SlideShare a Scribd company logo
1 of 50
We will charge you. How to [b]reach
vendor’s internal network using
electric vehicle charging station
Dmitry Sklyar
@d_skljar
1
Whoami
2
• Application security specialist, Security Assessment
@kl_secservices
• Hardware research
• Reverse engineering
• IoT and ICS protocols
3
Entering the new era
4
Charge Point Home
5
Marketing style
6
Communication scheme
7
Charger – Electric
Vehicle (EV)
interface220V
~
relay
Android application
8
Communications with app
9
Internet
Inactivated state
Activated state
Android application analysis
10
• Uses Bluetooth to communicate
with charger
• “Just works” pairing method
implemented – no PIN code,
passwords, etc.
• HCI logs
• Can be easily collected on
Android
• Can be viewed with Wireshark
• Simple RFCOMM protocol
Commands from HCI log
11
1. Get_version – returns charger’s firmware version
2. Configure – sets maximum allowed current
consumption and charger’s power supply type (plug-in
or hardwired)
3. Get_wifi_networks
4. Connect_to_wifi
5. Register_with_nos – commands charger to send the
information about smartphone’s coordinates and mobile
application account id to the backend server
6. Shutdown_Bluetooth – disables the Bluetooth service
ResetToFactoryDefaultsActivity
12
private void a() {
this.a = new FlashSequence();
if (PermissionUtil.requestCameraPermission(this, true)) {
return;
}
try {
var1_1 = this.a.a();
...
13
Charger
14
Open TCP Ports
15
23 BusyBox telnetd
443 SSL with mutual authentication
55557 SSL with mutual authentication
HW Revision
16
2 boards with separate CU’s
1. Power board –vehicle
signaling interface control,
current measurement
2. Panda board – wireless
communications (mobile app,
backend)
Power board
17
1. MCU, MSP430
TI 6BATG4MSP430 F67691
2. Panda board socket
3. Mechanical relay
TE T92S7D12-12
4. Debug socket
5. LED and photodiode
6. Power plug terminal strip
7. Vehicle outlet terminal
strip
Panda board
18
1. MPU, ARM
Atmel AT91SAM9N12
2. Wireless communication
module
ISM43341-L77
3. Debug socket (JTAG)
4. External DDR RAM 1 GB
Micron 6WM17 D9RZT
5. NAND FLASH 512 MB
Micron 4XD12 NW196
JTAG tool chest
19
Playing with JTAG 1: Reading NAND
20
• Programmed in (every) Atmel MPU
• Contains procedure that reads NAND
pages in fixed buffer in internal
SRAM
• Procedure can be invocated in cycle
with JTAG
BootROM AT91Bootstrap U-Boot Kernel
NAND Layout
21
• Parameter section has proprietary format and
is parsed during device’s boot
• Every parameter produces one file in
/var/config directory
AT91-bootstrap
Linux image 1
UBI opt volume
UBI data volume
Linux image 2
UBI otavdata volume
U-boot
Kernel args
SSH key recovery partition
Kernel v.3.10.0
UBI rootfs volume
Parameter section
Playing with JTAG 2: Root With Telnet
22
• Procedure that verifies the
input password located in
the Busybox
• We can invert result of the
verification by changing the
outlined instruction with
JTAG
Wi-Fi
SSL (ports 443 and 55557)
23
SSL services
24
SSL
HTTP
 stunnel
 mutual authentication
 server s private key encrypted
 Thttpd
 No actual web content
 CGI interface
Telnet
 Busybox
Certificates
25
system.crtca.crt
• Certificate authority • SSL server certificate
• Stored with private key
• Private key is encrypted, but
everything for the decryption is
available
Certificate decryption key
26
• Decryption is done by
stunnel
• Here is the code, that
generates the decryption
key
• We can download the key
from the memory after the
function execution (JTAG)
SSL Bypass
27
WEB
system.crt
Certificates
28
system.crt
ca.crt
Subject:
C = US, ST = CA, O = "Coulomb Technologies, Inc.", OU = Engineering,
CN = 0024b100000265f1.chargepoint.net,
emailAddress = ca@chargepoint.net
X509v3 Authority Key Serial:
B4:9F:86:A8:76:18:8A:33
Serial Number:
B4:9F:86:A8:76:18:8A:33
Subject:
C = US, ST = CA, O = "Coulomb Technologies, Inc.",
OU = Engineering,
CN = ca.chargepoint.net, emailAddress = ca@chargepoint.net
CGI
29
dwnldlogsm
 downloading logs
uploadsm
 uploading
configuration
getsrvr
 misc. commands
Command format
30
