
[Music]
can you hear me
Now let me put it behind, if you can put it in like somewhere. Hello everyone, I'm the first one that is going to speak in English, sorry for not being fluent in Bulgarian. Although I did my master's here, the only Bulgarian that I know is "dobre", and sorry about that. So my talk is "Charge my car for free forever". Who am I? I was a senior penetration tester at Pen Test Partners until yesterday; today I'm starting my new role as CTO at a startup that I'm helping secure, which is called Remo. I'm mostly interested in researching API and IoT API devices and web application security, and I'm finishing my PhD developing a machine learning algorithm that will find low-hanging fruits in APIs. You can also find me, and please follow me, on Twitter, and I have stickers.

So today's talk is going to be about EV chargers and electric vehicles in general. The electric vehicles can be split into two categories: the one category is Tesla, and the other category is pretty much everything else. If you are an Elon Musk fanboy, this is not going to be about Tesla, so you can leave right now. The car industry is focused on electric vehicles. The Bulgarian government, I also know, is following the EU changes, and they are trying to stop selling petrol and diesel vehicles until 2030. There are right now more than three and a half million electric vehicles in the world, and it's projected to be more than five million electric vehicles in the world by the end of next year.

The EV chargers is a booming market: it has a lot of competition, it has smart devices, and whenever you see "smart" it means something else, you're going to see it on the next slide. It will keep growing to the millions; the plan is to have one charger for each household, which means a lot of smart devices, and there are 23 startups in the field in addition to the big players, which is ABB, Tesla and everyone else, also hippo and slow. Whenever an appliance is described as being smart, it means vulnerable, and it means you will be able to hack it.

The EV charger categories are the home chargers, which is a home installation; every appliance has access to the LAN networks; it's usually lower, about 20 kilowatts per hour, than public chargers, which is the other category. It's the chargers that you are going to see at the public roadside; they're fast chargers that are up to half a megawatt; they have OCPI in their connection, we are going to see what OCPI means; and the accounts can work globally. [Applause] A quote: the global EV fleet in 2020 is consuming as much as Belgium, and in 2030 it's going to consume pretty much as much as Europe
consumes, electricity-wise.

All the attacks that we are going to see in here are cloud-based attacks. There's no hardware hacking, there's no mumbo jumbo, there's no buffer overflows, so if that floats your boat, unfortunately I'm not your man. So what we are doing in cloud API, what we are doing in API hacking, is a set of low-hanging fruits. When you're building APIs you have to at least fix the low-hanging fruits and then the medium-hanging fruits. As we're going to see later down the road, most of the issues are rush-to-market issues, and you have to know that authorization is not authentication, and if you don't know it, someone is going to hack you.

All attacks in the talk are cloud-based, as I said; there's no physical access required. Most of the hacking was done from my house in Greece, and the chargers were based either in the UK or in the US. Most of them are really low-hanging fruits: it's insecure direct object reference, or standard authorization bypasses, or even no authentication at all, because who needs authentication. And all the issues found are logic flaws; there's no injection, no SQL injection, no XSS. As this kind of testing without authorization, as we saw in the previous talk, could be breaking the CMA (CMA means Computer Misuse Act), you would be committing a crime. Also, whoever wants to start cloud API testing, you are not going to get any CVE at all, unfortunately. I can tell you a lot of stories; we have ended up owning 505 million routers and we didn't get a CVE because we did it over a cloud.

What we're going to see in this talk: APIs missing authentication, which is ridiculous; APIs checking for authentication and not authorization; APIs allowing you to upgrade yourself to admin while you are a user; and APIs that leak everything because, you know, just a static key. This is a third-party backend cloud; as we're going to see, we ended up owning a cloud infrastructure that was not only handling EV chargers but was also handling a million other devices. This is the case for many Chinese-branded clouds.

As I told you, CMA and crime alert: API research is really, really tricky. Try as hard as you can to never ever interact with a device you don't own. If you mistakenly do it, notify the vendor immediately. If you're taking platform admin, you are breaking the CMA. You have to be 100% sure that you know what you're doing, or you will end up in a really difficult situation, sorry.

So what are the goals for this talk? When we are attacking a charger, the bare minimum is to control other devices that you don't own, so start/stop. Then the PII leak; PII stands for personal identifiable information; we have to know other users' email, name and location. Medium level means that you can flash the firmware, so you can break the device or pivot to the network. And the total home run is platform admin, so you have access to everything.

I was going to start with the home chargers. Unfortunately, at BSides Dublin and BSides Sofia I wanted to present a new charger cloud that I also owned, but it's still not fixed, and if I was going to present it I would be dropping a zero-day, which is bad and a crime, I was told. So yeah, unfortunately we're going to name it ChargerX.
It was disclosed four months ago; it's still vulnerable; it has two and a half thousand installations; we have platform admin there, we can access everything, we can delete everything, but it's going to be still ChargerX.

Let's get a couple of things also out of the way. The first one is the Russia incident. I don't know if you saw the news: the Ukrainian vendor has disabled all the EV charging stations that it owned. This was not a hack; this was a vendor changing their own devices. It disabled all chargers on the M11 highway, which connects St. Petersburg to Moscow, rendering every travel impossible. The second thing, I have an alibi for both of them, first of all is the electric car charging that was found on the Isle of Wight. It was a hack; it was pretty similar to the IDORs that I was going to present there. All the chargers were showing porn and poor messages. There is an active investigation on that, and from what I know they're going to find whoever did it.

This is the first charger that we're going to present: it's called Project EV, or ATESS, or Shenzhen Growatt. It was one of the worst. It had the Department of Transport approval; the Department of Transport approves what you can install in your home in the UK. The Growatt cloud had a huge number of devices, like over three million, that were not only limited to the charger; there were also photovoltaics, there were also kettles, there were a lot of things that were controlled by that cloud. Growatt and ATESS are both China-based companies. As you're going to see, you can see in here that there was no authentication or authorization on any call; it was just the first login and then you were passing the charger id. You could change the charger id, they were consecutive numbers, so you can easily brute-force everything. What we got was full functionality on all devices: lock and unlock; we could remote firmware update, there was no signature check, so we could pivot into the internal network; we could pivot into internal networks of companies that had them installed. Obviously there was a PII leak; you could break it and never start it again; and we also got platform admin. Also, whatever is in red in there is a crime; it's a breach of the CMA; you should never do it. [Applause]

So how did this disclosure go? They did not respond for weeks; they only responded when they were asked by the BBC. They eventually fixed it, after first saying they fixed it but it was not fixed, and they fixed it with a stateless login, so they have no cookie, no authorization, no authentication at all; you just send the authentication and then somehow it works. I didn't want to look at it at all afterwards because frankly it was a really, really bad platform. I'm giving them a fail, F minus, really bad.

The second one is the biggest of the home chargers; it's called EVBox. It has a global install base of over 200,000 charging points; they're based in Amsterdam; they're obviously Department of Transport approved, and they were acquired by Engie for 300 million pounds. It had a really good API; everything checked; there were no obvious issues, so I was really desperate. Can anyone find what the issue is? As you can see, when you're editing your profile you're also passing the roles, so if you go to the roles and say,
I don't know, "I'm an admin" or "I'm a tenant", that means we end up having full platform admin with access to everything, all the users, all the PII. So you had total compromise of everything: there was PII leakage, you had all admin functionality, you could log in to servers. It was a really, really bad situation; from a really minor thing we got platform admin. [Applause] They were really, really good: they responded in two hours, they fixed it in 24 hours, they double-checked that everything was fixed; they had an excellent response. I'm giving them... they were probably the best disclosure that I ever did, and I did a lot of disclosures in the past couple of years.

The third one is Wallbox. It has around 100,000 users; they are based in Barcelona; they merged with a capital acquisition corp and they raised 300 million dollars. They had a lot of... actually they had six different instances of second-level IDOR, which means that you could just pass charger ids, which are consecutive numbers, and you will end up with total control over all chargers; you could lock and unlock. There was no way to firmware update, unfortunately, so there's no platform admin and there's no PII leaks. They responded really the next day; they fixed it in a couple of days, and after I rechecked and re-engaged after a month, because I found the second issue, which was the same as the first one, which seems really bad for them because they didn't actually fix the underlying cause but fixed just the issue that was reported, they fixed it in a couple of days again. They wanted to engage so that I could check them, the company that I worked for could check them, but they also wanted an NDA, so yeah, I'm not going to sign an NDA because I don't like being forced to sign NDAs. So not great, not terrible; they did what they could.

The EO charger is probably the first one that we took a look at. It's right now at 20,000 users estimated; they're based in London; they had typical rush-to-market issues. It had the Raspberry Pi as the base, which can be easily rooted; there is no bootloader security; the recovery of full source code, and by full source code I mean two Python scripts that had hard-coded credentials; full documentation, because I didn't want to understand Python, I just read the comments and it was there. As you can see, they have everything; they have a static key in there, and I ended up... we could fully decrypt everything, you can take control of everything, you could mimic the server and make a botnet, because why not. You didn't need to reflash, because you could say that from now on I'm the server, you're going to do what I say. So there was a PII leak, credentials leaked, we got platform admin, we got a lot of different stuff. They responded in a timely fashion; they worked hard on moving away from the Raspberry Pi model and moving to somewhere else, but their new and improved EO Mini uses a Raspberry Pi again, because why not. You know, I'm going to say that I'm not a hardware expert, so this is from people who know how easy the Raspberry Pi is to be hacked. It is a valid prototype device; it's not a good idea to put the Raspberry Pi in
production. It allows an easy extraction of full stored data because it has an SD card; obviously it's easily rootable; and there is no way to have a secure bootloader. I know that Raspberry Pi is trying to solve that, but until now there is no easy way of having a secure bootloader.

Moving next to the public chargers, we're going to have ChargePoint. ChargePoint is one of the biggest, after Tesla and ABB, public charging providers in the world. The number of spots it has is 114, which is close to half a million chargers because, as you can see, each spot has three to six chargers, and it had a publicly exposed, unauthenticated GraphQL endpoint with introspection enabled. It was potentially leaking their full schema; it wanted no authentication at all. But as I said before, you cannot try and access things that you don't own, because you are committing a crime. The API research is really tricky because you know it is there, you can access it, but the moment that you're accessing something that you don't own you're committing a crime, so don't do that. The bad thing is that ChargePoint responded in an hour; they fixed it on the same day; they had an excellent response; they acknowledged that there was an issue in there, and they said that, okay, you could have accessed it and we wouldn't press charges against you. So I'm giving them the gold medal, but unfortunately I didn't have all the data, so they acknowledged it but I didn't actually hack it.

Now moving next to potential issues and how these things can be weaponized. There is OCPI, which is the Open Charge Point Protocol, which is an application protocol so that all public chargers can connect to each other and use their own accounts on other providers. They have a protocol which is called roaming; there's a connection between providers and manufacturers, which means that if you find a vulnerability in one platform it will lead to everyone being vulnerable, much like the mobile network; it's called roaming. So let's say if you find something in ChargePoint, you will be able to hack every other platform that is connected with OCPI. What you could do is steal energy and have someone else pay for it; you could obviously PII leak; you could deny service to legitimate users because you could make them stop charging; and it gets way worse.

So even worse potential issues: this is a really nice paper, the Horus scenario; it was presented by Willem Westerhof, I hope I pronounced it correctly. It was an attack based on photovoltaic vulnerabilities that can potentially destabilize the power grid, and we're going to take it from another point of view. You know, the thing with power in Europe is that when we in Greece, or you in Bulgaria, need more power, you're going to get it from Greece, we're going to get it from Bulgaria or Macedonia; you know, interconnected nations are constantly exporting and importing power so that they help each other during crisis times. So for the Willem scenario, the Horus scenario, instead of limiting the PV power, or limited... we're going to see at another talk, you're going to see at DEF CON this year, we're going to maximize the need for power. So everyone making a cup of tea at half-time during the World Cup match is something that the power grid operators are prepared for, but they're not prepared for the chargers to be on, off and on again. It will gain a lot of power and it could potentially black out power grids, and if you also keep in mind that with the PII leak you can know where each charger is located... For this to work, unfortunately, you need to be connected to the chargers; you have to have a car connected to the charger; you cannot say to the charger "take as much power as you need", so this kind of attack would need to take place in the evening. Any questions? Thanks for listening. [Applause] [Music] No questions? Excellent. Oh...
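The two flaws that recur through the talk are an IDOR on consecutive charger ids (an authenticated caller acting on any charger) and a profile update that writes whatever fields the client sends, roles included. The following is an added example written for this page, not code from the talk or from any vendor it names: a small in-memory model of a charger cloud API with each vulnerable handler beside its hardened form. The users, charger ids and role names are constructed sample data, and `Platform`, `attempt` and the `Forbidden` exception are this example's own names.

```python
"""Added example, not from the talk or any vendor it names: a small in-memory model
of a charger cloud API showing the two authorization flaws the talk describes
(an IDOR on consecutive charger ids, and a profile update that writes whatever
fields the client sends, roles included) next to the checks that close them.
Users, charger ids and role names are constructed sample data."""
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    email: str
    role: str = "user"  # "user" or "admin"; must only ever be set server-side


@dataclass
class Charger:
    charger_id: int
    owner_id: int
    locked: bool = True


class Forbidden(Exception):
    """Raised when a request is refused; an API would map this to 401/403/404."""


class Platform:
    def __init__(self):
        # Constructed sample data: two tenants, consecutive charger ids as on the
        # platforms discussed in the talk (so ids are trivially guessable).
        self.users = {1: User(1, "alice@example.com"), 2: User(2, "bob@example.com")}
        self.chargers = {1001: Charger(1001, owner_id=1), 1002: Charger(1002, owner_id=2)}

    # --- vulnerable handlers: the caller is authenticated, nothing is authorized ---
    def unlock_charger_vulnerable(self, caller_id, charger_id):
        """Checks only that the caller has an account, then acts on any charger id."""
        if caller_id not in self.users:
            raise Forbidden("not authenticated")
        charger = self.chargers[charger_id]  # IDOR: no ownership check at all
        charger.locked = False
        return charger.locked

    def update_profile_vulnerable(self, caller_id, payload):
        """Copies every field in the request body onto the account, 'role' included."""
        user = self.users[caller_id]
        for key, value in payload.items():  # mass assignment of client-chosen fields
            setattr(user, key, value)
        return user.role

    # --- hardened handlers: authorization is decided from server-side state ---
    def unlock_charger(self, caller_id, charger_id):
        """Object-level check: the caller must own the charger, or hold the admin role
        as recorded on the server (never as claimed in the request)."""
        caller = self.users.get(caller_id)
        if caller is None:
            raise Forbidden("not authenticated")
        charger = self.chargers.get(charger_id)
        if charger is None or (charger.owner_id != caller_id and caller.role != "admin"):
            # Same refusal for "not yours" and "does not exist", so a caller walking
            # consecutive ids learns nothing about which ones are real.
            raise Forbidden("no such charger")
        charger.locked = False
        return charger.locked

    PROFILE_WRITABLE = frozenset({"email"})  # allow-list; 'role' is never client-settable

    def update_profile(self, caller_id, payload):
        """Applies only allow-listed fields; reports which fields were dropped so the
        API can log a client that tried to set 'role' (a useful detection signal)."""
        user = self.users[caller_id]
        rejected = set(payload) - self.PROFILE_WRITABLE
        for key in self.PROFILE_WRITABLE & set(payload):
            setattr(user, key, payload[key])
        return user.role, rejected


def attempt(fn, *args):
    """Run a handler and return its result, or 'forbidden' as an API client would see it."""
    try:
        return fn(*args)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    p = Platform()
    print("vulnerable: Alice unlocks Bob's charger ->", attempt(p.unlock_charger_vulnerable, 1, 1002))
    print("vulnerable: Alice sets her own role ->", attempt(p.update_profile_vulnerable, 1, {"role": "admin"}))
    p = Platform()
    print("hardened: Alice unlocks Bob's charger ->", attempt(p.unlock_charger, 1, 1002))
    print("hardened: Alice sends a role with her profile ->",
          attempt(p.update_profile, 1, {"email": "a@example.com", "role": "admin"}))
```

The hardened `unlock_charger` answers "no such charger" both for a charger the caller does not own and for an id that does not exist, so walking consecutive ids reveals nothing; the hardened `update_profile` returns the rejected field names rather than silently dropping them, which is the point at which a backend should log the attempt, since a client sending `role` is exactly the traffic the talk's EVBox finding would have produced.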
Is there a database or some list of providers where we can check whether they have...
This is a broader IoT devices question. What I usually say is, you have to consider, when you buy an IoT device, to buy something from a well-reputable company. Vulnerabilities are going to happen; the thing is, you want a company that will stand by the vulnerability, fix it as soon as possible, acknowledge it and push an update to you. So yes, there is the CVE database where you can see who has what; there is also the IoT database where you can see their FCC and what they're composed of. But usually I'm just saying, if you know the company, go with it; don't go with a random Chinese company.
[Applause] If you own the device, you can do whatever you want. So if... no, I have bought, the company that I work for bought, each of the devices so we could prove that we could break it without breaking the law. If you own the device and I break it, I obviously break the law, but if I own the device then I'm not breaking the law. If I take platform admin, so I have access to PII, and interact with a device that you own, then I break the law. Unfortunately, the CMA, I'm talking about the UK law here, but I don't know about Bulgaria, I don't know, and the Greek law says that if you access something that you don't own, you break the law. It's a little bit, not a little bit, a lot outdated, and a lot of lobbying is happening so that we can change that, but until then, unfortunately, it is what it is, and I cannot tell you to commit a crime; I'm telling you not to commit a crime. Any other questions?

For the admin platform, especially for the home chargers, can you explain a little bit what the manufacturer's or vendor's purpose is in having a concentrated database with all home chargers connected?

This is again, let's look at the IoT level; I'm going to look at the IoT level. If you remember, 10 years ago, when we were installing our own IoT cameras, we were saying, now we need to port forward our routers to do something, which you and me could do, but my mother, no, my mother could not do it; my father, who is that literate, couldn't do it. So they say, you don't need that anymore; we are going to punch through your router, and just by using our APIs and our mobile application you will be able to control your device. That's the case for the chargers: they install it and they just want to have an easy way in and an easy way out, which is also an easy way in and an easy way out for anyone who is, I don't know, a hacker. [Applause] Did that answer? Okay, anyone else? Thank you. [Applause]