The Register

Weak security means attackers could disable all of a city’s public EV chargers

Black Hat Asia: Developers of rented internet of things infrastructure – stuff like public EV chargers and shared e-bikes – are prioritizing user convenience over security, and leaving themselves exposed to wide-scale denial of service attacks on their services.

That frightening thesis was the subject of a Friday talk at the Black Hat Asia conference, delivered by Hetian Shi, a hardware and IoT security researcher at China’s Tsinghua University.

Shi told the conference the very nature of rented IoT services means they have a unique security problem: Anyone can access devices and examine them for vulnerabilities. The researcher conducted his probes with permission, and disclosed the results ethically – for which we should all be thankful because he discovered that some rentable devices include either a debugging port or a UART connector that makes examining their operations an uncomplicated task for an educated attacker.

His own efforts yielded evidence of shared authentication keys in device firmware, and backend services that don’t properly authenticate users.

The researcher also investigated the apps that rentable IoT providers publish so consumers can access their services and again found weak security that allowed him to do things like create phantom clients that rentable IoT services could not distinguish from actual customers. Using phantom clients makes it possible for an attacker to charge cars or rent scooters at zero cost.

Shi said the techniques he’s developed can also compromise personal information by exposing rentable IoT services’ back ends.

He’s created a tool called “IDScope” that makes it possible to exploit many of the flaws he found, and during his talk he demonstrated it by running the iOS app for a Chinese provider of public electric vehicle charging stations.

Shi asked the audience to nominate a Chinese city – Shanghai was the popular choice – and then looked up available chargers in People’s Square, a major shopping and recreation district. The app produced a list of chargers and which ones were available to use.

Shi asked the audience to choose which of the available chargers he should attack, noted the ID number for that charger listed in the app, and entered that number into a script. A second or two later, the icon in the app for that charger changed color from green – which denotes availability for charging – to the grey hue that indicates a disabled port.

The app was in Chinese and your correspondent can’t read that language so I can’t say with certainty what I witnessed, but the demo drew spontaneous applause from others in the audience – and plenty of people here at Black Hat have come from the Chinese-speaking world.

Shi thinks the techniques he created also make it possible to deny service, and do so at scale – creating the possibility of taking out an entire city’s network of EV chargers.

And not just in China: The researcher tested 11 apps published by European providers of shared bikes and scooters, and found similar problems – suggesting his findings will be applicable elsewhere.

He theorized that the flaws he found are the result of developers trying to build services that users find convenient, at the expense of security. ®