rbt|6|253|0024B100000265F1|1519308070|0|1|111|rbt
cmd
tag
seq
num
cmd
unique code
charger’s S/N
timestamp
outlet num
cmd specific
parameters
cmd
tag
Vulnerabilities 1
31
Arbitrary file write in uploadsm
sprintf(path, "%s%s", "/otavdata/", newFilePath);
fopen (path,”wb”);
No verification against “../ sequence in file path
Substring from the input
Vulnerabilities 2
32
OS command injection in uploadsm
Vulnerabilities 3
33
Stack buffer overflow in getsrvr and uploadsm
sscanf(&input,"%[^|]|%d|%d|%16s|%ld|%d|%d|%d|%[^|]|%[^|]|
%s",&v1,%v2,…,&v11)
Input commands are parsed without length checking
ASLR Bypass Details
34
• Stack is executable, but its position is randomized
• ~512 possible positions
• ~350 tries to guess position with 50% prob.
• 2 seconds per try
• 15 minutes in average for successful payload launch
Wi-Fi
SSL (ports 443 and 55557)
Communications with backend
35
Control server communications
36
GET /ws-prod/panda/v1 HTTP/1.1
…
Host: homecharger.chargepoint.com
…
Sec-WebSocket-Protocol: ocpp2.0
Sec-WebSocket-Extensions:
Sec-WebSocket-Version: 13
Backend
Internet
OCPP2.0(ChargePoint edition)
37
• Based on OCPP1.6
• Messages are encapsulated into standard OCPP packets
• Uses encrypted connection (TLS)
• Device’s TLS certificate is the same, that is used as webserver’s
certificate (system.crt)
Stack buffer overflow
38
sscanf(input,"%[^|]|%d|%d|%16s|%ld|%d|%d|%16s|%s",&v1,&v2,&v
3,&v4,&v5,&v6,&v7,&v8,&v9);
Commands have the same format as in the CGI, that leads to
the same vulnerability
ASLR Bypass Details
39
• ~512 possible positions
• ~350 tries to guess position with 50% prob.
• Reboot is occurring every 4 process crashes
• ~1 minute per try
• About 6 hours in average for successful payload launch
• A lot of special effects due to reboots
Wi-Fi
SSL (ports 443 and 55557)
Communications with backend
Way to the vendor’s network
40
sshrevtunnel.sh
41
while true; do
ssh -o "StrictHostKeyChecking no" -o "ExitOnForwardFailure yes"
$REVSYSTEMPORT -N -T -R $REVPORT:localhost:23 $REVHOST &
done
$REVPORT is calculated based on chargers S/N
$REVHOST is hardcoded for each year of production
#!/bin/sh
# Bring up pinned up reverse tunnel to mothership.
sshrevtunnel.sh
42
• Key-based authentication is
used, and the key is stored in
NAND in the unencrypted
form
• Potentially it's possible to rule
the mothership and the whole
swarm (out of scope)
ssh
ssh
ssh
ssh
ssh
Bluetooth
43
Bluetooth stack
44
btclassic onboadee
Bsa_server_921600
Baseband firmware
BT HCI over
UART
Vehicle interface
45
J1772 vehicle interface
46
Vehicle signalize it’s status
by closing switches:
SW1: vehicle charged
SW1&SW2: vehicle ready
for charging
SW1&SW2&SW3: vehicle
ready for charging with
ventilation
Disclosure timeline & vendor response
47
• 07-08-2018: We send all our findings to the vendor
• 21-08-2018: A detailed action plan was developed and discussed to
address the vulnerabilities found
• 14-09-2018: New firmware with all bugs fixed was released
© 2018 ChargePoint, Inc.
Information Security at ChargePoint
+ ChargePoint takes the security of our products and services seriously. We
dedicate significant resources to this area including:
• Following best practices for secure design and testing of our products
• Regular 3rd party penetration testing against our products and systems that store
sensitive data
+ Thank you Kaspersky for helping us enhance the security of our products!
• Your patience and persistence were helpful as these were the first externally-
detected vulnerabilities reported to us
• All the vulnerabilities identified have been patched
+ If you feel you have discovered a possible privacy or security vulnerability,
please contact us at security@chargepoint.com with a description of the issue.
48
Summary
49
• Several vulnerabilities in Wi-Fi and Bluetooth stacks were found
• Coordinated disclosure: all vulnerabilities were promptly fixed
• EV industry opens wide area for research:
• Transactions protocols
• EV-EVSE communication protocols
• …
Questions?
50
@kl_secservices
@d_sklyar

