This document summarizes a presentation about vulnerabilities found in electric vehicle charging stations. The presentation covered: 1) Several vulnerabilities were found in the Bluetooth and Wi-Fi stacks that could allow access to the vendor's internal network, including arbitrary file writes, command injection, and buffer overflows. 2) The vulnerabilities were disclosed responsibly to the vendor, who developed a detailed plan and released updated firmware within a few months to address all issues. 3) Electric vehicles and charging stations are an important area for continued security research given the protocols for wireless communication, transactions, and vehicle-to-charger interfaces.

1. We will charge you. How to [b]reach
vendor’s internal network using
electric vehicle charging station
Dmitry Sklyar
@d_skljar
1

2. Whoami
2
• Application security specialist, Security Assessment
@kl_secservices
• Hardware research
• Reverse engineering
• IoT and ICS protocols

3. 3
Entering the new era

4. 4

5. Charge Point Home
5

6. Marketing style
6

7. Communication scheme
7
Charger – Electric
Vehicle (EV)
interface220V
~
relay

8. Android application
8

9. Communications with app
9
Internet
Inactivated state
Activated state

10. Android application analysis
10
• Uses Bluetooth to communicate
with charger
• “Just works” pairing method
implemented – no PIN code,
passwords, etc.
• HCI logs
• Can be easily collected on
Android
• Can be viewed with Wireshark
• Simple RFCOMM protocol

11. Commands from HCI log
11
1. Get_version – returns charger’s firmware version
2. Configure – sets maximum allowed current
consumption and charger’s power supply type (plug-in
or hardwired)
3. Get_wifi_networks
4. Connect_to_wifi
5. Register_with_nos – commands charger to send the
information about smartphone’s coordinates and mobile
application account id to the backend server
6. Shutdown_Bluetooth – disables the Bluetooth service

12. ResetToFactoryDefaultsActivity
12
private void a() {
this.a = new FlashSequence();
if (PermissionUtil.requestCameraPermission(this, true)) {
return;
}
try {
var1_1 = this.a.a();
...

13. 13

14. Charger
14

15. Open TCP Ports
15
23 BusyBox telnetd
443 SSL with mutual authentication
55557 SSL with mutual authentication

16. HW Revision
16
2 boards with separate CU’s
1. Power board –vehicle
signaling interface control,
current measurement
2. Panda board – wireless
communications (mobile app,
backend)

17. Power board
17
1. MCU, MSP430
TI 6BATG4MSP430 F67691
2. Panda board socket
3. Mechanical relay
TE T92S7D12-12
4. Debug socket
5. LED and photodiode
6. Power plug terminal strip
7. Vehicle outlet terminal
strip

18. Panda board
18
1. MPU, ARM
Atmel AT91SAM9N12
2. Wireless communication
module
ISM43341-L77
3. Debug socket (JTAG)
4. External DDR RAM 1 GB
Micron 6WM17 D9RZT
5. NAND FLASH 512 MB
Micron 4XD12 NW196

19. JTAG tool chest
19

20. Playing with JTAG 1: Reading NAND
20
• Programmed in (every) Atmel MPU
• Contains procedure that reads NAND
pages in fixed buffer in internal
SRAM
• Procedure can be invocated in cycle
with JTAG
BootROM AT91Bootstrap U-Boot Kernel

21. NAND Layout
21
• Parameter section has proprietary format and
is parsed during device’s boot
• Every parameter produces one file in
/var/config directory
AT91-bootstrap
Linux image 1
UBI opt volume
UBI data volume
Linux image 2
UBI otavdata volume
U-boot
Kernel args
SSH key recovery partition
Kernel v.3.10.0
UBI rootfs volume
Parameter section

22. Playing with JTAG 2: Root With Telnet
22
• Procedure that verifies the
input password located in
the Busybox
• We can invert result of the
verification by changing the
outlined instruction with
JTAG

23. Wi-Fi
SSL (ports 443 and 55557)
23

24. SSL services
24
SSL
HTTP
 stunnel
 mutual authentication
 server s private key encrypted
 Thttpd
 No actual web content
 CGI interface
Telnet
 Busybox

25. Certificates
25
system.crtca.crt
• Certificate authority • SSL server certificate
• Stored with private key
• Private key is encrypted, but
everything for the decryption is
available

26. Certificate decryption key
26
• Decryption is done by
stunnel
• Here is the code, that
generates the decryption
key
• We can download the key
from the memory after the
function execution (JTAG)

27. SSL Bypass
27
WEB
system.crt

28. Certificates
28
system.crt
ca.crt
Subject:
C = US, ST = CA, O = "Coulomb Technologies, Inc.", OU = Engineering,
CN = 0024b100000265f1.chargepoint.net,
emailAddress = ca@chargepoint.net
X509v3 Authority Key Serial:
B4:9F:86:A8:76:18:8A:33
Serial Number:
B4:9F:86:A8:76:18:8A:33
Subject:
C = US, ST = CA, O = "Coulomb Technologies, Inc.",
OU = Engineering,
CN = ca.chargepoint.net, emailAddress = ca@chargepoint.net

