Security Flaws in Public EV Chargers Could Allow Attackers to Disable Entire City Networks

Researchers demonstrate vulnerability at Black Hat Asia, warning that convenience is trumping cybersecurity in IoT infrastructure

By Zotpaper
Security researchers presenting at Black Hat Asia have demonstrated that weak cybersecurity practices in public electric vehicle charging networks and shared e-bike systems could allow attackers to disable entire fleets of devices across a city, raising urgent concerns about the resilience of fast-expanding urban IoT infrastructure.

Public EV charging networks and shared micromobility services are leaving themselves dangerously exposed to large-scale denial of service attacks by prioritising user convenience over robust security design, according to research presented at the Black Hat Asia security conference.

Researchers demonstrated the vulnerabilities using systems deployed in China, but cautioned that the underlying design flaws are likely common to similar infrastructure worldwide. The findings spotlight a growing tension in the Internet of Things sector: the pressure to make connected services frictionless for consumers frequently comes at the expense of the security controls needed to protect them.

The attack scenarios outlined at the conference suggest that a sufficiently motivated adversary — whether a criminal group, a disgruntled individual, or a state-sponsored actor — could exploit these weaknesses to simultaneously knock out public charging stations across an urban area. For cities increasingly dependent on EV infrastructure to meet climate and transport goals, such an outage could have cascading consequences for commuters, delivery services, and emergency response vehicles.

Shared e-bikes and other rented IoT devices face similar risks, according to the researchers, with weak authentication and insufficient network segmentation identified as recurring problems across platforms.

The disclosure follows years of warnings from the cybersecurity community that the rapid commercialisation of IoT devices has consistently outpaced efforts to secure them. Manufacturers and platform operators have often treated security as a secondary concern, implementing minimal protections in order to reduce costs and speed deployment.

The researchers did not publicly name specific vendors affected, a common practice in responsible disclosure designed to give companies time to address vulnerabilities before details are made widely available. It remains unclear whether the relevant operators have been notified or have begun remediation work.

The findings add to a growing body of evidence that critical urban infrastructure — ranging from traffic management systems to power grids — faces meaningful cybersecurity risks as cities integrate more connected technology into everyday services. Security experts have long argued that governments need to establish and enforce minimum security standards for IoT devices used in public-facing roles, rather than leaving protection to the discretion of individual vendors.

§

Analysis

Why This Matters

  • Public EV charging infrastructure is expanding rapidly in cities worldwide; a successful large-scale attack could disrupt transport networks, strand EV drivers, and undermine public confidence in the technology at a critical moment for electrification policy.
  • The vulnerability class described — convenience-driven design that sacrifices security — is endemic across the IoT sector, meaning the risk extends well beyond EV chargers to smart city systems broadly.
  • Governments and regulators are under increasing pressure to mandate baseline cybersecurity standards for connected infrastructure before attacks, not after them.

Background

The Internet of Things security problem is not new. As far back as 2016, the Mirai botnet demonstrated how poorly secured connected devices — in that case, home routers and cameras — could be weaponised at massive scale to take down major internet services. Despite widespread alarm, the market largely failed to self-correct, and successive waves of IoT devices have shipped with inadequate protections.

EV charging networks represent a newer frontier. The global push to electrify transport has seen rapid deployment of public chargers, often managed by startups and platform operators prioritising growth over security maturity. Regulatory frameworks in most jurisdictions have not kept pace, with few mandatory security requirements for EV charging hardware or the software platforms managing them.

China has emerged as one of the world's largest markets for both public EV charging and shared micromobility, making it a natural test bed — but the research community has consistently warned that the same architectural weaknesses are replicated in Western markets.

Key Perspectives

Security researchers: The demonstrated vulnerabilities represent a systemic design failure, not isolated bugs. Operators must adopt security-by-design principles and independent auditing from the outset, rather than bolting on protections after deployment.

IoT operators and EV charging companies: Industry representatives have generally argued that the threat landscape for physical charging infrastructure differs from high-value targets like financial systems, and that implementing stronger security adds cost and friction that can slow adoption of green transport.

Critics/Skeptics: Security analysts counter that the "low-value target" assumption is precisely the thinking that makes IoT infrastructure attractive to attackers seeking to cause disruption at scale. They warn that without regulatory intervention, market incentives will continue to favour convenience over security.

What to Watch

  • Whether affected vendors identified in the research issue patches or public statements following the Black Hat Asia disclosure.
  • Regulatory developments in the EU, UK, US, and Australia around mandatory cybersecurity standards for public EV charging infrastructure, particularly as EV adoption targets tighten.
  • Any real-world incidents involving coordinated disruption of EV charging networks, which would validate the researchers' threat model and likely accelerate policy responses.

Sources

Zotpaper

Articles published under the Zotpaper byline are synthesized from multiple source publications by our AI editor and reviewed by our editorial process. Each story combines reporting from credible outlets to give readers a balanced, comprehensive view.