More Related Content

What's hot

DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesJim St. Leger
 
Project ACRN EtherCAT 101
Project ACRN EtherCAT 101Project ACRN EtherCAT 101
Project ACRN EtherCAT 101Project ACRN
 
Mathematics and development of fast TLS handshakes
Mathematics and development of fast TLS handshakesMathematics and development of fast TLS handshakes
Mathematics and development of fast TLS handshakesAlexander Krizhanovsky
 
DPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitch
DPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitchDPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitch
DPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitchJim St. Leger
 
SoC Idling for unconf COSCUP 2016
SoC Idling for unconf COSCUP 2016SoC Idling for unconf COSCUP 2016
SoC Idling for unconf COSCUP 2016Koan-Sin Tan
 
Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...SZ Lin
 
CampusSDN2017 - Jawdat: SDN Technology Evolvement
CampusSDN2017 - Jawdat: SDN Technology EvolvementCampusSDN2017 - Jawdat: SDN Technology Evolvement
CampusSDN2017 - Jawdat: SDN Technology EvolvementJawdatTI
 
pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014Netgate
 
使用XMPP進行遠端設備控制
使用XMPP進行遠端設備控制使用XMPP進行遠端設備控制
使用XMPP進行遠端設備控制艾鍗科技
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214Mac An
 
Network Jumbo Frame Config Guide
Network Jumbo Frame Config GuideNetwork Jumbo Frame Config Guide
Network Jumbo Frame Config GuideWoo Hyung Choi
 
ACI DHCP 구성 가이드
ACI DHCP 구성 가이드ACI DHCP 구성 가이드
ACI DHCP 구성 가이드Woo Hyung Choi
 
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingDPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingMichelle Holley
 
ACI Multicast 구성 가이드
ACI Multicast 구성 가이드ACI Multicast 구성 가이드
ACI Multicast 구성 가이드Woo Hyung Choi
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelThe Linux Foundation
 

What's hot (19)

DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
 
Project ACRN EtherCAT 101
Project ACRN EtherCAT 101Project ACRN EtherCAT 101
Project ACRN EtherCAT 101
 
Mathematics and development of fast TLS handshakes
Mathematics and development of fast TLS handshakesMathematics and development of fast TLS handshakes
Mathematics and development of fast TLS handshakes
 
DPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitch
DPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitchDPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitch
DPDK Summit - 08 Sept 2014 - NTT - High Performance vSwitch
 
SoC Idling for unconf COSCUP 2016
SoC Idling for unconf COSCUP 2016SoC Idling for unconf COSCUP 2016
SoC Idling for unconf COSCUP 2016
 
Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...Building, deploying and testing an industrial linux platform @ Open source su...
Building, deploying and testing an industrial linux platform @ Open source su...
 
