Your EV Charger Is a 47-Meter Security Disaster: The Brokenwire Wake-Up Call

Right, pull up a chair and buckle in, because we need to have a conversation about the EV charging clusterfuck that's been hiding in plain sight while the automotive industry has been busy sniffing its own exhaust fumes and congratulating itself on saving the bloody planet.

If you're at an EV charging hub right now, listen very carefully: that charging cable you're fondling is a 47-meter antenna broadcasting your vulnerability to any tosser with £200 worth of kit from eBay and the technical sophistication of a particularly motivated teenager.

Oxford researchers just confirmed what should have every electric vehicle owner, fleet operator, and critical service provider in the UK absolutely shitting themselves. The "Brokenwire" attack can kill your charging session wirelessly, and it's not some sophisticated nation-state cyber weapon requiring years of development and millions in funding. It's a fundamental design cockup so monumentally stupid it makes Brexit look like a well-planned strategic decision.

The attack is built into the bloody standards that govern 12 million electric vehicles worldwide. Not a bug. Not an oversight. A FEATURE.

The worst part? We've known about this catastrophic balls-up since 2019, and the industry's response has been to stick their fingers in their ears, hum "God Save the King," and pretend the problem will disappear if they ignore it hard enough.

The Attack That Makes a Complete Mockery of Modern Engineering

Here's how completely, catastrophically fucked our EV charging infrastructure is: Oxford University researchers, working with Swiss federal agency Armasuisse, demonstrated they can wirelessly interrupt the charging of any electric vehicle using the Combined Charging System (CCS) from up to 47 meters away using equipment that costs less than the average Londoner spends on overpriced coffee in a month.

The charging cable doesn't just "act like" an antenna. It IS a bloody antenna. Not metaphorically. Not "sort of like" an antenna. It's a massive, unshielded, completely unprotected electromagnetic receiver just sitting there in public car parks, begging to be exploited by anyone with a basic understanding of radio frequency and the moral compass of a car park ticket inspector.

Sebastian Köhler and his team proved you can:

• Force charging sessions to abort instantly (like pulling the plug, but wireless)

• Attack individual vehicles or entire fleets simultaneously (mass disruption)

• Operate wirelessly from a safe distance (no need to get your hands dirty)

• Use off-the-shelf radio equipment with minimal technical knowledge (YouTube University level)

• Target from 47 meters away with just 1 watt of power (less power than a bloody phone charger)

The attack exploits the HomePlug Green PHY power-line communication technology that CCS uses for the "essential" communication between your car and the charger. Every time your £60,000 Tesla and the charging station have their little digital chat about battery state, maximum current, or charging progress, they're using a protocol called CSMA/CA that's designed to prevent communication collisions.

The problem? It's like having a polite conversation in a library where everyone whispers and waits their turn, except any dickhead with a megaphone can show up and scream nonsense until everyone gives up and goes home.

It's not sophisticated. It's not clever. It's the digital equivalent of jamming a phone conversation by shouting "LA LA LA" over it, except the "conversation" controls whether your car actually charges or sits there like an expensive paperweight.

12 Million Vehicles, One Spectacular Design Disaster

This isn't some corner-case vulnerability affecting a few dodgy charging stations behind abandoned Tesco car parks. The Brokenwire attack affects every single electric vehicle using the Combined Charging System, which is the dominant DC fast charging standard in Europe and North America. Every. Single. One.

The scope is absolutely staggering and completely terrifying:

• 12 million battery EVs currently on roads worldwide (sitting ducks, all of them)

• Every CCS-compatible charging station (most public DC fast chargers)

• Heavy-duty electric trucks, buses, and even electric ships (critical infrastructure)

• Emergency vehicles: ambulances, fire trucks, police cars (people die when these don't charge)

• Fleet vehicles for logistics, delivery, and emergency services (economic chaos)

The researchers tested their attack against seven different vehicle models and 18 different charging stations in real-world conditions. It worked every bloody time. Not sometimes. Not "mostly." EVERY TIME.

