Press release: Research unveils 17 new zero-days in EV Chargers

In our most recent research into the security of EV chargers, 17 new vulnerabilities (zero-days) were discovered in chargers manufactured by iocharger. These vulnerabilities were present in all AC models of iocharger. The research was conducted by external researcher Wilco van Beijnum and DIVD researcher Harm van den Brink.

The identified vulnerabilities could have allowed cybercriminals to take control of all chargers from this manufacturer, potentially destabilizing the energy grid. Sixteen of the 17 vulnerabilities have now been resolved and disclosed in close collaboration with the manufacturer.

The researchers found vulnerabilities in the iocharger Home and Pedestal models. However, the same vulnerable firmware is also present in all other AC-models of iocharger, including models sold under different brand names. Unfortunately, the researchers were unable to determine which other brands are affected.

Cyber Resilience Act: more security, but also more responsibility

The European Cyber Resilience Act requires manufacturers to provide security updates and maintenance instructions throughout the lifecycle of their products. The responsibility for applying these updates, which address vulnerabilities, lies with the end user.

Many end users are unaware of potential vulnerabilities or the importance of security updates. Additionally, they often lack access to their device to check the software version, apply updates, or verify whether updates have been correctly installed. As a result, they are dependent on their supplier, leaving systems vulnerable to cybercriminals.

This issue also affects iocharger users. It is difficult for them to verify whether their charger is running the correct software version, as iocharger does not publicly communicate firmware updates (e.g., on a website) but shares them exclusively with distributors.

While end users are responsible for maintaining the security of their devices, they are entirely dependent on intermediaries between themselves and the manufacturer. Without direct communication, users remain unaware of potential risks, and vulnerabilities may go unresolved. This highlights how fragile and complex the current system is for passing on critical information, allowing important security updates to easily fall through the cracks.

Quote from Frank Breedijk, Case Lead & responsible for manufacturer communication

“This is actually a very odd situation,” says Frank Breedijk, who served as case lead and handled communication with the manufacturer. “My smartphone notifies me when there’s an update, and for most software I can check the manufacturer’s website to see if a critical update is available. When products contain critical flaws that require me, as a consumer, to visit a store or dealer, recall actions are organized. However, for products like solar inverters or EV chargers, we seem to accept that the manufacturer quietly fixes the problem in the background (or doesn’t) or leaves fixes to a service organization. Consumers have no way of knowing whether such fixes are needed.
Maintenance companies in these industries go bankrupt, get acquired, switch products, or simply cease to exist, but the installations they leave behind remain in use. Moreover, there’s a dire shortage of qualified personnel in these sectors. I find it unacceptable that manufacturers are allowed to be so opaque about such essential maintenance.”

Our previous research in the energy sector
  • In 2024, DIVD researchers Hidde Smit and Wietse Boonstra identified six zero-day vulnerabilities in Enphase inverters, gaining full access to millions of solar panels.
  • In 2022, researcher Jelle Ursem discovered the super admin account credentials for SolarMan inverters, potentially allowing the sabotage of over a million devices.

In all of these cases, cybercriminals could disrupt and destabilize the energy grid.

The energy transition

During the energy transition, our energy system is becoming increasingly reliant on small energy sources (like solar panels) and large consumers (like heat pumps and electric vehicles). While individual devices have limited impact, large-scale manipulation by malicious actors could make the combined impact greater than that of Europe’s largest power plant. This increases the system’s vulnerability to disruptions and public unrest.

About DIVD

We are committed to researching and identifying vulnerabilities in devices connected to the energy grid. When we identify vulnerable systems, we notify their owners or administrators. Additionally, we contribute to raising awareness in the energy sector by publishing reports and sharing knowledge about the importance of cybersecurity and timely updates. Together, we aim to make the digital world a safer place.