CampusSDN2017 - Jawdat: SDN Technology Evolvement
CampusSDN2017 - Jawdat: SDN Technology EvolvementCampusSDN2017 - Jawdat: SDN Technology Evolvement
CampusSDN2017 - Jawdat: SDN Technology Evolvement
 
pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014pfSense 2.2 Preview - pfSense Hangout November 2014
pfSense 2.2 Preview - pfSense Hangout November 2014
 
1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618) 1-300-206 (SENSS)=Firewall (642-618)
1-300-206 (SENSS)=Firewall (642-618)
 
使用XMPP進行遠端設備控制
使用XMPP進行遠端設備控制使用XMPP進行遠端設備控制
使用XMPP進行遠端設備控制
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214
 
Network Jumbo Frame Config Guide
Network Jumbo Frame Config GuideNetwork Jumbo Frame Config Guide
Network Jumbo Frame Config Guide
 
Iuwne10 S06 L03
Iuwne10 S06 L03Iuwne10 S06 L03
Iuwne10 S06 L03
 
ACI DHCP 구성 가이드
ACI DHCP 구성 가이드ACI DHCP 구성 가이드
ACI DHCP 구성 가이드
 
ACI DHCP Config Guide
ACI DHCP Config GuideACI DHCP Config Guide
ACI DHCP Config Guide
 
DPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet ProcessingDPDK & Layer 4 Packet Processing
DPDK & Layer 4 Packet Processing
 
ACI Multicast 구성 가이드
ACI Multicast 구성 가이드ACI Multicast 구성 가이드
ACI Multicast 구성 가이드
 
Iuwne10 S06 L01
Iuwne10 S06 L01Iuwne10 S06 L01
Iuwne10 S06 L01
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
 

Similar to We will charge you. How to [b]reach vendor’s network using EV charging station.

Python on Rails - Victory Levy
Python on Rails - Victory LevyPython on Rails - Victory Levy
Python on Rails - Victory LevyHakka Labs
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsAleksandr Timorin
 
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxVivek Kumar
 
BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17Python0x0
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network AnalysisJoel W. King
 
Five Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud ArchitectureFive Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud ArchitectureAmazon Web Services
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkChristopher Grayson
 
Easily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg asEasily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg asRISC-V International
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclavewolfSSL
 
20180717 Introduction of Seamless BLE Connection Migration System (SeamBlue)
20180717 Introduction of Seamless BLE Connection Migration System (SeamBlue)20180717 Introduction of Seamless BLE Connection Migration System (SeamBlue)
20180717 Introduction of Seamless BLE Connection Migration System (SeamBlue)Will Shen
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
Tungsten Fabric Overview
Tungsten Fabric OverviewTungsten Fabric Overview
Tungsten Fabric OverviewMichelle Holley
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsRoshan Kulkarni
 
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDNOpenStack Korea Community
 
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
20151222_Interoperability with ML2: LinuxBridge, OVS and SDNSungman Jang
 
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...PROIDEA
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersMichelle Holley
 

Similar to We will charge you. How to [b]reach vendor’s network using EV charging station. (20)

Python on Rails - Victory Levy
Python on Rails - Victory LevyPython on Rails - Victory Levy
Python on Rails - Victory Levy
 
EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptxProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
ProjectVault[VivekKumar_CS-C_6Sem_MIT].pptx
 
BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17BOX of Illusion MOSEC'17
BOX of Illusion MOSEC'17
 
Using Batfish for Network Analysis
Using Batfish for Network AnalysisUsing Batfish for Network Analysis
Using Batfish for Network Analysis
 
Five Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud ArchitectureFive Steps to Creating a Secure Hybrid Cloud Architecture
Five Steps to Creating a Secure Hybrid Cloud Architecture
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home Network
 
Easily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg asEasily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg as
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
 
20180717 Introduction of Seamless BLE Connection Migration System (SeamBlue)
20180717 Introduction of Seamless BLE Connection Migration System (SeamBlue)20180717 Introduction of Seamless BLE Connection Migration System (SeamBlue)
20180717 Introduction of Seamless BLE Connection Migration System (SeamBlue)
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Tungsten Fabric Overview
Tungsten Fabric OverviewTungsten Fabric Overview
Tungsten Fabric Overview
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud Platforms
 
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
[OpenStack 하반기 스터디] Interoperability with ML2: LinuxBridge, OVS and SDN
 
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
20151222_Interoperability with ML2: LinuxBridge, OVS and SDN
 
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
PLNOG15: Simplifying network deployment using Autonomic networking and Plug-a...
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear Containers
 

More from DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationDefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money downDefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 

More from DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 

Recently uploaded

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

We will charge you. How to [b]reach vendor’s network using EV charging station.

