
Weak Security in Public EV Chargers Exposes Cities to Attacks

Severity: High (Score: 66.0)

Sources: The Register

Summary

At the Black Hat Asia conference on April 24, 2026, researcher Hetian Shi revealed significant vulnerabilities in rented IoT infrastructure, particularly public electric vehicle (EV) chargers and shared e-bikes. Shi demonstrated how attackers could exploit weak security measures, including shared authentication keys and inadequate user verification, to disable EV chargers across an entire city. His tool, IDScope, allows for the creation of phantom clients, enabling attackers to charge vehicles or rent scooters without cost. The vulnerabilities were found in apps from both Chinese and European providers, indicating a widespread issue.

Shi's findings highlight a critical security gap in IoT services that prioritize user convenience over robust security measures. These vulnerabilities could lead to large-scale denial of service attacks, affecting urban mobility and public services. The demonstration at the conference garnered significant attention, emphasizing the urgent need for improved security protocols in IoT devices.

Key Points

  • Public EV chargers and shared e-bikes are vulnerable to denial of service attacks.
  • Researcher Hetian Shi demonstrated how weak security allows attackers to disable chargers.
  • The tool IDScope can exploit vulnerabilities in both Chinese and European IoT services.

Key Entities

  • DDoS (attack_type)
  • China (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • CWE-798 - Use of Hard-coded Credentials (cwe)
  • IOS (platform)
  • IDScope (tool)