
Flaws in EV Charger Security Expose Cities to Denial-of-Service Attacks


At Black Hat Asia, Hetian Shi of Tsinghua University typed an EV-charger ID into a script fed by a tool he built, and — within a second or two — the app’s green “available” icon for that port turned grey. The audience applauded.

Hetian Shi’s demonstration at Black Hat Asia

Shi, identified in the source material as a hardware and IoT security researcher at Tsinghua University, presented his findings on Friday at the Black Hat Asia conference. With permission for his probes and ethical disclosure of results, he used an iOS app for a Chinese public electric-vehicle charging provider to demonstrate a practical interruption of service. He asked the audience to nominate a Chinese city (Shanghai was the popular choice), located chargers in People’s Square, selected an available port, entered its ID into a script and watched the app change the charger’s icon from green (available) to grey (disabled).

IDScope: the tool and the attack path demonstrated

Shi said he developed a tool called “IDScope” to automate exploitation of the vulnerabilities he found. In the demonstration, IDScope drove a script that referenced a charger’s ID from the provider’s app; within seconds the app showed the targeted port as disabled. Shi told the conference he believes the same technique can be used to deny service at scale, potentially affecting an entire city’s network of EV chargers. The demonstration drew spontaneous applause from audience members, including those from Chinese-speaking regions; the app presented in the demo was in Chinese and, as the correspondent covering the talk noted, they could not read it.

Firmware and backend failures: UART/debug ports, shared keys, weak authentication

Across rentable IoT devices — examples cited include public EV chargers and shared e-bikes/scooters — Shi reported finding hardware and software weaknesses that eased inspection and exploitation. He discovered rentable devices that included either a debugging port or a UART connector that simplifies examination for an educated attacker. His probes yielded evidence of shared authentication keys stored in device firmware and backend services that did not properly authenticate users. Shi said those combined failures made it possible to create “phantom clients” that the providers’ services could not distinguish from legitimate customers, enabling attackers to charge cars or rent scooters at zero cost and to expose personal information by compromising back-end systems.
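The following is an added example, not code from Shi's talk, IDScope or any provider. It models a hypothetical backend that authenticates charger status reports with HMAC, to show why one firmware-stored key shared across a fleet lets a key read from a single device speak for every other device, and how per-device keys confine that. The message format, key names and device IDs are assumptions.

```python
import hashlib
import hmac

# Constructed secrets for this sketch; real keys belong in an HSM or KMS.
SHARED_FLEET_KEY = b"constructed-fleet-wide-key"    # same bytes in every firmware image
MASTER_KEY = b"constructed-backend-master-key"      # never leaves the backend


def tag(key: bytes, device_id: str, status: str, counter: int) -> bytes:
    """HMAC-SHA256 over a length-prefixed encoding of one status report."""
    msg = f"{len(device_id)}:{device_id}|{status}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def device_key(device_id: str) -> bytes:
    """Per-device key derived from the master key and the device ID."""
    return hmac.new(MASTER_KEY, b"device-key|" + device_id.encode(),
                    hashlib.sha256).digest()


class Backend:
    """Hypothetical status service; per_device_keys selects weak or hardened mode."""

    def __init__(self, per_device_keys: bool):
        self.per_device_keys = per_device_keys
        self.status = {}
        self.last_counter = {}

    def report(self, device_id: str, status: str, counter: int, mac: bytes) -> bool:
        key = device_key(device_id) if self.per_device_keys else SHARED_FLEET_KEY
        if not hmac.compare_digest(tag(key, device_id, status, counter), mac):
            return False                      # wrong key for this device ID
        if counter <= self.last_counter.get(device_id, -1):
            return False                      # replayed or stale report
        self.last_counter[device_id] = counter
        self.status[device_id] = status
        return True


def phantom_report_accepted(per_device_keys: bool) -> bool:
    """A key held by charger-A is used to sign a report naming charger-B."""
    backend = Backend(per_device_keys)
    held = device_key("charger-A") if per_device_keys else SHARED_FLEET_KEY
    forged = tag(held, "charger-B", "disabled", 1)
    return backend.report("charger-B", "disabled", 1, forged)
```

With the shared key the backend cannot tell which device signed a report; with derived keys, a key recovered from one unit is only valid for that unit's ID and can be revoked individually.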

Tests beyond China: European apps and wider applicability

Shi did not confine his testing to Chinese providers. He reported testing 11 iOS apps published by European providers of shared bikes and scooters and said the results suggested the techniques and flaws he found are likely applicable outside China. The account of the talk records his explanation for why such flaws arise: “Shi theorized that the flaws he found are the result of developers trying to build services that users find convenient, at the expense of security.”

What this means for technologists, policymakers, and end users

  • Technologists and security teams: The finding that devices expose UART/debugging access and store shared authentication keys in firmware signals a need to inventory device-level access paths and review firmware/key-handling practices. The presence of backend services that don’t properly authenticate users points to gaps in API and session controls that defensive teams will want to validate.
  • Policymakers and regulators: Demonstrations that denial-of-service-style interruptions can be mounted against public EV chargers and rentable micro-mobility fleets raise questions about operational resilience for public infrastructure and services that municipal authorities rely on. The researcher’s claim that an entire city’s chargers could be taken out at scale frames potential public-safety and consumer-protection considerations.
  • End users and operators of rentable services: Shi’s work showed practical consequences for consumers (chargers appearing disabled, phantom clients enabling free rentals) and for operators (exposure of customer personal information). Operators who prioritize convenience in apps and device deployments may inadvertently widen attack surfaces that affect availability and privacy.

Shi’s demonstration and his published tool, IDScope, turned an abstract risk — rented IoT devices being easy to inspect and tamper with — into a visible, repeatable action on a public app. He said the flaws he found stem from design choices favoring ease of use, and his tests across Chinese and European providers suggest the problem is not geographically isolated. The concrete next step the demonstration implies is straightforward: device and service operators must treat accessible hardware ports, stored firmware keys, and backend authentication as active attack surfaces rather than benign convenience features.

Source: The Register — Weak security means attackers could disable all of a city's public EV chargers