Welcome to Shenzhen Xincheng Technology Co., Ltd.

Industry News

If OCPP communication is intercepted by a man-in-the-middle, could the attacker start charging remotely and steal electricity?

If OCPP communication is intercepted by a man-in-the-middle (MITM) attack, there is indeed a risk of remote charging activation and electricity theft, but only in improperly configured OCPP 1.6J deployments. OCPP 2.0.1 fundamentally blocks such attacks through three mechanisms: mutual TLS 1.3, certificate pinning, and security event reporting.

1. Attack Path: How MITM Steals Electricity

Scenario 1: A fake platform issues a start instruction

  • The attacker hijacks DNS or performs ARP spoofing to trick the charging pile into connecting to a forged platform. The pile accepts the forged platform's start instruction as legitimate authorization, completes the StartTransaction exchange, and begins charging, with the cost billed to the victim's account or a stolen payment card.

Scenario 2: Session replay attack

  • The attacker intercepts a StartTransaction message from the legitimate platform and replays it after the owner has left the vehicle. A charging station that does not verify the timestamp or sequence number initiates charging again.

Scenario 3: Firmware tampering and backdoor implantation

  • The attacker exploits an unsigned firmware upgrade channel to implant malicious firmware that activates charging automatically under specific conditions (such as at night) and steals electricity over an extended period.

2. Vulnerabilities of OCPP 1.6J

Plaintext transmission risk

  • Some 1.6J implementations use plaintext WebSocket (ws:// instead of wss://), which exposes every message directly and lets an attacker read, tamper with, and inject instructions without breaking any encryption.

The blind spot of one-way TLS

  • Even if TLS 1.2 is enabled, when only the client verifies the server certificate (one-way TLS), an attacker can pass verification with any domain certificate issued by a legitimate CA, and the platform has no way to tell whether the peer is genuine.

Missing security mechanisms

  • No certificate pinning, so the trust anchor can be replaced;

  • No message signatures, so there is no defense against replay attacks;

  • No security event reporting, so the platform remains unaware after an attack has occurred.

3. The defense system of OCPP 2.0.1

Mutual TLS 1.3 (mTLS)

  • The pile and the platform verify each other's X.509 certificates, and each private key is stored in a secure chip from which it cannot be exported. An attacker cannot forge both certificates at once, and the mismatch is detected as soon as a connection is attempted.

Certificate pinning

  • The pile firmware ships with the platform certificate's public-key fingerprint pre-installed and compares it on every connection; any mismatch raises an immediate alarm and switches the pile into offline protection mode, blocking certificate-chain attacks.
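
The contrast between the one-way TLS blind spot of section 2 and the mutual TLS plus certificate pinning described above, as an added Python example that is not part of the original article or of Xincheng's firmware. It uses only the standard `ssl`, `hashlib` and `hmac` modules; the certificate file paths are hypothetical, and the certificate used for the pinning check is a constructed minimal DER skeleton (not a real certificate) so the check can run offline. The pin is the SHA-256 of the SubjectPublicKeyInfo, which survives certificate renewal with the same key.

```python
import hashlib
import hmac
import ssl


# ---- TLS policy: one-way TLS (the 1.6J blind spot) versus mutual TLS 1.3 (2.0.1) ----

def one_way_server_context():
    """Platform-side context of a one-way TLS deployment: the platform proves its own
    identity but never asks the pile for a certificate, so any client is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE          # the weak setting
    return ctx


def mutual_tls_server_context(ca_file=None, cert_file=None, key_file=None):
    """Platform-side context that requires the pile's X.509 certificate over TLS 1.3.
    File paths are hypothetical; pass None to build the policy without loading files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED      # handshake fails unless the pile presents a cert
    if ca_file:
        ctx.load_verify_locations(ca_file)   # CA that issued the pile certificates
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def pile_client_context(ca_file=None):
    """Pile-side context: verifies the platform certificate and hostname, TLS 1.3 only."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


# ---- Certificate pinning: compare the SubjectPublicKeyInfo fingerprint to the pinned value ----

def der_tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed sample certificate)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; returns (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split a SEQUENCE body into (tag, raw TLV) pairs."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, _, nxt = _read_tlv(seq_value, pos)
        out.append((tag, seq_value[pos:nxt]))
        pos = nxt
    return out


def extract_spki(der_cert):
    """Return the raw SubjectPublicKeyInfo TLV from a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(der_cert, 0)      # Certificate ::= SEQUENCE
    _, tbs_raw = _children(cert_body)[0]           # tbsCertificate
    _, tbs_body, _ = _read_tlv(tbs_raw, 0)
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_sha256(der_cert):
    return hashlib.sha256(extract_spki(der_cert)).hexdigest()


def pin_matches(der_cert, pinned_fingerprint):
    """Pinning check the pile runs at connection time (constant-time comparison)."""
    return hmac.compare_digest(spki_sha256(der_cert), pinned_fingerprint)


def build_sample_cert(spki):
    """Constructed, minimal DER certificate skeleton for testing; not a real certificate."""
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # version v3
           + der_tlv(0x02, b"\x01")                  # serialNumber
           + der_tlv(0x30, b"") * 4                  # signature, issuer, validity, subject (empty placeholders)
           + spki)                                   # subjectPublicKeyInfo
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


# Constructed sample key material (not real keys); the pinned value is what the pile ships with.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00" + b"\x11" * 32))
PLATFORM_CERT = build_sample_cert(SAMPLE_SPKI)
PINNED_FINGERPRINT = spki_sha256(PLATFORM_CERT)
```

`pin_matches` is meant to run in the pile's connection routine after the TLS handshake, on the DER certificate the platform presented; a `False` result is where the article's alarm and offline protection mode would be triggered. The one-way server context above is shown only to make the weak setting visible beside the corrected one.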

Message Security Extension

  • JSON Web Signature (JWS): each message carries a digital signature that becomes invalid if the message is tampered with;

  • Sequence number and timestamp: replayed messages are discarded as expired or duplicate;

  • Security event notification: abnormal behavior is reported to the platform in real time, triggering certificate revocation or a device ban.
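
The three message-level checks listed above, applied to an OCPP-J CALL frame, as an added Python example that is not part of the original article or of any OCPP library. It assumes a compact JWS over the frame with HS256 (an HMAC shared key, chosen so the example runs on the standard library alone; a real deployment would use an asymmetric JWS algorithm tied to the platform certificate), a constructed demo key, and constructed payloads for the 2.0.1 actions `RequestStartTransaction` and `RequestStopTransaction`. Every rejected message is recorded as a security event, which is the input to the reporting described in the third bullet.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared key standing in for the platform's signing key (assumption: HS256 is
# used here so the example needs no third-party library).
PLATFORM_KEY = b"constructed-demo-signing-key"
MAX_SKEW_SECONDS = 30   # freshness window for the timestamp check


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_call(key, seq, issued_at, action, payload):
    """Platform side: wrap an OCPP-J CALL frame [2, uniqueId, action, payload] in a
    compact JWS whose claims carry a sequence number and an issue timestamp."""
    frame = [2, f"msg-{seq}", action, payload]
    header = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps({"seq": seq, "iat": issued_at, "frame": frame},
                                separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header}.{claims}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class ChargePointReceiver:
    """Pile side: accept a CALL only if signature, freshness and ordering all check out;
    every rejection is recorded as a security event for reporting to the platform."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now            # injectable clock so the checks are testable offline
        self.last_seq = 0
        self.seen_ids = set()
        self.security_events = []

    def verify(self, token):
        """Return (True, frame) for an accepted CALL or (False, reason) for a rejected one."""
        try:
            header_b64, claims_b64, sig_b64 = token.split(".")
            header = json.loads(_unb64url(header_b64))
            if header.get("alg") != "HS256":          # never let the sender choose the algorithm
                return self._reject("UnsupportedAlgorithm")
            expected = hmac.new(self.key, f"{header_b64}.{claims_b64}".encode(),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64url(sig_b64)):
                return self._reject("InvalidSignature")   # forged platform or tampered frame
            claims = json.loads(_unb64url(claims_b64))
            seq, issued_at, frame = claims["seq"], claims["iat"], claims["frame"]
            unique_id = frame[1]
        except (ValueError, KeyError, TypeError, IndexError, AttributeError):
            return self._reject("MalformedMessage")
        if abs(self.now() - issued_at) > MAX_SKEW_SECONDS:
            return self._reject("ExpiredMessage")         # stale replay
        if seq <= self.last_seq or unique_id in self.seen_ids:
            return self._reject("ReplayedMessage")        # duplicate or out-of-order
        self.last_seq = seq
        self.seen_ids.add(unique_id)
        return True, frame

    def _reject(self, reason):
        # Security event record; a real pile would send this to the platform immediately.
        self.security_events.append({"type": reason, "timestamp": self.now()})
        return False, reason
```

Because the signature is checked before the claims are parsed, a forged platform without the key never reaches the sequence or timestamp logic, and a replayed-but-genuine frame is caught by the sequence counter even though its signature is valid. The `security_events` list is the local record the pile would forward in its event notifications.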

4. The last line of defense at the motherboard level

Even if the communication layer is breached, a qualified motherboard still provides hardware protection:

  • Independent safety core: the relay driver is controlled by a dedicated MCU isolated from the communication CPU, and network instructions must be validated by the local state machine (CC/CP detection, user authorization records);

  • Physical locking: during charging, the electromagnetic lock holds the gun head, and forcibly pulling out the gun triggers an emergency stop;

  • Power hard limit: the power on the motherboard nameplate is set by hardware resistors and cannot be exceeded by firmware.
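
The gating of a network start instruction by the local state machine, as an added Python model that is not part of the original article or of any Xincheng motherboard firmware. It assumes IEC 61851-1 control-pilot state labels, a 7 kW nameplate value and a demo tag, all chosen for illustration; the point it shows is that the relay only closes when CP detection and the local authorization record agree, the requested power is clipped to the nameplate limit, and losing the vehicle on the pilot line while the relay is closed forces an emergency stop.

```python
from enum import Enum


class CPState(Enum):
    """Control-pilot states as seen by the safety core (IEC 61851-1 labels, assumed here)."""
    A = "no vehicle"
    B = "vehicle connected"
    C = "vehicle ready to charge"
    E = "error"


class SafetyCore:
    """Model of the dedicated safety MCU: the relay closes only when the local state
    machine agrees, whatever the communication CPU forwards from the network."""

    def __init__(self, nameplate_kw):
        self.nameplate_kw = nameplate_kw   # hardware limit; firmware cannot raise it
        self.cp_state = CPState.A
        self.authorized_tag = None
        self.relay_closed = False
        self.lock_engaged = False
        self.power_kw = 0.0
        self.log = []

    def sense_cp(self, state):
        """Called by the pilot-line detector; losing state C mid-charge is an emergency stop."""
        self.cp_state = state
        if self.relay_closed and state is not CPState.C:
            self.emergency_stop(f"CP state left C while relay closed (now {state.name})")

    def record_authorization(self, tag):
        """Local authorization record written after the user's own identification."""
        self.authorized_tag = tag

    def request_start(self, tag, requested_kw):
        """Start request forwarded by the communication CPU (a network instruction).
        Returns (accepted, reason); the network command alone never closes the relay."""
        if self.cp_state is not CPState.C:
            return self._refuse(f"no vehicle ready to charge (CP state {self.cp_state.name})")
        if tag is None or tag != self.authorized_tag:
            return self._refuse("no matching local authorization record")
        self.power_kw = min(requested_kw, self.nameplate_kw)   # hard limit, clipped
        self.lock_engaged = True                                # lock the gun head first
        self.relay_closed = True
        self.log.append(f"start accepted for {tag} at {self.power_kw} kW")
        return True, "started"

    def emergency_stop(self, reason):
        self.relay_closed = False
        self.power_kw = 0.0
        self.lock_engaged = False
        self.log.append(f"emergency stop: {reason}")

    def _refuse(self, reason):
        self.log.append(f"start refused: {reason}")
        return False, reason
```

In this model a start instruction that arrives over the network with no vehicle on the pilot line, or with a tag the pile never authorized locally, is refused and logged, which is the property the independent safety core is meant to guarantee regardless of what happened on the communication side.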

5. One-sentence summary

MITM electricity theft exists in OCPP 1.6J plaintext or one-way TLS scenarios, but the mutual authentication, certificate pinning, and message signatures of OCPP 2.0.1 fundamentally block it; the safety-core isolation and physical locking at the motherboard level of the charging pile are the last line of defense, which network attacks cannot cross. Once 2.0.1 becomes mandatory after 2026, such attacks will become history.

The communication charging pile motherboards produced by Xincheng Technology are of high quality at an attractive price. Inquiries and purchases are welcome!