  • 1. We will charge you. How to [b]reach vendor’s internal network using electric vehicle charging station Dmitry Sklyar @d_skljar 1
  • 2. Whoami 2 • Application security specialist, Security Assessment @kl_secservices • Hardware research • Reverse engineering • IoT and ICS protocols
  • 4. 4
  • 7. Communication scheme 7 Charger – Electric Vehicle (EV) interface220V ~ relay
  • 10. Android application analysis 10 • Uses Bluetooth to communicate with charger • “Just works” pairing method implemented – no PIN code, passwords, etc. • HCI logs • Can be easily collected on Android • Can be viewed with Wireshark • Simple RFCOMM protocol
  • 11. Commands from HCI log 11 1. Get_version – returns charger’s firmware version 2. Configure – sets maximum allowed current consumption and charger’s power supply type (plug-in or hardwired) 3. Get_wifi_networks 4. Connect_to_wifi 5. Register_with_nos – commands charger to send the information about smartphone’s coordinates and mobile application account id to the backend server 6. Shutdown_Bluetooth – disables the Bluetooth service
  • 12. ResetToFactoryDefaultsActivity 12 private void a() { this.a = new FlashSequence(); if (PermissionUtil.requestCameraPermission(this, true)) { return; } try { var1_1 = this.a.a(); ...
  • 13. 13
  • 15. Open TCP Ports 15 23 BusyBox telnetd 443 SSL with mutual authentication 55557 SSL with mutual authentication
  • 16. HW Revision 16 2 boards with separate CU’s 1. Power board –vehicle signaling interface control, current measurement 2. Panda board – wireless communications (mobile app, backend)
  • 17. Power board 17 1. MCU, MSP430 TI 6BATG4MSP430 F67691 2. Panda board socket 3. Mechanical relay TE T92S7D12-12 4. Debug socket 5. LED and photodiode 6. Power plug terminal strip 7. Vehicle outlet terminal strip
  • 18. Panda board 18 1. MPU, ARM Atmel AT91SAM9N12 2. Wireless communication module ISM43341-L77 3. Debug socket (JTAG) 4. External DDR RAM 1 GB Micron 6WM17 D9RZT 5. NAND FLASH 512 MB Micron 4XD12 NW196
  • 20. Playing with JTAG 1: Reading NAND 20 • Programmed in (every) Atmel MPU • Contains procedure that reads NAND pages in fixed buffer in internal SRAM • Procedure can be invocated in cycle with JTAG BootROM AT91Bootstrap U-Boot Kernel
  • 21. NAND Layout 21 • Parameter section has proprietary format and is parsed during device’s boot • Every parameter produces one file in /var/config directory AT91-bootstrap Linux image 1 UBI opt volume UBI data volume Linux image 2 UBI otavdata volume U-boot Kernel args SSH key recovery partition Kernel v.3.10.0 UBI rootfs volume Parameter section
  • 22. Playing with JTAG 2: Root With Telnet 22 • Procedure that verifies the input password located in the Busybox • We can invert result of the verification by changing the outlined instruction with JTAG
  • 23. Wi-Fi SSL (ports 443 and 55557) 23
  • 24. SSL services 24 SSL HTTP  stunnel  mutual authentication  server s private key encrypted  Thttpd  No actual web content  CGI interface Telnet  Busybox
  • 25. Certificates 25 system.crtca.crt • Certificate authority • SSL server certificate • Stored with private key • Private key is encrypted, but everything for the decryption is available
  • 26. Certificate decryption key 26 • Decryption is done by stunnel • Here is the code, that generates the decryption key • We can download the key from the memory after the function execution (JTAG)
  • 28. Certificates 28 system.crt ca.crt Subject: C = US, ST = CA, O = "Coulomb Technologies, Inc.", OU = Engineering, CN = 0024b100000265f1.chargepoint.net, emailAddress = ca@chargepoint.net X509v3 Authority Key Serial: B4:9F:86:A8:76:18:8A:33 Serial Number: B4:9F:86:A8:76:18:8A:33 Subject: C = US, ST = CA, O = "Coulomb Technologies, Inc.", OU = Engineering, CN = ca.chargepoint.net, emailAddress = ca@chargepoint.net
