As more and more electric vehicles penetrate the market, there’s going to have to be a proportional rise in the number of charging stations that are built into parking garages, apartment complexes, and even private homes. And the more that happens, the more chargers we’re going to start seeing where security is at best an afterthought in their design.
But as this EV charger teardown and reverse engineering shows, it doesn’t necessarily have to be that way. The charger is a Zaptec Pro station that can do up to 22 kW, and the analysis was done by [Harrison Sand] and [Andreas Claesson]. These are just the kinds of chargers that will likely be widely installed over the next decade, and there’s surprisingly little to them. [Harrison] and [Andreas] found a pair of PCBs, one for the power electronics and one for the control circuits. The latter supports a number of connectivity options, like 4G, WiFi, and Bluetooth, plus some RFID and powerline communications. There are two microcontrollers, a PIC and an ARM Cortex-A7.
Despite the ARM chip, the board seemed to lack an obvious JTAG port, and while some unpopulated pads did end up having a UART line, there was no shell access possible. An on-board micro SD card slot seemed an obvious target for attack, and some of the Linux images they tried yielded at least a partial boot-up, but without knowing the specific hardware configuration on the board, that’s just shooting in the dark. That’s when the NAND flash chip was popped off the board to dump the firmware, which allowed them to extract the devicetree and build a custom bootloader to finally own root.
The article has a lot of fascinating details on the exploit and what they discovered after getting in, like the fact that even if you had the factory-set Bluetooth PIN, you wouldn’t be able to get free charging. So overall, a pretty good security setup, even if they were able to get in by dumping the firmware. This all reminds us a little of the smart meter reverse engineering our friend [Hash] has been doing, in terms of both methodology and results.
Thanks to [Thinkerer] for the tip.
Interesting, nice to see an internet connected device where security was actually at least considered in how it operates…
Dumping the firmware leading to getting in to me is a good thing, as the whole thing is less likely to turn to e-waste if you can repurpose it and it doesn’t seem like a security problem at all – at least as long as everything else is done right, which it seems like it is doing so won’t help attacking one of these in the wild.
Still remains to be seen if there is a glaring security flaw they just didn’t find, or a flaw in the external services the device connects to. But how refreshing it is to see something like this that isn’t clearly the old ‘The S in IOT stands for security’ style execution that far to many things are these days.
‘The S in IOT stands for security’. I admit that took me a second, lol.
They got in, but only via physical access to the board, and at that point, you could simply replace the whole board. They didn’t find a way to compromise other chargers without this physical access, so it appears the designers did at least an above-average job of securing it.
I’m a little disappointed they didn’t look into ways to influence the current measurement circuit; not a word about the type of measurement used (shunt resistor, Hall effect, current transformers, Rogowski coils, etc.), and we can’t see it in the photos either.
Maybe an external magnetic field, or modulation of the current drawn could cause a significant deviation in the measurement.
I could be wrong (not an electrical engineer), but that seems like the kind of thing that could at least partially be mitigated with some shielding (assuming there isn’t already some in place).
All in all, it sounds like they did a pretty decent job, which is nice to hear.
A more important security concept with chargers is safety. I’ve seen a teardown of a charger where each screw terminal had a temperature sensor built in, and would cut power if any of the wire junctions in the terminals started to overheat. I really liked that design, but I don’t know if that’s normal; proprietary to only that one particular charger; or an industry standard.
To me “not starting a fire in the building where I live” is a lot more important than someone stealing a few kWh.
I wonder if you could put a powerful enough magnet over those relays to get them to actuate. This would bypass the whole authentication system and just turn on the juice… at least in theory. It would also likely take a VERY powerful magnet to do this.
You think 125 lbs pull would be enough? https://unitednuclear.com/index.php?main_page=product_info&cPath=70_79&products_id=276
“The .NET code only seems to implement the Reboot and UpdateFirmware commands. The StartCharging and StopChargingFinal commands look to be functions that were partially implemented in the Android application, but never implemented on the charger. No free charging via Bluetooth.”
And UpdateFirmware doesn’t warrant any investigation? I guess it’s gated behind the PIN, but still.
Likewise, especially since this seems to be fairly congratulatory to Zaptec, I’d expect to see at least a mention of what is exposed on the power-line (PLC) interface, and if it differs from the wifi interface.
Maybe I’m just grouchy :’D
“.NET” and “Security” in the same context ?
Please add a tag “EVSE”, as this is the abbreviation mostly used for this kind of equipment.
see: https://en.wikipedia.org/wiki/EVSE
Look at that logo!
If I was a lawyer for Zaptec I’d be sending Putin a cease and desist!