BMW, Mercedes, Volkswagen, Tesla (on CCS), Ford, GM: if your electric vehicle uses CCS charging, you're vulnerable. Period. Full stop. End of discussion. It doesn't matter which manufacturer built your car or your charger. It doesn't matter how much you paid. It doesn't matter how "premium" your brand is. The flaw is baked into the communication standards themselves like raisins in a Christmas cake: HomePlug Green PHY, DIN 70121, and ISO 15118.

You could buy the most expensive, most secure, most cutting-edge electric vehicle on the market today, and a 19-year-old with a software-defined radio and a grudge could still disable your charging from the car park across the street.

The Timeline of Spectacular Institutional Incompetence

2019: Initial research identifies vulnerabilities in EV charging communication (WARNING SHOT FIRED) 2022: Oxford researchers publish Brokenwire attack details, responsibly disclose to manufacturers (SECOND WARNING) 2023: Comprehensive research presented at Network and Distributed System Security Symposium (THIRD BLOODY WARNING) 2024: South Korean researchers confirm the attack and propose partial mitigations (FOURTH WARNING, WITH KOREAN EFFICIENCY) 2025: You're still completely fucked, and the industry's official advice is "don't use DC fast charging" (INDUSTRY THROWS IN TOWEL)

Six years. SIX BLOODY YEARS since the fundamental vulnerability was identified, and what's the industry's masterful solution? Don't use the primary feature that makes electric vehicles practical for anything longer than a trip to the corner shop.

That's like discovering that airbags can be disabled remotely by teenagers with pocket money and telling people to "just drive more carefully and maybe avoid motorways." It's not a solution: it's institutional negligence dressed up as risk management and served with a side of complete denial.

The automotive industry has had more time to fix this than it took to develop the bloody internet, and their response has been to shrug, mumble something about "ongoing research," and hope that consumers are too stupid to understand what "your charging cable is an antenna" actually means.

Real-World Impact: When "Inconvenience" Becomes "Body Count"

Let's be brutally fucking clear about what "disrupted charging" means in practice, because the automotive press keeps treating this like a mild inconvenience rather than a critical infrastructure failure that could literally kill people.

For individual drivers: Your £60,000 electric status symbol shows "charging error," you disconnect and reconnect like you're trying to fix a dodgy Wi-Fi connection, and hopefully, the attacker has gotten bored and moved on to something more entertaining. Annoying but manageable, unless you're running low on battery in an unfamiliar area with limited charging options, in which case you're properly screwed.

For emergency services: An electric ambulance that can't charge is a mobile coffin. Electric fire trucks that can't charge might as well be very expensive garden ornaments while buildings burn. Electric police vehicles that can't charge can't respond to emergencies, meaning criminals get a free pass and citizens suffer. The researchers specifically noted that "interrupting the charging process of critical vehicles, such as electric ambulances, can have life-threatening consequences." LIFE-THREATENING. As in people die.

For commercial fleets: Logistics companies that invested millions in electric delivery trucks suddenly find their entire operation can be shut down by some basement-dwelling script kiddie with a grudge against Amazon and £200 worth of radio equipment. The attack can target individual vehicles or entire fleets simultaneously, meaning one attacker can paralyze hundreds of vehicles at once.

For energy grid stability: Mass charging disruption doesn't just affect transportation; it cascades into the energy infrastructure like dominoes falling. Indian researchers demonstrated this scenario in real-world microgrids, proving the attack can destabilize local power networks and cause frequency excursions that affect entire communities.

This isn't theoretical. This isn't academic. This is "people die and infrastructure fails" level serious, and the industry's response has been to stick their heads in the sand like a bunch of ostriches who've been hit with stupid sticks.

The Engineering Hubris That Created This Absolute Shitshow

The Brokenwire vulnerability exists because the EV charging industry made the same catastrophic mistake that every "move fast and break things" technology sector makes: they prioritized getting products to market over not killing people, and they treated security like an optional extra you can bolt on later, like heated seats or a premium sound system.

Power-line communication (PLC) technology was never, EVER designed for security-critical applications where people's lives depend on it working. It was developed for industrial automation and smart grid applications where physical security was assumed and the worst-case scenario was a factory machine stopping, not an ambulance being unable to respond to a heart attack.

