DCeption: Real-world Wireless Man-in-the-Middle Attacks Against CCS EV Charging

📅 2026-01-21
🤖 AI Summary
This study addresses the security risks in the Combined Charging System (CCS) that arise from wireless signal leakage in HomePlug Green PHY (HPGP) communications. The authors present the first real-time software-defined radio (SDR) implementation of HPGP and build a wireless man-in-the-middle framework capable of hijacking live CCS sessions. They analyze 2,750 real-world charging sessions to understand the timing constraints for hijacking, and demonstrate control over TLS usage (including TLS stripping), CCS protocol version negotiation, and power delivery information. In experiments, they caused a vehicle to display a charging power exceeding 900 kW on its dashboard while it received only 40 kW, and remotely overcharged a vehicle at twice the requested current for 17 seconds before the vehicle triggered an emergency shutdown. To mitigate the underlying vulnerabilities, the authors propose a backward-compatible, downgrade-proof protocol extension.

📝 Abstract
The adoption of Electric Vehicles (EVs) is happening at a rapid pace. To ensure fast and safe charging, complex communication is required between the vehicle and the charging station. In the globally used Combined Charging System (CCS), this communication is carried over the HomePlug Green PHY (HPGP) physical layer. However, HPGP is known to suffer from wireless leakage, which may expose this data link to nearby attackers. In this paper, we examine active wireless attacks against CCS, and study the impact they can have. We present the first real-time Software-Defined Radio (SDR) implementation of HPGP, granting unprecedented access to the communications within the charging cables. We analyze the characteristics of 2,750 real-world charging sessions to understand the timing constraints for hijacking. Using novel techniques to increase the attacks' reliability, we design a robust wireless Man-in-the-Middle evaluation framework for CCS. We demonstrate full control over TLS usage and CCS protocol version negotiation, including TLS stripping attacks. We investigate how real devices respond to safety-critical MitM attacks, which modify power delivery information, and find target vehicles to be highly permissive. First, we caused a vehicle to display charging power exceeding 900 kW on the dashboard, while receiving only 40 kW. Second, we remotely overcharged a vehicle, at twice the requested current for 17 seconds before the vehicle triggered the emergency shutdown. Finally, we propose a backwards-compatible, downgrade-proof protocol extension to mitigate the underlying vulnerabilities.

Problem

Research questions and friction points this paper is trying to address.

Wireless Man-in-the-Middle
CCS
EV Charging
HPGP
Security Vulnerability
Innovation

Methods, ideas, or system contributions that make the work stand out.

Software-Defined Radio (SDR)
HomePlug Green PHY
Man-in-the-Middle Attack
CCS EV Charging
Protocol Downgrade Protection