  • 29. CGI 29 dwnldlogsm  downloading logs uploadsm  uploading configuration getsrvr  misc. commands
  • 31. Vulnerabilities 1 31 Arbitrary file write in uploadsm sprintf(path, "%s%s", "/otavdata/", newFilePath); fopen (path,”wb”); No verification against “../ sequence in file path Substring from the input
  • 32. Vulnerabilities 2 32 OS command injection in uploadsm
  • 33. Vulnerabilities 3 33 Stack buffer overflow in getsrvr and uploadsm sscanf(&input,"%[^|]|%d|%d|%16s|%ld|%d|%d|%d|%[^|]|%[^|]| %s",&v1,%v2,…,&v11) Input commands are parsed without length checking
  • 34. ASLR Bypass Details 34 • Stack is executable, but its position is randomized • ~512 possible positions • ~350 tries to guess position with 50% prob. • 2 seconds per try • 15 minutes in average for successful payload launch
  • 35. Wi-Fi SSL (ports 443 and 55557) Communications with backend 35
  • 36. Control server communications 36 GET /ws-prod/panda/v1 HTTP/1.1 … Host: homecharger.chargepoint.com … Sec-WebSocket-Protocol: ocpp2.0 Sec-WebSocket-Extensions: Sec-WebSocket-Version: 13 Backend Internet
  • 37. OCPP2.0(ChargePoint edition) 37 • Based on OCPP1.6 • Messages are encapsulated into standard OCPP packets • Uses encrypted connection (TLS) • Device’s TLS certificate is the same, that is used as webserver’s certificate (system.crt)
  • 39. ASLR Bypass Details 39 • ~512 possible positions • ~350 tries to guess position with 50% prob. • Reboot is occurring every 4 process crashes • ~1 minute per try • About 6 hours in average for successful payload launch • A lot of special effects due to reboots
  • 40. Wi-Fi SSL (ports 443 and 55557) Communications with backend Way to the vendor’s network 40
  • 41. sshrevtunnel.sh 41 while true; do ssh -o "StrictHostKeyChecking no" -o "ExitOnForwardFailure yes" $REVSYSTEMPORT -N -T -R $REVPORT:localhost:23 $REVHOST & done $REVPORT is calculated based on chargers S/N $REVHOST is hardcoded for each year of production #!/bin/sh # Bring up pinned up reverse tunnel to mothership.
  • 42. sshrevtunnel.sh 42 • Key-based authentication is used, and the key is stored in NAND in the unencrypted form • Potentially it's possible to rule the mothership and the whole swarm (out of scope) ssh ssh ssh ssh ssh
  • 46. J1772 vehicle interface 46 Vehicle signalize it’s status by closing switches: SW1: vehicle charged SW1&SW2: vehicle ready for charging SW1&SW2&SW3: vehicle ready for charging with ventilation
  • 47. Disclosure timeline & vendor response 47 • 07-08-2018: We send all our findings to the vendor • 21-08-2018: A detailed action plan was developed and discussed to address the vulnerabilities found • 14-09-2018: New firmware with all bugs fixed was released
  • 48. © 2018 ChargePoint, Inc. Information Security at ChargePoint + ChargePoint takes the security of our products and services seriously. We dedicate significant resources to this area including: • Following best practices for secure design and testing of our products • Regular 3rd party penetration testing against our products and systems that store sensitive data + Thank you Kaspersky for helping us enhance the security of our products! • Your patience and persistence were helpful as these were the first externally- detected vulnerabilities reported to us • All the vulnerabilities identified have been patched + If you feel you have discovered a possible privacy or security vulnerability, please contact us at security@chargepoint.com with a description of the issue. 48
  • 49. Summary 49 • Several vulnerabilities in Wi-Fi and Bluetooth stacks were found • Coordinated disclosure: all vulnerabilities were promptly fixed • EV industry opens wide area for research: • Transactions protocols • EV-EVSE communication protocols • …