CybersecurityTransportationClimateTechEnergy

Black Hat USA 2025 | Smart Charging, Smarter Hackers: The Unseen Risks of ISO 15118

Black Hat
Black HatMar 25, 2026

Why It Matters

ISO 15118 could be the linchpin for a resilient, decarbonized grid, but unchecked charger vulnerabilities risk large‑scale outages and data breaches, threatening both energy security and consumer trust.

Key Takeaways

  • ISO 15118 enables smart‑charging and V2G to stabilize grids
  • Plug‑and‑Charge replaces RFID with PKI‑based digital certificates
  • Centralizing billing with EMSPs improves policy enforcement, raises breach scope
  • Charging stations remain out‑of‑scope, exposing physical and firmware risks
  • Missing time‑sync and enforcement lets compromised stations bypass security

Summary

The Black Hat USA 2025 talk examined ISO 15118, the emerging standard that underpins smart‑charging and vehicle‑to‑grid (V2G) communication for electric vehicles. By allowing chargers to modulate demand and feed power back to the grid, the protocol promises to alleviate grid strain and absorb renewable surpluses, a need highlighted by the 2025 Spain blackout that left millions without power.

Garolo outlined how ISO 15118 mitigates legacy threats: digital certificates stored in the vehicle replace RFID cards, authenticating sessions via TLS and shifting payment handling to a centralized e‑mobility service provider (EMSP). This reduces unauthorized charging and creates a unified security policy layer, though a breach at the EMSP could expose data for millions of users.

The speaker warned that the standard’s focus on the vehicle‑to‑charger link leaves the charger itself vulnerable. Audits reveal many stations run on off‑the‑shelf hardware with open debug ports, making them ripe for physical tampering, firmware replacement, denial‑of‑service attacks, and unsafe power delivery. Moreover, ISO 15118 lacks a trusted time‑source sync, allowing a compromised charger to accept expired or revoked certificates.

The takeaway for industry stakeholders is clear: adopting ISO 15118 is necessary but not sufficient. Manufacturers must harden charger hardware, enforce firmware integrity, and implement robust time‑synchronization. Regulators and OEMs should expand certification to cover the full cyber‑physical ecosystem, ensuring the promised grid benefits do not introduce new attack surfaces.

Original Description

The rise of electric vehicles (EVs) is reshaping global mobility, paving the way for a cleaner, more sustainable future. But this shift is not without challenges. By 2040, more than 600 million EVs are expected to be on the roads, placing enormous pressure on our electricity grids. This could lead to instability and disruptions in the electricity supply, particularly during peak demand.
To address this challenge, the International Organization for Standardization released 15118 - a standard that introduces technologies like smart charging and Vehicle-to-Grid communication. These innovations not only help reduce the pressure on the grid, but also promise to enhance the user experience of charging an EV, making it more intuitive and, more importantly, secure. That said, while resolving several critical cybersecurity issues, the standard also introduces new risks.
This session will explore how ISO 15118 reshapes the threat landscape of EV charging. We will examine the cybersecurity implications of the standard, looking at the risks it mitigates, shifts, and creates. In fact, while ISO 15118 offers substantial improvements, we argue that the standard is not sufficient to fully secure the EV charging ecosystem. Using ISO 15118 as an example, we will demonstrate how standards and policies - even those that explicitly target cybersecurity - can inadvertently introduce new attack vectors, making them a double-edged sword.
By:
Salvatore Gariuolo | Senior Threat Researcher, Trend Micro Inc.
Presentation Materials Available at:

Comments

Want to join the conversation?

Loading comments...