With the UK government’s ban on new petrol and diesel cars looming in 2035, the rollout of public charging infrastructure has become a national priority. But as we rush to install chargers across motorways and city centres, we need to consider if the security is keeping pace with our connectivity.
Cybersecurity is a pillar of operational resilience. A public EV charger isn’t just a plug socket, it’s an internet-connected device, a point-of-sale terminal, and a potential gateway into the national power grid.
For Charge Point Operators (CPOs), the risks are operational and reputational and for the end-user it’s personal. Below, we break down our take on the top 10 cybersecurity risks currently facing the public EV charging ecosystem.
Our Top 10 Breach Risks
1. The “Brokenwire” Effect (Grid Instability)
Perhaps the most feared scenario for nation-states and operators alike is the weaponisation of charging networks. Researchers have already demonstrated attacks (such as 🔗Brokenwire) where hackers can wirelessly interrupt charging sessions en masse.
The Risk: If a threat actor simultaneously starts or stops thousands of high-voltage chargers, the sudden fluctuation in demand could destabilise the local power grid, causing blackouts or damaging transformers.
2. “Quishing” (QR Code Phishing)
A low-tech but highly effective attack targeting the driver. Cybercriminals paste their own malicious QR codes over the legitimate ones on public chargers.
The Risk: Drivers scan the code to pay, unwittingly handing their credit card details to a cloning site. The car doesn’t charge, and the money is stolen.
3. Man-in-the-Middle (MitM) Attacks
Many older charging stations communicate with back-end management systems using outdated or unencrypted protocols (like early versions of OCPP).
The Risk: Hackers intercept the data flowing between the charger and the central network. They can alter pricing, mask the status of the charger, or intercept customer payment tokens in transit.
4. Juice Jacking (Data Siphoning)
While less common than in mobile phones, the risk of data transfer via the charging cable is real. Modern EVs “talk” to the charger (Handshaking) to manage power flow.
The Risk: Compromised charging stations could theoretically attempt to query the vehicle’s internal software, extracting Vehicle Identification Numbers (VINs) or connected phone data, aiding in vehicle theft or identity fraud.
5. Ransomware on CPO Networks
Charge Point Operators are essentially running large IoT (Internet of Things) networks.
The Risk: If a CPO’s back-end network is breached, attackers can deploy ransomware that “bricks” the entire network of chargers, displaying error messages and refusing power until a fee is paid. For a logistics fleet relying on these chargers, this is a business-critical outage.
6. Physical Port Tampering
Public chargers are often unattended in remote areas.
The Risk: Attackers can physically open maintenance ports (USB, Ethernet) on the hardware to inject malware directly into the station’s firmware. This “sleeper” malware can then spread to the central network or to connected cars.
7. API Vulnerabilities
Most EV charging is managed via smartphone apps. These apps rely on APIs (Application Programming Interfaces) to talk to the servers.
The Risk: Poorly secured APIs are a goldmine for hackers. Recent research into popular EV apps revealed flaws that allowed unauthorised users to query the location of other drivers, view their charging history, and even stop their charging sessions remotely.
8. Bypass & Energy Theft
Not all attacks are sophisticated. Some are simply about stealing power.
The Risk: By manipulating the firmware or using cloned RFID cards, bad actors can trick the station into dispensing free electricity. While this seems minor, at scale, it represents significant revenue leakage for operators.
9. Supply Chain Compromise
The hardware and software for chargers often come from different vendors, sometimes with obscure supply chains.
The Risk: If a hardware manufacturer ships a component with a default password (e.g., “admin/1234”) or a backdoor pre-installed, the CPO inherits that vulnerability from day one.
10. GDPR & Privacy Leakage
EV charging generates a wealth of data: where you are, how long you stay, and your payment details.
The Risk: A breach of a CPO’s database isn’t just an operational failure; it’s a GDPR nightmare. Leaking the movement patterns of thousands of users is a severe privacy violation that attracts heavy regulatory fines.
The Impact
It’s easy to get lost in the technical “how” of these attacks, but the “who” is equally important.
- For the Operator: It’s a question of Operational Resilience. Can your business survive if 50% of your network goes offline on a Monday morning? The cost isn’t just lost revenue; it’s the erosion of trust.
- For the User: It’s a safety issue. A stranded driver in a remote location unable to charge their vehicle due to a cyber-glitch is a physical safety risk.
Resilience: Built-In, Not Bolted-On
The EV transition is vital, and the technology is incredible. However, as we build this new infrastructure, we must ensure security is not an afterthought.
At Mondas, we aim to start with the basics when supporting CPOs. This means rigorous stress-testing of hardware before it’s deployed, continuous monitoring of network traffic for anomalies, and ensuring that operational resilience is baked into the business continuity plan.
As we move toward a smarter, greener future, let’s make sure it’s a secure one too.
This article was brought to you by our Sales and Marketing Manager at Mondas, learn more about George on LinkedIn.
Article First Published 03/02/2026
