The adoption of Electric Vehicles (EVs) is happening at a rapid pace. To ensure fast and safe charging, complex communication is required between the vehicle and the charging station. In the globally used Combined Charging System (CCS), this communication is carried over the HomePlug Green PHY (HPGP) physical layer. However, HPGP is known to suffer from wireless leakage, which may expose this data link to nearby attackers. In this paper, we examine active wireless attacks against CCS and study the impact they can have. We present the first real-time Software-Defined Radio (SDR) implementation of HPGP, granting unprecedented access to the communications within the charging cables. We analyze the characteristics of 2,750 real-world charging sessions to understand the timing constraints for hijacking. Using novel techniques to increase the attacks' reliability, we design a robust wireless Man-in-the-Middle (MitM) evaluation framework for CCS. We demonstrate full control over TLS usage and CCS protocol version negotiation, including TLS stripping attacks. We investigate how real devices respond to safety-critical MitM attacks that modify power delivery information, and find the target vehicles to be highly permissive. First, we cause a vehicle to display a charging power exceeding 900 kW on the dashboard while it receives only 40 kW. Second, we remotely overcharge a vehicle at twice the requested current for 17 seconds before the vehicle triggers its emergency shutdown. Finally, we propose a backwards-compatible, downgrade-proof protocol extension to mitigate the underlying vulnerabilities.