
Weak Security Means Attackers Could Disable All of a City's Public EV Chargers
Why It Matters
If attackers can remotely disable or misuse public EV chargers, municipalities risk service outages, revenue loss, and reduced consumer confidence in electric mobility.
Key Takeaways
- Shared IoT devices expose common authentication keys in firmware.
- Debug ports allow attackers to reprogram public EV chargers.
- Phantom clients can charge vehicles or rent scooters for free.
- Attack tool IDScope can disable chargers city‑wide in seconds.
- European bike‑share apps show similar vulnerabilities.
Pulse Analysis
The rapid rollout of shared‑mobility hardware—public electric‑vehicle chargers, dockless scooters and e‑bikes—has outpaced security best practices. Providers prioritize seamless onboarding and low‑cost maintenance, often deploying devices with hard‑coded credentials and unsecured debugging interfaces. At Black Hat Asia, Tsinghua researcher Hetian Shi highlighted how these shortcuts create a single point of failure: an attacker who discovers a shared key or UART port can gain full control over a device’s firmware and network functions. The demonstration on a Shanghai charging station illustrated that a simple script can flip a charger’s status from available to disabled in under two seconds.
Shi’s open‑source tool, IDScope, automates the exploitation of these flaws across multiple vendors. By reverse‑engineering mobile apps, the tool can generate phantom client identities that bypass authentication, allowing free rides or unauthorized charging sessions. The researcher’s tests covered eleven European bike‑share applications, confirming that the vulnerability pattern is not confined to China. The ability to mass‑disable chargers threatens municipal infrastructure, potentially crippling electric‑vehicle adoption in cities that rely on public charging to meet climate goals.
For operators and city planners, the takeaway is clear: security must be baked into IoT product design, not retrofitted. Implementing per‑device certificates, disabling unused debug ports, and enforcing robust API authentication can mitigate large‑scale attacks. Regulators may soon mandate security certifications for rentable mobility assets, mirroring emerging EU cybersecurity directives. As the EV market expands, safeguarding the underlying charging network will be essential to maintain public trust and protect municipal revenue streams.
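The difference between a shared firmware key and per-device credentials can be measured as the number of devices one leaked key exposes. The sketch below is an added example, not code from the article, the researcher, or IDScope; it substitutes HMAC-derived per-device symmetric keys for the per-device certificates named above, and every name, key and message format in it is hypothetical.

```python
import hashlib
import hmac

# Constructed sample values; none come from the article or any real product.
SHARED_FIRMWARE_KEY = b"same-key-in-every-unit"       # weak: identical in every image
BACKEND_MASTER_SECRET = b"kept-only-on-the-backend"   # never shipped to devices
COMMAND = "set_status:disabled"                       # hypothetical message format


def per_device_key(device_id):
    """Derive a unique key per device, provisioned once at manufacture."""
    return hmac.new(BACKEND_MASTER_SECRET, device_id.encode(), hashlib.sha256).digest()


def sign(key, device_id, counter, command):
    """The tag binds the command to one device and one counter value."""
    msg = f"{device_id}|{counter}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Backend:
    """Hypothetical API backend that authenticates device messages."""

    def __init__(self, per_device):
        self.per_device = per_device
        self.last_counter = {}

    def accept(self, device_id, counter, command, tag):
        key = per_device_key(device_id) if self.per_device else SHARED_FIRMWARE_KEY
        expected = sign(key, device_id, counter, command)
        if not hmac.compare_digest(expected, tag):
            return False                      # wrong key or tampered message
        if counter <= self.last_counter.get(device_id, 0):
            return False                      # replayed or stale message
        self.last_counter[device_id] = counter
        return True


def exposed_devices(backend, leaked_key, fleet):
    """Devices for which a key recovered from one unit still authenticates."""
    return [d for d in fleet
            if backend.accept(d, 1, COMMAND, sign(leaked_key, d, 1, COMMAND))]


if __name__ == "__main__":
    fleet = ["charger-001", "charger-002", "charger-003"]
    print(exposed_devices(Backend(False), SHARED_FIRMWARE_KEY, fleet))
    print(exposed_devices(Backend(True), per_device_key("charger-001"), fleet))
```

With the shared key the whole fleet is exposed by one extraction; with derived keys the exposure stops at the unit that was opened, which is also why the debug port on each unit still needs to be disabled.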