When connecting your EV to a DC fast charging station, the car will communicate with the charging station using a network connection. This connection is made over the powerline of the charging cable using the HomePlug protocol. Typically, the modem responsible for this communication is accessible in Linux as a regular network interface. Because of this, misconfiguration of services on the charging station controller might cause these services to be exposed on the charging cable.
At ElaadNL, we have developed a test box that we can use to investigate the charging cable interface of charging stations. A charging station can be connected to this test box, which will then simulate an EV to set up a connection to the charging station. After this, we can use tools such as Nmap to scan the charging station for exposed services. Using this test box, we have scanned 15 different models of charging stations from 11 different manufacturers.
We conclude that exposure of excess services on the charging cable is a common occurrence, with almost 50% of charging stations exposing an SSH port. Furthermore, we discovered one charging station that exposes an unprotected MQTT service on the charging cable, and another that exposes an HTTP web configuration interface. After authentication, we were able to gain remote code execution on the charging station via this web configuration interface. Thus, we prove that with this attack vector, especially when combined with other vulnerabilities in a charging station, an attacker who needs only physical access to the charging station itself can hack it and can then influence the availability of these charging stations, affecting mobility and power grid stability. It also shows the possibility of a malware-infected car hacking charging stations as it charges at them.
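A controller-side check for the misconfiguration described above, as an added example that is not part of the original abstract or of ElaadNL's tooling: it reads `ss -H -tln` output and reports TCP listeners reachable through the powerline modem interface that are not on an allowlist. The interface name `plc0`, its address, the allowed port and the sample lines are all constructed assumptions, and firewall rules are not taken into account.

```python
import ipaddress

PLC_IFACE = "plc0"        # assumption: name of the HomePlug modem interface
PLC_ADDRS = {"fe80::2"}   # assumption: addresses configured on that interface
EXPECTED_PORTS = {50000}  # assumption: the only port the charging session needs

# Constructed sample of `ss -H -tln` output from a hypothetical controller.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 127.0.0.1:1883 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 5 [fe80::2]%plc0:50000 [::]:*
LISTEN 0 16 192.168.10.5%eth0:8080 0.0.0.0:*
"""

def reachable_on(local, iface, iface_addrs):
    """Return the port if this local address is reachable via iface, else None."""
    addr, port = local.rsplit(":", 1)
    if "%" in addr:
        # Socket is bound to one device: only that interface can reach it.
        addr, scope = addr.split("%", 1)
        return int(port) if scope == iface else None
    addr = addr.strip("[]")
    if addr == "*":
        return int(port)  # dual-stack wildcard: every interface
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return None
    if ip.is_unspecified or str(ip) in iface_addrs:
        return int(port)
    return None

def unexpected_listeners(ss_output, iface=PLC_IFACE, addrs=PLC_ADDRS,
                         expected=EXPECTED_PORTS):
    """Ports listening on the cable-facing interface that are not allowlisted."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        port = reachable_on(fields[3], iface, addrs)
        if port is not None and port not in expected:
            found.add(port)
    return sorted(found)

if __name__ == "__main__":
    print(unexpected_listeners(SAMPLE))
```

In the sample, the SSH and HTTP listeners are flagged because they bind to wildcard addresses, while the MQTT broker bound to loopback and the service pinned to `eth0` are not.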
Wilco van Beijnum is researching cyber security in the EV charging infrastructure domain at ElaadNL.
Sebastiaan Laro-Tol is a Test Automation Engineer at ElaadNL, testing Power Quality and Immunity of EV Infrastructure, with a background in red teaming.