Electric Vehicle Charger Security Risks: How Vulnerabilities Could Lead to Fire Hazards

August 26, 2025
CyberThreat Research Lab

By Philippe Lin

A simple electric vehicle (EV) charger can become a fire hazard in your garage. Researchers from Trend Zero Day Initiative™ (ZDI), Jonathan Andersson and Thanos Kaliyanakis, revealed this risk during their session, “Peril at the Plug: Investigating EV Charger Security and Safety Failures” at Black Hat USA 2025. Their findings showed that the blind trust between EV chargers and vehicles can cause chargers to operate far beyond their designed safety limits – resulting in the charging cables overheating and, in some cases, bursting into flames.

A flawed digital handshake

When you plug a charging cable into your EV, a digital “handshake” takes place. During this exchange, the charger and the vehicle negotiate the charging speed, specifically the amount of current the car is allowed to draw. The charger announces its maximum capacity, and the car signals agreement by using pulse width modulation (PWM) to set the rate.

The vulnerability lies here: the charger inherently trusts the vehicle’s side of the conversation, and this trust can be exploited as PWM signals can be hijacked by malicious actors or disrupted via electromagnetic interference and other periodic sources.

To demonstrate the risk, the researchers tested eight EV chargers, including those that had been previously featured in the Pwn2Own Automotive contests such as the Autel MaxiCharger (Maxi US AC W12-L-4G), ChargePoint Home Flex (Model CPH50), WOLFBOX Level 2 EV Charger, Ubiquiti Connect EV Station, Enel X Way JuiceBox 40, Tesla Wall Connector, and Emporia EV Charger Level 2. They wanted to observe what would happen if a compromised charger was forced to operate beyond its designed current limit.

Using a custom-built 27.5kW test fixture, which costs about $5,000, they instructed each charger to deliver 80 amps of current, the maximum possible for a Level 2 charger. While this current is acceptable for many modern EVs, the tested chargers were rated only for 40A or 48A. All of them attempted to supply the full 80A anyway.

The result: all tested chargers delivered 220V at 80A (~16kW), causing their charging cables to enter thermal runaway. With temperatures soaring to 177°C (350°F), several cables overheated, melted, and burst into flames. None of the chargers had hardware-based overcurrent protection, and one even provided false telemetry, reporting a much lower current draw while it was actively overheating.

Figure 1. The charging cable of an EV charger burst into flames after the device exceeded its rated current, triggering a thermal runaway. 
Image courtesy of Trend Zero Day Initiative™ (ZDI)


Compliance is not enough

All the tested chargers, as well as the household circuit breakers typically installed to protect them, were compliant with national and international standards. At first glance, this should mean these devices are safe. However, the researchers’ findings show that compliance doesn’t necessarily guarantee protection against every potentially hazardous scenario.

For example, under the National Electrical Code’s “80% rule,” which requires continuous loads such as EV chargers to draw no more than 80% of a circuit’s rated capacity, a 48A charger is typically installed on a 60A circuit breaker. In the researchers’ test scenario, forcing the charger to draw 80A would eventually trip this breaker, but only after an hour. This is a risky window when a charging cable can overheat and ignite, especially if the EV is plugged in overnight.

An overcurrent situation not only causes the charging cable to catch fire but also risks damaging the EV itself, underscoring why automotive cybersecurity must also account for physical safety impacts when compromised systems can lead to real-world hazards.
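The sketch below is an added illustration, not code from the researchers or from VicOne. It cross-checks a charger's self-reported current against an independent meter on the same circuit and against the continuous-load limit from the 80% rule; the readings, the `tolerance` and `sustain` values, the function names and the presence of an independent meter are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample readings (not from the research): seconds since start,
# amps the charger reports, amps an independent meter measures on the circuit.
SAMPLE_READINGS = [
    (0, 47.5, 47.9),
    (60, 47.8, 48.1),
    (120, 48.0, 79.6),  # charger telemetry stays near 48A while the circuit carries ~80A
    (180, 47.9, 80.2),
    (240, 48.1, 80.0),
]


@dataclass
class Finding:
    t: int
    kind: str
    detail: str


def continuous_limit(breaker_amps):
    """80% rule: a continuous load may draw at most 80% of the breaker rating."""
    return 0.8 * breaker_amps


def audit(readings, rated_amps, breaker_amps, tolerance=2.0, sustain=2):
    """Return findings for telemetry mismatches and sustained overcurrent.

    tolerance (amps) and sustain (consecutive samples) are assumed tuning values.
    """
    limit = min(rated_amps, continuous_limit(breaker_amps))
    findings, over_run = [], 0
    for t, reported, measured in readings:
        # Self-reported telemetry is only trusted when the meter agrees with it.
        if abs(reported - measured) > tolerance:
            findings.append(Finding(t, "telemetry_mismatch",
                                    f"reported {reported}A, measured {measured}A"))
        # Judge overcurrent on the measured value, never on the reported one.
        over_run = over_run + 1 if measured > limit + tolerance else 0
        if over_run == sustain:  # raise once per sustained episode
            findings.append(Finding(t, "sustained_overcurrent",
                                    f"{measured}A exceeds limit {limit}A"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_READINGS, rated_amps=48, breaker_amps=60):
        print(f.t, f.kind, f.detail)
```

On the constructed readings, a 48A charger on a 60A breaker produces a mismatch finding from the third sample onward and one sustained-overcurrent finding at the fourth, long before a breaker with an hour-long trip delay would react.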

Mitigations and safety recommendations

VicOne agrees with the researchers’ call to action that manufacturers should implement hardware-based overcurrent protection circuits that physically prevent EV chargers from exceeding their rated current limits, regardless of what the PWM signal requests. These safeguards would provide a critical layer of safety, independent of software vulnerabilities or protocol misconfigurations.

While manufacturers must address the root cause, EV owners can also take practical steps to improve safety:

  • Disconnect from the network. For maximum security, disconnect home EV chargers from all networks, such as Wi-Fi, Ethernet, Bluetooth, and 4G/5G connections, to reduce their attack surface.
  • Don’t coil the cable. Never leave the charging cable coiled while in use, as this traps heat and accelerates overheating in fault scenarios. Laying the cable on a concrete surface can also help dissipate heat.
  • Shorter is better. While longer cables may be more convenient, shorter ones reduce resistance and lower the risk of heat buildup.
  • Buy 80A. Consider purchasing an EV charger rated for the full 80A protocol capacity and install it on a corresponding 100A circuit breaker to give your setup more safety headroom.

This research is a stark reminder that as devices, including EV chargers, become increasingly connected and software-defined, the ways they can fail also multiply, sometimes unexpectedly. A simple hardware backstop, such as overcurrent protection, is almost always inexpensive, but can provide non-negotiable safety for both users and their vehicles.
