
Charge My Car For Free! FOREVER!

BSides Dublin · 2022 · 24:47 · 85 views · Published 2022-05
About this talk
Vangelis Stykas examines security vulnerabilities in electric vehicle charging networks, demonstrating how misconfigured APIs expose millions of charging stations to unauthorized control. Through case studies of major charger manufacturers, the talk reveals common authentication and authorization flaws, firmware extraction risks, and platform-wide compromise scenarios—along with lessons learned from vendor disclosure.
Transcript [en]

Welcome to my BSides Dublin 2022 talk, "Charge My Car For Free! Forever!" First of all, don't do it, it's a crime; let's get that out of the way. A short intro for me: I'm Vangelis Stykas, I'm Greek, I work as a senior penetration API tester at Pen Test Partners. I have a couple of startups that I'm advising to secure themselves and to build better and more secure APIs. My research interests are mainly API for IoT and web application security. For the past year, close to a year, I have been developing a machine learning tool to spot API flaws and low-hanging fruit on API issues. You can hear my dodgy accent; you might have heard my dodgy accent on the telly on a couple of programs. Usually I'm not a bad guy. And please follow me on Twitter, at my @evstykas Twitter handle.

So our talk today is going to be about electric vehicles. There are two distinct categories of electric vehicles: one is Teslas and the other is everything else. If you ever met a Tesla owner, he would never stop talking about his EV and how he's saving the world, but that's a talk for another time. The car industry is trying to switch to electric vehicles and chargers. The UK government and the EU in general are planning to ban selling petrol and diesel cars by 2030, and currently there are more or less three and a half million electric vehicles in the world, and 28 percent (that's slightly out of date, 28 percent as of January 2022) of the cars sold were EVs.

And we are moving to the actual subject of the talk, which is the EV charger. It's a booming market, there's a lot of competition, there are smart devices with a rush to market. The common issues, anyone who has worked in a startup knows: rush to market means implementing stuff really badly. It will keep growing to millions of devices, because the plan says that it's going to be one or two chargers per household. Right now, from a market analysis, there are 18 startups in the field, in addition to the big players; pretty much every huge company like ABB, VW and anyone else is developing their own charger. And notice the "smart": there's Hyppönen's law that says whenever an appliance is described as smart, it's vulnerable, and we're going to see that it is. Most of the chargers that we looked at were one way or another vulnerable.

The EV charger categories are the home chargers, that are installed in our home; they are connected to the LAN networks and are usually slower, less power, usually 7 to 20 kilowatts of power. And the public chargers, which are installed on the public roadside; they're really fast and really high power, some go up to 400 kilowatts per hour. They're interconnected with a protocol named OCPI, we're going to see later what that means, and the accounts for them can work globally on all the chargers through OCPI roaming. The EV fleet in 2020 consumed over 80 terawatt-hours of electricity, that's one percent of the current electricity total, and the projection for 2030 is that it's going to be tenfold, 860 terawatt-hours, which is going to be 10 percent of the current electricity total. We're going to see how this is going to be used at the end of this presentation. The cloud-based attacks are what we're going to look at in here now.

We are not going to have that black magic which is called hardware hacking. If you are expecting hardware hacking from me, I'm going to disappoint you. There's a saying on API security: learn that authorization is not equal to authentication, or API resources are after you. So most of the things that we're going to see in here, they test that you were authenticated but never test that you were able, or that you should be allowed, to access that device. Generic API testing. All attacks in this talk, as I said, are remote; I didn't have to have any physical access. For most of the research I was based in Greece, the chargers were based somewhere in Buckinghamshire, I had someone press power on and that's all that I needed. They were either mobile or web based. Most of them are really, really low-hanging fruit; you're going to see on the following slides, and you're going to be surprised at how badly the APIs were implemented. All of them are logic flaws. You should not test for injection on any platform, because that's breaking the CMA, that's a crime. And the most unfortunate part is that if something is platform based, you're not getting a CVE. Unfortunately, you can control millions of devices but no CVE is going to be assigned to you.

What we're going to see: we're going to see APIs missing authentication, APIs checking for authentication and not authorization, we're going to see an API that let me upgrade myself to a super admin, and an API that leaked everything because I knew a static key, which was just in the compiled application. The fancier stuff is that we're going to see a charger that was using a third-party API that was not only connecting and controlling chargers but also bathtubs and a lot of other devices, into tens of millions.

