\documentclass[conference,flushend]{iaria} % (based on IEEEtran.cls)
% The class iaria.cls loads biblatex/biber with correct IARIA settings
% as well as a set of common packages (times, inputenc[utf8], fontenc[T1],
% graphicx, xcolor, url, orcidlink, hyperref, extdash[shortcuts])
\usepackage{subfigure}
\usepackage{csquotes}
\usepackage{svg}
\usepackage{float}
% prevent overflowing URLs in bibliography
\usepackage{xurl}
\DeclareFieldFormat*{url}{}
\DeclareFieldFormat[misc]{url}{\mkbibacro{URL}\addcolon\space\url{#1}}
\DeclareFieldFormat*{urldate}{}
\DeclareFieldFormat[misc]{urldate}{\mkbibparens{\bibstring{urlseen}\space#1}}
\addbibresource{references.bib}
\title{Discharge Attacks on Electric Vehicles}
\author{
\IEEEauthorblockN{%
Jakob Löw\orcidlink{0009-0006-7088-8684}, Dominik Bayerl\orcidlink{0000-0003-0439-066X}, Kevin Mayer\orcidlink{0000-0002-5597-3913}, Hans-Joachim Hof\orcidlink{0000-0002-6930-9271}}
\IEEEauthorblockA{%
CARISSMA Institute of Electric, Connected and Secure Mobility \\
University of applied sciences Ingolstadt \\
Ingolstadt, Germany \\
e-mail: {\tt$\lbrace$jakob.loew\,|\,dominik.bayerl\,|\,hof$\rbrace$@thi.de, kevin.mayer@fau.de}
} }
\begin{document}
\maketitle
\begin{abstract}
In recent years, sales of electric vehicles have skyrocketed. Fueled by rising gas prices and government incentives, many companies as well as private car owners have switched from internal combustion engine vehicles to battery electric vehicles.
Even though today's battery electric vehicles come with very large batteries, they are currently only charged from the grid and then used for traveling.
In this paper we discuss the possibility of discharging the battery of electric vehicles both for powering local consumers and for stabilizing the grid.
We show how this can be achieved using off-the-shelf components, rather than expensive application-specific hardware.
We also show how this approach can be abused as an attack in order to steal energy and immobilize parked vehicles.
\end{abstract}
\begin{IEEEkeywords}
charging; fast charging; ccs; iso15118; DC charging; electric vehicle; vehicle charging.
\end{IEEEkeywords}
\section{Motivation}
\section{Battery charging standards} \label{sec:iso15118}
% TODO: modify text (currently copy pasta from securware paper)
% add DIN SPEC
% remove unimportant parts
% maybe split this into multiple subsections? e.g.:
% - add overview over iso15118/dinspec/-2/-20/chademo/gbt
% - one section with a schematical connection diagram (battery, charging station, communication lines, power lines etc., probably split up evse into internal components)
% - move charging station design (AC vs DC) here?
% - one section is dinspec/iso15118 basic steps
While charging a vehicle with AC requires little to no communication,
DC charging stations on the other hand are required to communicate to the vehicle for properly supplying the correct voltage and power to the battery.
For this high level communication, the industry standard ISO15118 \cite{isoiec_isoiec_2012} was created, enabling interoperability between different vehicle manufacturers and charging station vendors.
The standard is based on more or less common standards for all layers of the Open Systems Interconnection (OSI) model:
After the initial handshake of the low level communication, as described in the previous section, the charging station signals the vehicle to use high level communication by supplying a PWM duty cycle of 5\%.
Afterwards, a powerline communication is modulated on top of the PWM signal between the charge pilot and protective earth.
To prevent the crosstalk problems \cite{li_crosstalk_2019, theethayi_parameters_2003, ngo_bisse_crosstalk_2023} that usually arise with powerline communication, ISO15118-3 \cite{isoiec_isoiec_2012-1} describes \enquote{Signal Level Attenuation Characterization} (SLAC).
SLAC measures the interference on the powerline communication line, matches vehicles with their nearest charging station connected to the powerline, and exchanges a network key for encryption.
Once powerline communication is established, IPv6 with link-local stateless autoconfigured addresses is used on top for communication between the charging station and the vehicle.
While the ISO15118-2 standard \cite{isoiec_isoiec_2012} itself is based on the Transmission Control Protocol (TCP), first a User Datagram Protocol
(UDP) broadcast service discovery is used for exchanging IPv6 addresses as well as the port to connect to.
Afterwards the TCP connection is established, and from there on used for transmitting actual payloads required for starting a charging session and controlling charging limits.
For encoding payloads on this TCP connection the standard defines a \enquote{Vehicle to Grid Transfer Protocol} (V2GTP) packet format, which apart from some metadata contains one large payload blob encoded in the \enquote{Efficient XML Interchange} (EXI) format.
The ISO15118-2 standard defines a list of request messages sent from the vehicle to the charging station and corresponding response messages sent from the charging station to the vehicle.
Before charging can start, payment and precharging have to be performed.
For payment, the vehicle first asks the charging station for supported payment methods.
As of today, mostly the \verb'external' payment method is used, which requires the user to pay through an app, RFID card or electronic cash.
The standard also supports certificate-based authentication, which will be covered in the next section.
After payment was successful, the charging station performs insulation checks on the charging cable.
Afterwards, the precharge procedure is initiated.
During precharge, the charging station supplies a voltage to the charging cable, without the main battery contactor relay being closed in the vehicle.
The precharging procedure makes sure the voltage present at the cable matches the battery voltage, reducing inrush current and reducing wear on the contactor relay.
After precharging the main charge loop is initiated, consisting of two packets used repeatedly: \verb'CurrentDemandReq' and \verb'CurrentDemandRes'.
The first one is sent by the vehicle to request a specific voltage and current flowing into the vehicle's battery.
The latter one is sent by the charging station, informing the vehicle about the currently measured voltage and current as well as the charging station's limits.
For example, the car might request a voltage of $369\,\mathrm{V}$ and a maximum current of $400\,\mathrm{A}$, resulting in a desired charging power of $148\,\mathrm{kW}$.
While the voltage has to be met, depending on the charging station's maximum output power the current might be lower than the requested value, resulting in a slower charging speed.
This main charge loop is repeated until one of the two parties terminates the charging session, opening the main contactor and disabling all current flowing into the battery.
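The V2GTP framing and the service discovery exchange described in this section, as an added example that is not part of the original paper: a receiver-side check of the 8-byte V2GTP header before any payload reaches the EXI decoder. The header layout, payload type values and SDP field encoding are taken from ISO 15118-2; the payload cap and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define V2GTP_HDR_LEN  8u       /* version, ~version, type (2), length (4) */
#define V2GTP_EXI      0x8001u  /* EXI-encoded V2G message, sent over TCP */
#define V2GTP_SDP_REQ  0x9000u  /* service discovery request, sent over UDP */
#define V2GTP_SDP_RES  0x9001u  /* service discovery response, sent over UDP */
#define V2GTP_MAX_LEN  4096u    /* assumed local cap, not from the standard */

enum v2gtp_status { V2GTP_OK, V2GTP_SHORT, V2GTP_BAD_VERSION,
                    V2GTP_BAD_TYPE, V2GTP_BAD_LENGTH };

struct v2gtp_frame { uint16_t type; uint32_t length; const uint8_t *payload; };

/* Validate the header; on success 'out' points into 'buf' (no copy). */
enum v2gtp_status v2gtp_parse(const uint8_t *buf, size_t len,
                              struct v2gtp_frame *out)
{
    if (len < V2GTP_HDR_LEN)
        return V2GTP_SHORT;
    if (buf[0] != 0x01 || buf[1] != (uint8_t)~buf[0])
        return V2GTP_BAD_VERSION;   /* byte 1 is the inverted version byte */
    uint16_t type = (uint16_t)((buf[2] << 8) | buf[3]);
    uint32_t plen = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                    ((uint32_t)buf[6] << 8) | buf[7];
    if (type != V2GTP_EXI && type != V2GTP_SDP_REQ && type != V2GTP_SDP_RES)
        return V2GTP_BAD_TYPE;
    /* SDP payloads are fixed size: request 2 bytes, response 20 bytes. */
    if ((type == V2GTP_SDP_REQ && plen != 2) ||
        (type == V2GTP_SDP_RES && plen != 20) ||
        plen > V2GTP_MAX_LEN ||
        plen > len - V2GTP_HDR_LEN)
        return V2GTP_BAD_LENGTH;
    out->type = type; out->length = plen; out->payload = buf + V2GTP_HDR_LEN;
    return V2GTP_OK;
}

/* SDP request byte 0 is the security field: 0x00 = TLS, 0x10 = no TLS. */
int sdp_request_offers_tls(const struct v2gtp_frame *f)
{
    return f->type == V2GTP_SDP_REQ && f->length == 2 && f->payload[0] == 0x00;
}

/* Constructed sample: SDP request asking for TCP without TLS. */
const uint8_t SAMPLE_SDP_REQ[] = { 0x01, 0xFE, 0x90, 0x00,
                                   0x00, 0x00, 0x00, 0x02, 0x10, 0x00 };
```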
\section{ISO15118 Connections Overview}
% connection from charging station to EVCC & battery
% should make clear that there is direct access to the battery
\section{Bidirectional wallboxes}
Wallboxes are devices used for connecting electric vehicles to the grid.
Traditionally wallboxes are only used for charging, not discharging vehicles.
While their components are similar to full blown charging stations, they usually do not come with means for accurate metering and payment.
Thus their primary difference to charging stations is their use at residential buildings and offices.
As of today, a small number of companies are developing bidirectional wallboxes.
In theory there are two options, differing in the kind of energy provided to the vehicle.
Bidirectional AC wallboxes work similarly to unidirectional AC wallboxes, where the AC to DC conversion is performed by the onboard charge controller of the vehicle.
The wallbox acts as a simple one or three phase AC plug with added connectivity.
As wallboxes of this kind are usually based on ISO15118-20, they communicate with the vehicle, commanding it to drain or feed in power on the AC lines at a specific rate.
Thus wallboxes of this kind have no special V2L electronics, but rather act as a communication bridge between the house and the vehicle.
DC bidirectional wallboxes however have to perform the conversion from DC power taken from the battery to AC power delivered to the grid and vice versa.
While the required power electronics make DC wallboxes significantly more expensive, they are currently the only available models.
The simple reason for this is missing and unclear regulation regarding vehicles feeding power into the grid, as well as most vehicles today being unable to provide AC power to an existing grid.
\section{Discharging vehicles using ISO15118-2}
Bidirectional charging was introduced in ISO15118-20.
In theory, older vehicles which only support -2 or the old DIN SPEC standard and do not support the new -20 standard do not support discharging.
With -2 charging, the vehicle reports a voltage and current demand to the charging station; the charging station then has to provide the requested voltage and can provide a current up to the given maximum transmitted by the vehicle.
In reality this means when following the standard, there is no way for the vehicle to signal a maximum discharge current.
For a rogue charging station it is however still possible to drain energy because of the electrical details of DC fast charging:
After the ISO15118-2 connection has been established and the initialization steps have been passed successfully, the vehicle directly connects the battery to the DC poles of the charge port, giving the charging station direct access to the battery.
This is normally done because the power converters of stationary fast charging stations are more powerful than the power converters included in the car, allowing higher charging powers to be reached.
With direct access to the battery a rogue charging station can not only charge, but potentially also discharge the battery of the vehicle.
While in theory vehicles could detect this abnormal behaviour of a rogue charging station by measuring the direction of current flow, our tests show that today's vehicles do not immediately prevent charging stations from discharging their batteries.
Our tests show that some vehicles cancel the charging session after a significant amount of energy has been drained from the battery.
The attacker can however simply restart the charging process and continue discharging the battery.
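The current-direction check mentioned above, sketched as vehicle-side logic in an added example that is not part of the original paper or of any vehicle's firmware. It aborts a session on sustained reverse current and, because a session can simply be restarted, keeps the drained-energy total across sessions and refuses further DC sessions once a budget is used up. The sign convention, units, thresholds and all names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed sign convention: positive current flows INTO the battery. */
enum guard_verdict { GUARD_OK, GUARD_ABORT_SESSION, GUARD_LOCKED };

struct discharge_guard {
    int32_t  noise_ma;    /* reverse current tolerated as sensor noise */
    uint32_t max_run;     /* consecutive reverse samples before abort */
    int64_t  budget_uj;   /* energy allowed to leave the pack, in uJ */
    uint32_t run;         /* reverse samples seen in a row */
    int64_t  drained_uj;  /* cumulative drain, NOT reset by a new session */
    bool     locked;      /* DC sessions refused until cleared by the owner */
};

void guard_init(struct discharge_guard *g, int32_t noise_ma,
                uint32_t max_run, int64_t budget_uj)
{
    g->noise_ma = noise_ma; g->max_run = max_run; g->budget_uj = budget_uj;
    g->run = 0; g->drained_uj = 0; g->locked = false;
}

/* Call before closing the contactor; a restart does not clear the history. */
bool guard_session_start(struct discharge_guard *g)
{
    g->run = 0;
    return !g->locked;
}

/* Feed one measurement: pack voltage in V, current in mA, interval in ms. */
enum guard_verdict guard_sample(struct discharge_guard *g, uint32_t volt_v,
                                int32_t cur_ma, uint32_t dt_ms)
{
    if (g->locked)
        return GUARD_LOCKED;
    if (cur_ma >= -g->noise_ma) {   /* charging, or reverse within noise */
        g->run = 0;
        return GUARD_OK;
    }
    g->run++;
    /* V * mA * ms yields microjoules */
    g->drained_uj += (int64_t)volt_v * -(int64_t)cur_ma * (int64_t)dt_ms;
    if (g->drained_uj >= g->budget_uj) {
        g->locked = true;
        return GUARD_LOCKED;
    }
    return g->run >= g->max_run ? GUARD_ABORT_SESSION : GUARD_OK;
}
```

On `GUARD_ABORT_SESSION` or `GUARD_LOCKED` the caller is expected to open the main contactor; how the lock is cleared again is left to the integrator.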
\section{Threat and Attacker Models}
% copy some from https://doi.org/10.1007/s00450-017-0342-y
% additional discharge specific
\section{Vehicle Compatibility Test Procedure}
% explain Dr. Cunnigunde
% explain test procedure
% 1. plug in
% 2. check voltage (HV without communication?)
% 3. SLAC/SDP/ISO15118 cycle without precharge
% 4. SLAC/SDP/ISO15118 cycle with 100V DC precharge
% 5. SLAC/SDP/ISO15118 cycle with correct precharge
% 6. SLAC/SDP cycle with TLS enforcing
% record values:
% - precharge voltage
% - precharge capacitance
% - min/max voltages
% - supported protocols (DIN Spec, ISO15118-2, ISO15118-20)
% - battery capacity
% - supports TLS? (in the SDP request)
% - supports discharge?
% - aborts on discharge?
\section{Vehicle Compatibility}
% TODO create table with data from dresden + more
\section{Concept for a bidirectional wallbox using off-the-shelf components}
Internally a bidirectional charging station uses the DC charging port of an electric vehicle.
Since in DC charging and discharging scenarios, the wallbox is directly connected to the vehicle battery, the wallbox itself controls the current flowing from or into the battery.
From an electrical perspective this DC connection between wallbox and battery is identical to traditional second-life applications, with the only difference being that the communication standards used are based on ISO15118 rather than proprietary in-vehicle bus systems.
A bidirectional wallbox thus consists of three major components:
\begin{itemize}
\item A battery charger capable of transforming AC energy from the grid to DC energy for charging the battery.
\item An inverter capable of transforming the DC energy from the battery to grid synchronized AC energy.
\item A communication and control logic handling communication with the vehicle, as well as controlling the charger and inverter components.
\end{itemize}
Since the first two components required are identical to traditional second-life applications, our prototype uses the same hardware as the battery emulator~\cite{battery_emulator} described in section \ref{sec:secondlifesolutions}.
While this battery emulator uses a CAN to Modbus adapter PCB, our prototype requires additional hardware implementing the low level resistor communication as well as the high level powerline based communication described in section \ref{sec:iso15118}.
The Fronius inverters used are currently available from 900€ (3kW) up to 1800€ (10kW). Together with wiring and communication hardware the cost for our prototype lands around 2500€, which is still significantly cheaper than all DC wallboxes available on the market today.
\section{Accessing the charge port}
% problem: charge port not accessible (closed)
% options: (a) break open, (b) broken wire attack to stop charge (c) break open the charge port
\section{Conclusion}
\section*{Acknowledgment}
This work was created in the research project \enquote{Elektromobiles Sicheres Laden} (ESiLa) funded by the Bavarian Ministry of Economic Affairs, Regional Development and Energy under grant DIK0512/01.
\printbibliography
\end{document}