If your red-team scope still stops at the parking-gate badge reader, congratulations—you are officially behind the times. While you were busy cloning 125 kHz prox cards, the target’s CFO plugged into a “free” Level-2 charger that now knows his VIN, his home address, and whether he watches YouTube while the battery tops off. Today’s mission: show you how to weaponize that exact blind spot with nothing more than open source intelligence, a five-dollar SDR dongle, and the same morbid curiosity that keeps me awake during DEF CON talks.
Why Chargers Are the New Red-Team Candy Store
Modern EV chargers are IoT devices bolted to concrete. They run Linux, expose cellular or Wi-Fi, speak the Open Charge Point Protocol (OCPP), and almost always phone home to a cloud dashboard that somebody forgot to harden. Compromise the dashboard and you can:
- Push malicious firmware over the air (OCPP “UpdateFirmware”)
- Remotely stop/start sessions to strand a vehicle
- Sniff the ISO-15118 “Plug-and-Charge” handshake to harvest certificates
- Inject fake RFID UIDs to bill charging costs to corporate fleet cards
- Geo-locate exec vehicles in real time—every time they juice up
In other words, you don’t need to pop the infotainment; you simply compromise the wet string the car trusts every night after work. That pivot often ends with a shell on the vehicle’s modem, but the attack chain starts in public data that is hilariously easy to find.
If you need a refresher on how to turn public data into weaponized intel, our OSINT for Social Engineering: Red Team Playbook walks through the recon-to-exploit cycle step-by-step.
Step 1: Map the Attack Surface with OSINT
I break the recon phase into three buckets: geo, vendor, and owner. Each gives you pivot points that plug straight into Kindi’s graph and keep you from manually eyeballing 10,000 charger pins on PlugShare.
Geo Harvest
Use Overpass Turbo to dump every amenity=charging_station inside a 50 km radius of HQ. Export as GeoJSON, feed into Kindi, and auto-enrich with Shodan hits on port 8080 or 9000. Anything that answers HTTP and returns “ocpp” in the header goes into the hot list. Typical yield: 200+ chargers, 12 with web console exposed, 3 using default creds “admin/admin”. Welcome to 2026.
Vendor Fingerprints
Charger vendors love to brag. Search LinkedIn posts for “Excited to join ChargePoint” or “New deployment of ABB Terra 184s.” Each post leaks the corporate customer, the installer, and often a photo of the serial plate. Feed that serial into the vendor’s public API; many concatenate serial with MAC address in predictable ways, giving you the exact 24-bit OUI to target when you rock up with a Wi-Fi Pineapple in monitor mode.
Owner Footprints
Most commercial chargers operate under an LLC created specifically for tax rebates. Query the state business registry for names containing “EV,” “Green,” or “Charge.” Once you have the holding company, pivot to property tax records to obtain the exact parcel ID. Now you know where the CCTV cameras point and whether the lot is shared with a Starbucks—perfect for loitering with a Raspberry Pi in a coffee cup.
| Data Source | Typical Leak | Red-Team Win |
|---|---|---|
| PlugShare reviews | Usernames & timestamps | Driver schedule |
| Shodan “open charge” tag | HTTP 200 on port 80 | Firmware upload |
| FCC ID photos | Internal PCB shots | JTAG pin-out |
| Google Street View | QR code on housing | Direct admin URL |
Need a primer on chaining public sources into a single timeline? Our friends in uniform do the same dance when they use OSINT to boost threat intelligence and battlefield awareness.
Step 2: Weaponize OCPP without Reading 400 Pages of Spec
OCPP is basically HTTP with JSON and a sprinkle of TLS that nobody enables. Four messages matter:
- BootNotification – charger boots, sends vendor / model / serial. Spoof this to register a rogue charger under the same cloud account.
- Authorize – RFID card checked against back-end. Replay a captured UID: you bill your charging to the CEO’s fleet account.
- RemoteStartTransaction – start a session. Combine with geofence to strand the vehicle once SOC hits 100 %.
- UpdateFirmware – signed URL from the vendor. Replace firmware.bin with a Meterpreter-ized build and pivot into the car.
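The four messages above are exactly what a blue team should be watching on the charger-to-backend link. The following is an added example, not code from the original post or from any vendor: a small monitor that parses OCPP 1.6-J CALL frames (`[2, uniqueId, action, payload]`) and raises an alert when a BootNotification arrives from a serial that is not in the asset inventory, when the same RFID idTag is authorised at two different chargers inside a short window, or when an UpdateFirmware location is not HTTPS or not on the approved firmware host list. The inventory, the host allowlist, and the message log are constructed sample data.

```python
"""Detection checks over OCPP 1.6-J frames observed on the charger/CSMS link.

Added example (not from the original post). KNOWN_SERIALS, FIRMWARE_HOSTS and
SAMPLE_LOG are constructed stand-ins for an operator's real inventory and traffic.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Assumed asset inventory: serial numbers of chargers the operator actually owns.
KNOWN_SERIALS = {"CP-0001", "CP-0002"}
# Assumed allowlist of hosts permitted to serve firmware images.
FIRMWARE_HOSTS = {"firmware.vendor.example"}
# Same RFID tag authorised at two different chargers within this window is suspicious.
REPLAY_WINDOW_S = 300

CALL = 2  # OCPP-J MessageTypeId for a request frame


def check_frame(frame, charger_id, ts, state):
    """Return alert strings for one OCPP-J frame seen on charger_id's connection at time ts."""
    msg = json.loads(frame)
    if msg[0] != CALL:
        return []  # CALLRESULT / CALLERROR carry no action to inspect here
    _, _uid, action, payload = msg
    alerts = []

    if action == "BootNotification":
        serial = payload.get("chargePointSerialNumber", "")
        if serial not in KNOWN_SERIALS:
            alerts.append(f"{charger_id}: BootNotification from unknown serial {serial!r}")

    elif action == "Authorize":
        tag = payload.get("idTag", "")
        for prev_charger, prev_ts in state["auth"][tag]:
            if prev_charger != charger_id and abs(ts - prev_ts) <= REPLAY_WINDOW_S:
                alerts.append(
                    f"{charger_id}: idTag {tag} also authorised at {prev_charger} "
                    f"{abs(ts - prev_ts)}s earlier (possible cloned/replayed RFID)")
                break
        state["auth"][tag].append((charger_id, ts))

    elif action == "UpdateFirmware":
        location = payload.get("location", "")
        url = urlparse(location)
        if url.scheme != "https":
            alerts.append(f"{charger_id}: UpdateFirmware location is not https: {location}")
        elif url.hostname not in FIRMWARE_HOSTS:
            alerts.append(f"{charger_id}: UpdateFirmware from unapproved host {url.hostname}")

    return alerts


def scan_log(records):
    """records: iterable of (unix_ts, charger_id, raw_json_frame). Returns all alerts in order."""
    state = {"auth": defaultdict(list)}
    alerts = []
    for ts, charger_id, frame in records:
        alerts.extend(check_frame(frame, charger_id, ts, state))
    return alerts


# Constructed sample traffic: two known chargers, one rogue, a shared fleet card, two firmware pushes.
SAMPLE_LOG = [
    (1000, "CP-0001", '[2,"1","BootNotification",{"chargePointVendor":"ACME","chargePointModel":"T1","chargePointSerialNumber":"CP-0001"}]'),
    (1001, "CP-0002", '[2,"1","BootNotification",{"chargePointVendor":"ACME","chargePointModel":"T1","chargePointSerialNumber":"CP-0002"}]'),
    (1002, "CP-9999", '[2,"1","BootNotification",{"chargePointVendor":"ACME","chargePointModel":"T1","chargePointSerialNumber":"CP-9999"}]'),
    (1100, "CP-0001", '[2,"2","Authorize",{"idTag":"FLEET-CARD-42"}]'),
    (1160, "CP-9999", '[2,"2","Authorize",{"idTag":"FLEET-CARD-42"}]'),
    (1200, "CP-0002", '[2,"3","UpdateFirmware",{"location":"https://firmware.vendor.example/t1/2.3.bin","retrieveDate":"2026-01-01T00:00:00Z"}]'),
    (1201, "CP-0001", '[2,"4","UpdateFirmware",{"location":"http://203.0.113.7/firmware.bin","retrieveDate":"2026-01-01T00:00:00Z"}]'),
]

if __name__ == "__main__":
    for line in scan_log(SAMPLE_LOG):
        print("ALERT", line)
```

Running the sample produces three alerts: the rogue BootNotification, the fleet card reused at a second charger 60 seconds later, and the plain-HTTP firmware push. The idTag check is deliberately per-tag rather than per-charger so that a cloned card shows up even when each individual charger's traffic looks normal.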
Proof-of-concept: at a recent Fortune 100 engagement we found the vendor’s firmware signing key embedded in a public GitHub repo (because of course). One curl -X POST later, we had 42 chargers phoning home to our C2. Total time: 90 minutes. Blue team never knew until we sent them a photo of the CFO’s Tesla on the projector.
Step 3: From Charger to Car—Pivoting into the Vehicle
Modern EVs trust the charger for more than electrons. ISO-15118 “Plug-and-Charge” exchanges TLS certificates to authenticate billing. Steal the charger’s cert, clone it onto a rogue DC fast charger in the hotel parking lot, and you become a trusted energy provider. The car happily negotiates a TLS session, exposing its own private key if the cipher suite is weak. Once you have that, you can:
- Remotely unlock doors via the OEM API (many reuse the same cert)
- Track GPS every time the vehicle charges
- Push over-the-air updates that the car thinks are signed by the OEM
And yes, we validated this on a 2025 German luxury EV. The automaker asked us not to name them until the fix lands—so I won’t, but rhymes with “Porsche.”
Defensive Takeaways for the Blue Team
If you are on the defending side, start with these low-hanging controls:
- Inventory every charger your employees use (yes, even the free ones at the mall)
- Demand mutual TLS on OCPP 2.0.1 and rotate keys quarterly
- Monitor firmware hashes with a canary file that screams if the binary changes
- Mandate VPN or cellular whitelisting—no charger should reach the Internet on port 80
- Run a quarterly red-team exercise that includes “EV charger red-team hijack” in the rules of engagement
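The firmware-hash control in the list above is simple to implement and worth doing properly. The following is an added example, not code from the original post or from any charger vendor: it builds a SHA-256 baseline of the firmware image on each charger, and on every later sweep reports per-charger drift (unchanged, modified, newly appeared, or gone) and also checks each image against the set of vendor releases the operator has approved, so a charger that was already tampered with when it was baselined is still caught. The firmware bytes, charger IDs and release names are constructed stand-ins.

```python
"""Firmware integrity audit for a fleet of EV chargers.

Added example (not from the original post). Images would normally be retrieved
over the management channel; here GOOD_FW_* and TAMPERED_FW are constructed bytes.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(images: dict) -> dict:
    """{charger_id: firmware_bytes} -> {charger_id: sha256 hex} taken on a known-good day."""
    return {cid: sha256_hex(blob) for cid, blob in images.items()}


def audit_fleet(images: dict, baseline: dict, approved_releases: dict) -> dict:
    """Return {charger_id: (drift, release)}.

    drift   : 'ok' | 'MODIFIED' | 'UNBASELINED' | 'MISSING'
    release : approved release name, 'UNAPPROVED' if the hash matches no approved image,
              or None when the charger produced no image at all ('MISSING').
    """
    report = {}
    for cid, blob in images.items():
        digest = sha256_hex(blob)
        release = approved_releases.get(digest, "UNAPPROVED")
        if cid not in baseline:
            drift = "UNBASELINED"
        elif digest != baseline[cid]:
            drift = "MODIFIED"
        else:
            drift = "ok"
        report[cid] = (drift, release)
    for cid in baseline:
        if cid not in images:
            report[cid] = ("MISSING", None)  # charger stopped reporting; investigate
    return report


# Constructed firmware images: a good release and a tampered copy of it.
GOOD_FW_2_3 = b"ACME-T1-FW-2.3" + bytes(range(256))
GOOD_FW_2_2 = b"ACME-T1-FW-2.2" + bytes(range(256))
TAMPERED_FW = GOOD_FW_2_3[:-16] + b"\xcc" * 16

# Hashes of releases the operator has vetted (assumed to come from the vendor's signed release notes).
APPROVED_RELEASES = {sha256_hex(GOOD_FW_2_3): "2.3", sha256_hex(GOOD_FW_2_2): "2.2"}

# Day 0: everything known-good.  Day 30: one charger modified, one new, one silent.
IMAGES_DAY0 = {"CP-0001": GOOD_FW_2_3, "CP-0002": GOOD_FW_2_3, "CP-0004": GOOD_FW_2_2}
IMAGES_DAY30 = {"CP-0001": GOOD_FW_2_3, "CP-0002": TAMPERED_FW, "CP-0003": GOOD_FW_2_3}
BASELINE = build_baseline(IMAGES_DAY0)

if __name__ == "__main__":
    for cid, (drift, release) in sorted(audit_fleet(IMAGES_DAY30, BASELINE, APPROVED_RELEASES).items()):
        print(f"{cid}: {drift:12} release={release}")
```

Only CP-0001 comes back clean; CP-0002 is flagged both as drifted from its baseline and as running an image that matches no approved release, CP-0003 appears without a baseline entry, and CP-0004 has gone silent. Storing the baseline and the approved-release hashes somewhere the charger management server cannot write to is what turns this into the "canary that screams" rather than a file an attacker with the dashboard can quietly update.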
Blue teams drowning in SOC alerts can offload some pain by integrating OSINT to prioritize alerts and unmask real threats in SOC environments.
Automating the Drag with Kindi
Manually pivoting through 1,000 chargers is a one-way ticket to carpal tunnel. Instead, I feed every discovered serial, MAC, and OCPP endpoint into Kindi. The platform auto-enriches with breach data, leaked firmware, and even GitHub commits that reference the same charger model. Within minutes I have a live graph showing which chargers share firmware signing keys, which ones expose HTTP, and which corporate email addresses appear in associated breach dumps. That visual alone usually convinces the CISO to fund the remediation before lunch.
Wrap-Up
Red teams love novel attack surfaces, and EV chargers are the juiciest bypass since printer trays. The whole kill chain—from finding the target to owning the ride—can be executed with open source intelligence, a bit of RF trickery, and a healthy disrespect for vendor claims. If your rules of engagement still ignore the parking lot, update them. If you’re defending, start treating chargers like the Linux servers they are—because the bad guys already do.
Want to strengthen your OSINT skills? Check out our OSINT courses for hands-on training.
And explore Kindi, our AI-driven OSINT platform built for speed and precision.
FAQ
Q1: Is it illegal to scan EV chargers?
A: Scanning publicly reachable IPs is generally legal, but always verify your local laws and client agreements.
Q2: Do I need special hardware to sniff OCPP?
A: A cheap RTL-SDR or Wi-Fi dongle in monitor mode is enough for most RF or IP traffic.
Q3: Which charger vendors are the worst offenders?
A: Based on public disclosure stats, smaller OEMs that ship OCPP 1.6 with plain HTTP as the default fare worst, but always verify yourself.
Q4: Can this attack scale to an entire fleet?
A: Yes. Once you own the central management server, every enrolled charger and connected vehicle is at risk.
Q5: Does OCPP 2.0 fix the issues?
A: It adds TLS and signed firmware, but only if both sides enable it—rare in real-world deployments today.