Dropping PLC into EV charging, where cables are physically accessible to any tosser with bad intentions and electromagnetic interference is trivial to generate, was always going to be a security disaster. It's like using tissue paper for body armor and being surprised when bullets go through it.

The CSMA/CA protocol that enables the attack isn't a bug, it isn't an oversight, it isn't something that can be patched: it's a required feature of the HomePlug Green PHY standard. This means every single compliant implementation is vulnerable by design. You can't patch your way out of a standards-level architectural flaw any more than you can patch gravity.

The charging cable becoming an antenna isn't an unexpected side effect: it's basic fucking physics that any first-year engineering student should understand. Any conductor can act as an antenna under the right conditions. The fact that the industry built critical infrastructure communication around unshielded cables without considering electromagnetic interference shows the kind of stunning incompetence that should result in engineering licenses being revoked and executives being banned from making decisions that affect public safety.

VicOne's analysis noted: "The root cause of this attack lies in the combination of the current charging protocol and systems." Translation: We built this entire infrastructure wrong from the ground up, and now we're all fucked.

The Mitigation Theatre: Solutions That Would Make a Comedy Writer Weep

The proposed "solutions" to Brokenwire are such spectacular examples of security theatre that they should be framed and hung in museums as warnings about what happens when industries prioritize public relations over public safety.

"Use shielded cables": Retrofitting millions of charging stations with proper electromagnetic shielding would cost billions, require years of infrastructure replacement, and involve admitting that the current design is fundamentally flawed. The researchers politely noted this approach has "limited scalability" and makes it "unattractive." Translation: It's financially impossible and the industry would rather pretend the problem doesn't exist than spend money fixing it.

"Detect unusual interference patterns": Charging stations could theoretically monitor for attack signatures and maybe, possibly, perhaps detect when someone is attacking them. This requires firmware updates across millions of deployed systems (good luck with that), assumes attackers won't adapt their techniques (spoiler: they will), and provides absolutely no protection during the actual attack. It's like installing a smoke detector after your house has already burned down and calling it fire prevention.

"Automatic reconnection": Some galaxy-brain engineers propose that charging sessions should automatically restart after interruption. This doesn't prevent the attack, it doesn't stop the attack, it doesn't mitigate the attack: it just creates a potentially dangerous loop of connect/disconnect cycles while the attacker sits there laughing and pressing the "attack" button repeatedly like they're playing some demented mobile game.

"Move to different frequencies": The fundamental protocol architecture remains vulnerable regardless of frequency. This is like suggesting we solve knife attacks by making knives in different colors while keeping the sharp pointy bits exactly the same.

The industry's current official recommendation? "Right now, the only way to prevent the attack is not to charge on a DC rapid charger."

Let me repeat that for those in the back: DON'T USE THE INFRASTRUCTURE THAT MAKES ELECTRIC VEHICLES PRACTICAL.

Problem solved, everyone! We've eliminated EV charging vulnerabilities by eliminating EV charging! Genius! It's like curing cancer by shooting the patient: technically effective, but missing the fucking point entirely.

What This Means for UK Businesses

If your organisation has invested in electric vehicles or is planning the transition to EVs, the Brokenwire vulnerability represents a fundamental operational risk that nobody in the automotive industry wants to discuss honestly.

Fleet operators managing electric delivery vehicles, service trucks, or company cars need to understand that your entire operational capability can be disrupted by someone with basic technical skills and equipment costing less than a laptop.

Critical service providers using electric emergency vehicles are betting lives on infrastructure that can be disabled wirelessly from nearly 50 meters away. When the ambulance can't charge, people die. When the fire truck can't charge, buildings burn. When police vehicles can't charge, public safety suffers.

Logistics companies transitioning to electric commercial vehicles are creating single points of failure that malicious actors can exploit to disrupt supply chains, damage business reputation, and create massive operational costs.

The insurance implications alone should terrify any risk manager. How do you explain to your insurer that your electric fleet was disabled by electromagnetic interference? What's your business continuity plan when attackers can wirelessly prevent your vehicles from charging?

The Broader Security Ecosystem Collapse

Brokenwire isn't just about EV charging; it's a symptom of the systematic security failure across the Internet of Things and critical infrastructure more broadly.

