combined Charging System (CCS) infrastructure, and can render charging units permanently inoperable by manipulating a hidden configuration file.
The findings raise serious concerns for governments and operators racing to expand EV networks across the United States and Europe. Researchers stated, “With the increasing reliance on the availability of EV charging infrastructure, its security has become critical, and many governments are already classifying charging stations as national critical infrastructure.” What they found is a “single configuration byte” is responsible for taking stations down indefinitely.
A Single Byte, And a Permanent Shutdown
At the core of the vulnerability lies the Parameter Information Block (PIB), a proprietary configuration file used in every Qualcomm HPGP modem. The PIB stores settings including MAC address, encryption keys, and control flags. Crucially, its contents can be remotely rewritten, a feature intended for network configuration.
The researchers discovered that a single byte at offset 0x1F8C determines whether a charging station accepts remote read/write commands. When configured incorrectly, stations allow unauthorised overwrites of their PIB. The team “confirmed that changing only this field of vulnerable PIBs prevents the attack, and changing it on the Vector PIB enables it.”
In real-world terms, a hostile attacker with physical access to a charging cable could corrupt the PIB to disable the station permanently. The system would then require hardware replacement, not a software update. The authors warn that certain modifications can “leave the chip unable to perform the initial PLC handshake needed for EV charging,” and that recovery options are limited; in some cases the easiest solution is “to replace the entire PLC module.”
41 of 69 Real-World Chargers Were Vulnerable
To test how widespread the issue is, the team collected PIBs from public CCS charging stations in California. Using a laboratory testbed designed to avoid harming real infrastructure, they evaluated each PIB against the discovered exploit.
Of 69 charging connectors sampled, 41 allowed remote reads of their PIBs. Every one of those 41 also accepted remote writes in testing. The paper notes that the hardware and software used to prototype the attack were simple: they used “a Raspberry Pi... [an] evaluation board” and a basic signaling circuit in their experiments.
Notably, vehicles themselves may be impacted. The researchers examined a PIB from a single EV and found it vulnerable. They warn that widespread vehicle exposure could give attackers access to mobile targets, not just stationary chargers.
A Testbed That Reproduces Real-World Chargers Safely
Due to the risk of harming public charging stations, the researchers designed a controlled testing environment. They used identical PLC modems, flashed various PIBs onto one device, and attempted remote overwrites from another, isolating PIB behaviour while holding firmware and hardware constant. As the paper states, their experiments “confirmed our hypothesis that the PIB contains a setting that determines the attack success.”
The secure behaviour observed in one commercial charger, the Vector vSECC.single, provided a contrast. Its PIB blocked all remote reads and writes. The team obtained the Vector PIB and used it in their testbed, confirming that changing only the critical byte fully toggled security on or off: by binary-searching PIB bytes they “revealed that the byte at PIB offset 0x1F8C is responsible for our observations.”
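The bisection the team describes can be simulated offline. The following Python is an added example, not code from the paper or the researchers: two constructed PIB images differ at offset 0x1F8C and at unrelated noise offsets, and a stand-in oracle replaces the hardware testbed. Only the offset comes from the paper; the image size, the flag values and the noise are assumptions.

```python
import random

PIB_SIZE = 0x2000          # assumed image size; it only needs to cover 0x1F8C
CRITICAL_OFFSET = 0x1F8C   # the offset the paper identifies
VULN_FLAG, SECURE_FLAG = 0x00, 0x01  # constructed values, not the real ones

def make_test_images(seed=1, noise_diffs=40):
    """Constructed 'vulnerable' PIB image plus a 'secure' variant that differs
    at CRITICAL_OFFSET and at `noise_diffs` unrelated offsets (noise)."""
    rng = random.Random(seed)
    vulnerable = bytearray(rng.getrandbits(8) for _ in range(PIB_SIZE))
    vulnerable[CRITICAL_OFFSET] = VULN_FLAG
    secure = bytearray(vulnerable)
    secure[CRITICAL_OFFSET] = SECURE_FLAG
    others = [o for o in range(PIB_SIZE) if o != CRITICAL_OFFSET]
    for off in rng.sample(others, noise_diffs):
        secure[off] ^= 0x5A          # XOR with a non-zero mask always changes the byte
    return bytes(vulnerable), bytes(secure)

def simulated_accepts_remote_write(pib):
    """Stand-in for the hardware testbed: True if a modem flashed with `pib`
    would accept an unauthenticated remote PIB write (constructed rule)."""
    return pib[CRITICAL_OFFSET] == VULN_FLAG

def bisect_responsible_offsets(vulnerable, secure, oracle):
    """Copy bytes from `secure` onto `vulnerable` for a shrinking set of
    offsets until the oracle stops reporting 'accepts writes'. Returns the
    smallest offset set found and the number of testbed trials used."""
    trials = 0

    def flips(offsets):
        nonlocal trials
        trials += 1
        hybrid = bytearray(vulnerable)
        for o in offsets:
            hybrid[o] = secure[o]
        return not oracle(bytes(hybrid))

    candidates = [i for i in range(len(vulnerable)) if vulnerable[i] != secure[i]]
    if not flips(candidates):
        raise ValueError("secure image does not change the oracle result")
    while len(candidates) > 1:
        half = len(candidates) // 2
        left, right = candidates[:half], candidates[half:]
        if flips(left):
            candidates = left
        elif flips(right):
            candidates = right
        else:
            break  # the fix needs bytes from both halves; report the current set
    return candidates, trials

if __name__ == "__main__":
    vuln, sec = make_test_images()
    offs, n = bisect_responsible_offsets(vuln, sec, simulated_accepts_remote_write)
    print([hex(o) for o in offs], "found in", n, "trials")
```

With 41 differing bytes the search needs roughly a dozen testbed trials instead of one per byte, which is what makes the approach practical on real hardware.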
A Low-Tech Threat With High Impact
Because attackers only require physical access to the charging plug, and basic technical knowledge, the researchers classify the vulnerability as a “low-cost, high-impact” threat. The paper describes feasible attacker actions, including the ability to:
- corrupt essential configuration fields,
- disable SLAC,
- modify MAC addresses or encryption keys, and
- write persistent changes that survive reboots and, in some cases, require hardware replacement.
The authors explicitly note that one high-impact result is that the PLC modem “entirely and persistently disconnects from the host,” and that recovery may require replacing the PLC module.
Why This Happened
The researchers emphasise this is a misconfiguration, not a code bug. They write: “Our results highlight two key points… First, our attack is simply due to a misconfiguration, not due to a bug in the code.” They add that a permissive default contributed to the deployment of insecure devices, observing that “the issue instead is that a configuration with potential major security impact was left insecure by default.”
PIB remote write access was likely intended for legitimate management, like onboarding modems or updating network credentials. But in EV infrastructure, that convenience becomes a security flaw. As the paper summarises: “Based on our experience building the PIB collector, we found that it is entirely possible to implement parts of the CCS protocol with only access to public information.” Their dataset suggests many vendors used the insecure default PIB.
Vehicles and Home Networks May Also Be At Risk
The vulnerability is not exclusive to public charging stations. Many consumer HomePlug devices share the same architecture. However, household networks typically require authenticated access, providing additional barriers.
Still, the authors caution that exposure may be broader: they note that while their evaluation focused on chargers, “vehicles also contain the same HPGP modems,” and that obtaining and analysing more vehicle PIBs would be useful future work.
What Comes Next
The researchers recommend manufacturers:
- audit PIB configurations,
- disable remote read/write functionality where unnecessary,
- adopt secure defaults rather than permissive ones, and
- issue updates or recalls where necessary.
They also note Qualcomm’s response: “Qualcomm has treated the issue very seriously, and has acknowledged it as a vulnerability in their product. To address this, future firmware versions will default to the secure mode, regardless of the configuration option.”
Finally, they summarise the broader lesson for the security community: “Second, research has frequently shown that security through obscurity does not work.”