UpskillNexus

Malware at the Charging Station: How Public EV Chargers Are Becoming Cybercrime Hotspots

As electric vehicles (EVs) accelerate into the mainstream, the infrastructure supporting them, especially public charging stations, has grown rapidly. But while EV chargers are a convenience for drivers, they’re also becoming a new attack surface for hackers.

A new form of cyberattack is emerging: malware delivered via public EV charging stations. This tactic blends physical proximity with digital intrusion, allowing cybercriminals to target your car, your phone, and your personal data right while you’re fueling up for the road ahead.

Let’s explore how this threat works, why it’s on the rise, a real-world case study, and practical steps to protect yourself and your vehicle.

Why EV Charging Is Becoming a Threat Vector

Electric vehicles rely on high-tech systems for everything from battery management to GPS, infotainment, and diagnostics. When you plug your car or smartphone into a public EV charging station, especially one that supports USB data transfer, Wi-Fi sync, or app integration, you’re essentially establishing a digital handshake with a third-party device.

If that charger has been compromised, you’re potentially handing over:

  • Your device’s file system
  • Your GPS location
  • Your connected accounts (Google, Apple, etc.)
  • And in the worst-case scenario, the car’s onboard systems

Public EV chargers, especially those in parking lots, malls, or free-use stations, often lack cybersecurity oversight. They’re designed for convenience, not resilience. And cybercriminals know this.

How the Attack Works: “Juice Jacking” 2.0

The term “juice jacking” originally referred to attackers using USB charging stations to install malware or steal data from connected smartphones.

But now, that concept has evolved.

Welcome to Juice Jacking 2.0, the EV version. Here’s how the attack unfolds:

Step 1: Compromising the Station

Hackers either physically tamper with the charger or infect its backend software remotely:

  • They plant malware in the charger’s firmware or operating system.
  • Sometimes, they use supply chain vulnerabilities, embedding malicious code before the device is even installed.

Step 2: Connection Initiated

When a user plugs in:

  • A USB or data interface silently syncs with the user’s smartphone or EV system.
  • If the port allows two-way communication, the malware executes its payload.

Step 3: Exploitation Begins

Depending on the sophistication of the attack, malware can:

  • Infect the car’s infotainment or GPS systems
  • Access driving history, contact lists, and synced accounts
  • Track movement, harvest personal schedules, or even initiate remote commands

Some versions may stay dormant until triggered remotely, a technique often used in state-sponsored cyber surveillance.

Real-World Scenario: Los Angeles EV Charger Hack

In early 2025, several EV chargers in a busy Los Angeles shopping mall were discovered to be maliciously modified. Here’s what happened:

  • Chargers offered USB ports for mobile device charging, along with an app for loyalty points.
  • Hackers embedded malware into both the charger firmware and the app backend.
  • When drivers plugged in their cars or phones, the malware executed:

    • It accessed GPS logs from the car’s system.
    • It synced with Google Calendar or iCloud from connected smartphones.
    • Sensitive contacts and email metadata were quietly uploaded to a remote server.

The attackers used this information to plan phishing attacks, location-based scams, and even physical break-ins when the car owner was known to be out of town.

No vehicles were damaged directly, but over 300 users reported suspicious account activity within days.

Why This Threat Is Getting Smarter

Thanks to AI-generated payloads, these attacks are evolving:

  • Malware is now adaptive, recognizing whether it’s connected to an Android, iOS, or a vehicle.
  • Some AI-enhanced malware can disguise itself as a software update.
  • Others delay activation to avoid detection, activating only when the car hits a certain location or after a specific time window.

These intelligent payloads make the attack more difficult to trace and exponentially more dangerous.

Safety Tips: How to Protect Your EV and Devices

Luckily, there are simple ways to shield yourself from this emerging cyber threat.

1. Avoid Untrusted Charging Stations

  • Prefer chargers from reputable EV networks (e.g., Tesla Superchargers, ChargePoint, BP Pulse).
  • Avoid free or unbranded charging units in remote areas or unfamiliar parking lots.

2. Use Charge-Only USB Cables

These cables physically block data transfer, only allowing electricity to pass through. They’re inexpensive and well suited to mobile phone charging in public places.

For EVs, use manufacturer-certified charging cables and avoid aftermarket add-ons or cable extensions with USB features.

3. Install In-Car Cybersecurity Software

Many modern cars now allow third-party or OEM-installed security systems that:

  • Scan incoming connections
  • Block unauthorized data access
  • Alert drivers to suspicious activity

Think of it as antivirus software, but for your car.

4. Disable Auto-Sync Features

Turn off:

  • Auto Bluetooth pairing
  • App sync with your car’s infotainment system
  • Automatic media sharing

Especially when charging in public environments, limiting what gets shared reduces your digital footprint.

5. Update Firmware Regularly

  • Keep your EV’s operating system and apps up to date.
  • Check for patches from your automaker or infotainment provider.
  • If you use charging network apps (e.g., PlugShare, Electrify America), update them from official app stores only.

For EV Infrastructure Providers: Secure by Design

As this threat grows, charging station manufacturers and providers must take responsibility by integrating cybersecurity from the ground up.

Recommended actions:

  • Implement end-to-end encryption for all charger communications
  • Use tamper-proof hardware enclosures
  • Conduct penetration testing and firmware validation
  • Install automatic rollback mechanisms if malware is detected
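
One way a charger could implement the firmware validation and automatic rollback recommended above, as an added example (not code from any charging vendor). The A/B slot names, the manifest layout and the key are assumptions; HMAC stands in here for the asymmetric vendor signature a real device would verify.

```python
import hashlib
import hmac

# Constructed demo key. A real charger would verify an asymmetric vendor
# signature with a public key held in hardware; HMAC is a stdlib stand-in.
MANIFEST_KEY = b"constructed-demo-key"


def sign_manifest(version: str, image: bytes) -> dict:
    """Vendor side (hypothetical): bind version and image digest together."""
    digest = hashlib.sha256(image).hexdigest()
    msg = f"{version}:{digest}".encode()
    tag = hmac.new(MANIFEST_KEY, msg, hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "tag": tag}


def image_is_valid(image: bytes, manifest: dict) -> bool:
    """Charger side: check the manifest tag first, then the image digest."""
    msg = f"{manifest['version']}:{manifest['sha256']}".encode()
    expected = hmac.new(MANIFEST_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False  # the manifest itself was altered
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])


def select_boot_slot(slots: dict, active: str, fallback: str) -> tuple:
    """Return (slot_to_boot, event); roll back if the active image fails."""
    for slot, event in ((active, "ok"), (fallback, "rollback")):
        image, manifest = slots[slot]
        if image_is_valid(image, manifest):
            return slot, event
    return None, "halt"  # refuse to run unverified firmware


def demo() -> list:
    good = b"charger-fw-1.4.0 (constructed sample image)"
    newer = b"charger-fw-1.5.0 (constructed sample image)"
    slots = {"A": (newer, sign_manifest("1.5.0", newer)),
             "B": (good, sign_manifest("1.4.0", good))}
    results = [select_boot_slot(slots, "A", "B")]
    # Slot A's bytes change after its manifest was issued.
    slots["A"] = (newer + b"\x00tampered", slots["A"][1])
    results.append(select_boot_slot(slots, "A", "B"))
    # The fallback image is corrupted as well: nothing trustworthy is left.
    slots["B"] = (good[:-1], slots["B"][1])
    results.append(select_boot_slot(slots, "A", "B"))
    return results
```

The "rollback" and "halt" events are the ones an operator would want forwarded to backend monitoring, since either means an image on the charger no longer matches what the vendor issued.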

Cybersecurity must be baked into the product, not bolted on later.

Charging Safely in a Connected World

EVs are the future, but the security landscape around them is still maturing. Just as you wouldn’t use an unknown ATM for fear of card skimming, you should approach public EV chargers with the same caution.

Juice Jacking 2.0 is a reminder that even the most mundane digital interactions, like powering up your ride, can have hidden risks.

But with awareness, the right tools, and secure habits, you can enjoy the convenience of EVs without opening the door to cybercrime.