We're connecting everything without securing anything. Smart cities, connected vehicles, industrial control systems: they're all being deployed with the same "move fast and break things" mentality that created the Brokenwire vulnerability.

The charging cable becoming an antenna is just one example of how physical-world systems become attack vectors when we rush to add connectivity without considering security implications. Every IoT device, every connected system, every "smart" upgrade is potentially creating new attack surfaces that we don't understand and can't secure.

The EV charging industry had six years to fix this problem. Six years of responsible disclosure, academic research, industry conferences, and regulatory awareness. The result? The vulnerability remains unfixed, and the official recommendation is to avoid using the infrastructure.

What does this say about our ability to secure critical infrastructure as we become increasingly dependent on connected systems?

The Path Forward (If Anyone Cares)

Here's what actually needs to happen, though I'm not holding my breath waiting for the industry to grow a spine:

1. Standards Overhaul: HomePlug Green PHY, DIN 70121, and ISO 15118 need fundamental security reviews and architectural changes. The current standards are security disasters by design.

2. Mandatory Electromagnetic Shielding: New charging infrastructure should require proper shielding for communication cables. Yes, it's expensive. Yes, it's slower to deploy. So is rebuilding your reputation after critical infrastructure fails.

3. Alternative Communication Protocols: The industry needs to move away from PLC-based communication to dedicated secure channels that don't turn charging cables into antennas.

4. Regulatory Enforcement: Governments need to stop treating automotive cybersecurity as a voluntary best practice and start mandating security standards with real penalties for non-compliance.

5. Transparent Vulnerability Disclosure: The industry's current approach of hiding security problems while pretending they don't exist needs to end. Public safety requires public awareness of public risks.

The Uncomfortable Truth That Nobody Wants to Hear

Electric vehicles are the future, but the current charging infrastructure is a security disaster so catastrophic that it makes the Titanic look like a minor navigational oversight.

The Brokenwire attack represents everything that's wrong with how we approach cybersecurity in critical infrastructure: rush products to market first, think about not killing people later, hope nobody notices the fundamental design flaws, and when someone does notice, stick your fingers in your ears and pretend really hard that the problem will magically disappear.

I'm not anti-EV. I drive electric, I support the transition away from fossil fuels, and I understand the environmental necessity of electrification. But I absolutely refuse to pretend that good intentions excuse inexcusably dangerous engineering, and I won't participate in the industry-wide delusion that environmental benefits justify putting people's lives at risk.

The fact that 12 million electric vehicles worldwide can have their charging disabled wirelessly by attackers using equipment that costs less than a night out in London is not an acceptable state of affairs for critical infrastructure. It's professional negligence on a scale that should result in criminal charges, prison sentences, and industry executives being banned from making decisions that affect public safety.

The fact that we've known about this for six years and the industry's solution is "don't use DC fast charging" is corporate manslaughter disguised as customer advisory notices.

When your electric ambulance can't charge and someone dies while waiting for help, remember that the automotive industry knew this was possible, had six years to fix it, and chose quarterly profits over preventing deaths.

When your business fleet gets disabled by electromagnetic interference from some dickhead with a radio and your operations grind to a halt, remember that this was an entirely preventable disaster that the industry chose to ignore because fixing it would cost money and admitting the problem exists would damage share prices.

The charging cable being a 47-meter antenna isn't a bug, it isn't an oversight, it isn't something that will be fixed in the next software update: it's the inevitable result of an industry that treats security as an afterthought, treats customer safety as someone else's problem, and hopes that good marketing will somehow overcome fundamentally dangerous engineering.

Pull up a chair and strap in, because this is just the beginning. As we become more dependent on connected infrastructure designed by people who couldn't secure a cardboard box with a padlock, we're going to discover that safety was optional in every single system we now consider critical to modern life.

Your move, automotive industry. Fix this properly, admit you fucked up spectacularly, fire the executives responsible for this disaster, and start treating customer safety like it actually matters, or just admit publicly that you care more about quarterly profits than preventing deaths and let the market decide whether people want to buy potentially lethal products from companies that can't be bothered to implement basic safety measures.

Either way, stop lying to consumers about the safety of infrastructure that can be disabled by teenagers with pocket money and basic electronics knowledge.