29. CGI
29
dwnldlogsm
 downloading logs
uploadsm
 uploading
configuration
getsrvr
 misc. commands

30. Command format
30
rbt|6|253|0024B100000265F1|1519308070|0|1|111|rbt
cmd
tag
seq
num
cmd
unique code
charger’s S/N
timestamp
outlet num
cmd specific
parameters
cmd
tag

31. Vulnerabilities 1
31
Arbitrary file write in uploadsm
sprintf(path, "%s%s", "/otavdata/", newFilePath);
fopen (path,”wb”);
No verification against “../ sequence in file path
Substring from the input

32. Vulnerabilities 2
32
OS command injection in uploadsm

33. Vulnerabilities 3
33
Stack buffer overflow in getsrvr and uploadsm
sscanf(&input,"%[^|]|%d|%d|%16s|%ld|%d|%d|%d|%[^|]|%[^|]|
%s",&v1,%v2,…,&v11)
Input commands are parsed without length checking

34. ASLR Bypass Details
34
• Stack is executable, but its position is randomized
• ~512 possible positions
• ~350 tries to guess position with 50% prob.
• 2 seconds per try
• 15 minutes in average for successful payload launch

35. Wi-Fi
SSL (ports 443 and 55557)
Communications with backend
35

36. Control server communications
36
GET /ws-prod/panda/v1 HTTP/1.1
…
Host: homecharger.chargepoint.com
…
Sec-WebSocket-Protocol: ocpp2.0
Sec-WebSocket-Extensions:
Sec-WebSocket-Version: 13
Backend
Internet

37. OCPP2.0(ChargePoint edition)
37
• Based on OCPP1.6
• Messages are encapsulated into standard OCPP packets
• Uses encrypted connection (TLS)
• Device’s TLS certificate is the same, that is used as webserver’s
certificate (system.crt)

38. Stack buffer overflow
38
sscanf(input,"%[^|]|%d|%d|%16s|%ld|%d|%d|%16s|%s",&v1,&v2,&v
3,&v4,&v5,&v6,&v7,&v8,&v9);
Commands have the same format as in the CGI, that leads to
the same vulnerability

39. ASLR Bypass Details
39
• ~512 possible positions
• ~350 tries to guess position with 50% prob.
• Reboot is occurring every 4 process crashes
• ~1 minute per try
• About 6 hours in average for successful payload launch
• A lot of special effects due to reboots

40. Wi-Fi
SSL (ports 443 and 55557)
Communications with backend
Way to the vendor’s network
40

41. sshrevtunnel.sh
41
while true; do
ssh -o "StrictHostKeyChecking no" -o "ExitOnForwardFailure yes"
$REVSYSTEMPORT -N -T -R $REVPORT:localhost:23 $REVHOST &
done
$REVPORT is calculated based on chargers S/N
$REVHOST is hardcoded for each year of production
#!/bin/sh
# Bring up pinned up reverse tunnel to mothership.

42. sshrevtunnel.sh
42
• Key-based authentication is
used, and the key is stored in
NAND in the unencrypted
form
• Potentially it's possible to rule
the mothership and the whole
swarm (out of scope)
ssh
ssh
ssh
ssh
ssh

43. Bluetooth
43

44. Bluetooth stack
44
btclassic onboadee
Bsa_server_921600
Baseband firmware
BT HCI over
UART

45. Vehicle interface
45

46. J1772 vehicle interface
46
Vehicle signalize it’s status
by closing switches:
SW1: vehicle charged
SW1&SW2: vehicle ready
for charging
SW1&SW2&SW3: vehicle
ready for charging with
ventilation

47. Disclosure timeline & vendor response
47
• 07-08-2018: We send all our findings to the vendor
• 21-08-2018: A detailed action plan was developed and discussed to
address the vulnerabilities found
• 14-09-2018: New firmware with all bugs fixed was released

48. © 2018 ChargePoint, Inc.
Information Security at ChargePoint
+ ChargePoint takes the security of our products and services seriously. We
dedicate significant resources to this area including:
• Following best practices for secure design and testing of our products
• Regular 3rd party penetration testing against our products and systems that store
sensitive data
+ Thank you Kaspersky for helping us enhance the security of our products!
• Your patience and persistence were helpful as these were the first externally-
detected vulnerabilities reported to us
• All the vulnerabilities identified have been patched
+ If you feel you have discovered a possible privacy or security vulnerability,
please contact us at security@chargepoint.com with a description of the issue.
48

49. Summary
49
• Several vulnerabilities in Wi-Fi and Bluetooth stacks were found
• Coordinated disclosure: all vulnerabilities were promptly fixed
• EV industry opens wide area for research:
• Transactions protocols
• EV-EVSE communication protocols
• …

50. Questions?
50
@kl_secservices
@d_sklyar