TY - EJOU
AU - Kim, Yu-Bin
AU - Shin, Dong-Hyuk
AU - Euom, Ieck-Chae
TI - Comprehensive Black-Box Fuzzing of Electric Vehicle Charging Firmware via a Vehicle to Grid Network Protocol Based on State Machine Path
T2 - Computers, Materials & Continua
PY - 2025
VL - 84
IS - 2
SN - 1546-2226
AB - The global surge in electric vehicle (EV) adoption is proportionally expanding the EV charging station (EVCS) infrastructure, thereby increasing the attack surface and potential impact of security breaches within this critical ecosystem. While ISO 15118 standardizes EV-EVCS communication, its underspecified security guidelines and the variability in manufacturers’ implementations frequently result in vulnerabilities that can disrupt charging services, compromise user data, or affect power grid stability. This research introduces a systematic black-box fuzzing methodology, accompanied by an open-source tool, to proactively identify and mitigate such security flaws in EVCS firmware operating under ISO 15118. The proposed approach systematically evaluates EVCS behavior by leveraging the state machine defined in the ISO 15118 standard for test case generation and execution, enabling platform-agnostic testing at the application layer. Message sequences, corresponding to valid and mutated traversals of the protocol’s state machine, are generated to uncover logical errors and improper input handling. The methodology comprises state-aware initial sequence generation, simulated V2G session establishment, targeted message mutation correlated with defined protocol states, and rigorous response analysis to detect anomalies and system crashes. Experimental validation on an open-source EVCS implementation identified five vulnerabilities. These included session integrity weaknesses allowing unauthorized interruptions, billing manipulation through invalid metering data acceptance, and resource exhaustion vulnerabilities from specific parameter malformations leading to denial-of-service. The findings confirm the proposed method’s capability in pinpointing vulnerabilities often overlooked by standard conformance tests, thus offering a robust and practical solution for enhancing the security and resilience of the rapidly growing EV charging infrastructure.
KW - Internet of Things (IoT) security; risk assessment; data privacy; fuzzing test; electric vehicle charger security
DO - 10.32604/cmc.2025.063289