API research 101. I have to warn you first: if I was on TikTok I would play the red alert, the red crime sound. Most of those issues, you have to be extra careful. You should never ever interact with a device that you don't own. If by mistake you end up being an admin, and yeah, you can be an admin by mistake, you have to notify the vendor immediately. On the following slides you're going to see some text which is red; this means the CMA in the UK was broken and we had to alert the vendor immediately. And, you know, don't do crime please, I'm not encouraging anyone to do crime in here.

Let's also set the goals of what we would say was successful research. The bare minimum was: control a device, start it, stop it and make it do things that you shouldn't. The PII leak is also a bare minimum, so we would want to see who owns a charger and where the charger is. The medium level goal is to flash a firmware; I'm not going to build the firmware, there are people who help me build the firmware, so you could either brick the device or pivot to the network. And the home run is getting platform admin on everything; unfortunately this was done more than once.

The first category, as we said, is the home-based chargers. I was planning to do a new charger, because that presentation was also done at BSides London, but unfortunately I disclosed in early January 2022, they responded in 50 days, they asked for more time, and as this is a platform admin, if I was disclosing it right now I would be bringing a zero-day and giving platform admin, I mean that would be really bad. It has two and a half thousand installations, they're US-based, and it's probably going to be disclosed, I hope, in April, but I cannot really know when it's going to be disclosed.

Then the other thing is the Russia incident. First of all, I have an alibi, I didn't do it. It was not a hack. I don't know if you saw, there are EV charging stations that were showing on their screens that Putin is something, I'm not going to say the word. It was not a hack, it was a Ukrainian company that did the back end; they had full ownage of the back end, so they disabled all the chargers on the M11 from Saint Petersburg to Moscow and EV vehicles couldn't charge, so they made that travel impossible.

Now on the actual hacks. The first one is Project EV / ATESS and Growatt, and a lot of other names. It had 2000 installations last year in the UK. The Growatt cloud had a lot of devices in their cloud, not only chargers: photovoltaic, also bathtubs, IoT and CS IoT, all of which could be owned. It was also approved by the Department for Transport, and Growatt and ATESS are China-based companies, and as anyone who has done research on Chinese IoT knows, they were quite slow in responding. As you can see in here, they were fully lacking authentication on any call. They just checked on the first call that you knew the username and password and then they didn't even check for the session, so you could just say that you are that charger and you could control that charger, full stop. They were consecutive numbers, so you could do anything for all the chargers. You could have full functionality, intended functionality, you could lock and unlock the device, you could firmware update it, there was no signature check, so you could have access to the internal network, you could backdoor it, pivot into the internal network, obviously you could take all the personally identifiable information, you could brick the device and you could take platform admin, which is in red, so it's a breach of the CMA. Now the disclosure went, as you would expect, as a train wreck. They didn't respond for weeks; they only responded when I had the BBC, the BBC itself, send the query. They eventually fixed it after a failed first attempt, in which they didn't fix anything, they just said that they fixed it and we tested. Their fix is a really strange fix: they have a stateless login, which means they check the login and then they don't check the session or anything, so they

somehow keep the session in your IP on the server. I didn't truly test it because I didn't want to find anything else. I would grade them really, really bad.

The second charger is EVBox. It's one of the biggest companies, they have close to 200,000 charging points throughout the world, they're based in Amsterdam, they are Department for Transport approved and they were acquired by ENGIE for an undisclosed amount of money. Their API was surprisingly good, but they had no obvious reasons... but I'm going to challenge you: can you see the issue in here? Because my machine learning actually found it. When you are PUTting something, you are also PUTting the roles, and then it says account admin and account owner. So if you change the account owner to admin, tenant admin, you can see on the right side that you had full platform admin for yourself. So you had total compromise of everything, that's with red. You could also control the server, you could control everything, so you were actually the tenant admin there. Obviously PII leak; you had all the admin functionality in the world, so you could delete, you could stop, you could create new chargers, you could do everything. The platform admin is CMA. So they responded in two hours, which is really refreshing, they fixed everything in 24 hours, they double-checked in 48 hours that everything was fixed. This was an excellent response. I can say that API flaws happen; I would give them the gold medal because they were really good in everything and they missed something. Yeah, we took platform admin, but things happen; as we saw in the keynote, it's how you handle them that makes you a good company or a bad, cyber-security-wise, company.

