Flaws in Rentable IoT Devices Threaten Citywide EV Charging Networks and Public Confidence
April 24, 2026
During a Black Hat Asia demonstration, Hetian Shi accessed a Chinese EV charging provider’s app, selected a charger in Shanghai, copied its ID into a script, and caused the charger’s status icon to change from green to gray, indicating a disabled port.
The vulnerabilities include accessible debugging interfaces and UART connectors, shared authentication keys in firmware, and backend services with weak user authentication, enabling manipulation of devices and resources.
Vendors acknowledged the findings and researchers aided mitigations; recommended defenses include stronger device identity, robust backend authorization, unique per-device credentials, locked-down debug ports, and improved abuse detection.
Shi's tests across 11 European bike and scooter apps found similar flaws, suggesting the issue is not China-specific and may be widespread across rentable IoT devices.
Researchers demonstrated that flaws in rentable IoT devices used for public EV charging, bikes, and scooters could enable attackers to disable ports or impersonate legitimate users, potentially shutting down citywide charging networks.
A related USENIX Security 2024 study by Tsinghua researchers analyzed 17 rentable IoT devices and 92 apps, identifying 57 vulnerabilities in 28 products, with 24 flaws capable of large-scale exploitation.
Weak resource IDs allow attackers to infer device or user identifiers and combine them with access-control bugs to scale exploits, threatening millions of users and devices when large numbers of chargers are affected.
Public chargers are high-risk because they integrate payments, cellular connectivity, cloud management, and grid-facing infrastructure, meaning widespread outages would undermine public confidence in EV adoption.
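The recommended backend authorization and abuse detection can be sketched as follows. This is an added example, not code from the researchers or any vendor; the account names, charger IDs, action names and denial threshold are constructed assumptions. It shows a port command being authorized by the caller's active session rather than by knowledge of a charger ID, with accounts flagged once they are refused on several distinct chargers.

```python
from collections import defaultdict

# Constructed sample data: active rental sessions as (account, charger_id) pairs.
ACTIVE_SESSIONS = {("alice", "SH-000123"), ("bob", "SH-000124")}
ALLOWED_ACTIONS = {"start", "stop"}   # assumed command set
DENIED_THRESHOLD = 3                  # assumed: distinct chargers refused before flagging


class Backend:
    """Hypothetical backend: charger IDs are treated as public, never as a secret."""

    def __init__(self, sessions, threshold=DENIED_THRESHOLD):
        self.sessions = set(sessions)
        self.threshold = threshold
        self.denied = defaultdict(set)  # account -> charger IDs it was refused on
        self.flagged = set()            # accounts handed to abuse review

    def authorize(self, account, charger_id, action):
        # Object-level check: the caller must hold a session on this exact charger.
        if action in ALLOWED_ACTIONS and (account, charger_id) in self.sessions:
            return True
        # Record the refusal; many distinct IDs from one account suggests enumeration.
        self.denied[account].add(charger_id)
        if len(self.denied[account]) >= self.threshold:
            self.flagged.add(account)
        return False


def replay(backend, requests):
    """Run (account, charger_id, action) requests and return each decision."""
    return [backend.authorize(*req) for req in requests]


# Constructed request log: one account walks neighbouring charger IDs.
REQUESTS = [
    ("alice", "SH-000123", "stop"),
    ("mallory", "SH-000123", "stop"),
    ("mallory", "SH-000124", "stop"),
    ("mallory", "SH-000125", "stop"),
    ("bob", "SH-000124", "stop"),
]

if __name__ == "__main__":
    backend = Backend(ACTIVE_SESSIONS)
    print(replay(backend, REQUESTS), sorted(backend.flagged))
```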
Summary based on 1 source
Source

TechSpot • Apr 24, 2026
Weak IoT security could make EV chargers vulnerable to mass shutdowns