The third one is Wallbox. They have around 100,000 users, they are based in Barcelona, they are raising 300 million USD after they merged with an acquisition corp that I don't know, and they had a second-level IDOR. As you might have seen here, when you were adding a user to your charger, you were passing the ID; the first and the second are not IDs that I should own, so I could make me an admin on every charger. There were four different instances of this in the API. We could have total control over all chargers, we could lock and unlock, there was no way to firmware update with our own firmware, there was a PII leakage and we didn't take any platform admin, so we did the minimum of every one of all the others. They responded the next day, they fixed it in a couple of days. Unfortunately, when we were engaged, because we were doing a new check, we found something else quite similar, so they didn't fix the root cause, they fixed just the instance that was found. They wanted to engage so that we could provide them with services, but they wanted me to sign an NDA; I'm not doing that. So all in all, not great, not terrible; they tried, but okay.

The fourth one is the EO charger, or EO Hub. It was the first charger that was installed in the UK, they are based in London, they're Department for Transport approved; as you can see, the Department for Transport randomly approved pretty much anyone. It had a lot of teething problems. They have 15,000 users by my estimation. Now, it was just a Raspberry Pi: you could just take the SD card and take everything, there's no bootloader security. I had the recovery; we could recover the full source code, which is two Python scripts, hard-coded credentials everywhere, full documentation so that you didn't even have to understand what it's doing. They had everything in there, and you could do anything: you could decrypt everything, you could make a botnet, total control over the devices, you could mimic the server, the communication. I think they have ticked all the boxes. So they responded in a timely fashion, they worked hard on reworking everything, they changed from Python to Go, I think, or I don't remember the word, but their new and improved EO Mini is again a Raspberry Pi with just an SD card. So they tried, I can tell that they tried, but at least they failed again.

For Raspberry Pi in IoT: it's a valid prototyping device, not a good idea to put it in production. You can easily extract everything, it's easily rootable and there is no secure bootloader. You can see the three boxes that were Raspberry based: EO Mini, Wallbox and Hypervolt. All of them could be rooted, and some findings were as you saw in there.

The public chargers, we only have one, I only have one in there: it's ChargePoint. It's one of the three biggest charger networks in the world, they have around 120,000 points, which means close to half a million chargers. They went public in 2021, they're a huge company, and as you can see they had a publicly exposed, unauthenticated GraphQL endpoint that could get everything from every charger and control it, potentially leaking their full schema, no authentication, so you could get a lot of things. Now again, don't do crime. If I had pulled the schema, which as you can see in the next slide they said they would be okay with, I would have gotten about 20 gigabytes of data with everything, and I would have done a really big crime. Never ever interact with a device you don't own; if you mistakenly do it, notify the vendor immediately and try not to commit crimes. So, ChargePoint: they responded in an hour,

they fixed it on the same day, they had an excellent response. They acknowledged that there was an issue in there and they said that, yeah, even if you had pulled it, they would be happy not to go after you, but this is not something that you should assume is going to happen for every company. So they also get the gold medal.

Now the potential issues on the public chargers are on OCPI. The open charge point protocol is an application protocol for communicating; it's like roaming, they are also naming it roaming. So you create an account in ChargePoint and you can also use it on Chargeboard or another company that are all OCPI connected. This is in the UK and the US. The connection between providers and manufacturers means that if you find a vulnerability in one vendor, you have found a vulnerability everywhere. You could obviously PII leak everything, and much like the mobile network, it's called roaming. The issue through OCPI is that you could steal energy and have someone else pay for it, because obviously you could leak the PII; you could deny service to legitimate users, because you could close the charger while they're charging. But it gets way, way worse.

Now the even worse potential issues are based on a really good job that, I'm trying to pronounce his name, Willem Westerhof did in his master's thesis. There is an attack based on photovoltaic vulnerabilities that can potentially destabilize the power grid by manipulating photovoltaic installations. We are going to take a slightly different approach in here. The power grids are interconnected in Europe; I don't know how familiar you are with that, but when Greece has a huge energy demand they import power from Bulgaria, when Bulgaria has demand they import from Greece, so they're interconnected. And if you could, for a reason we're going to see later, demand a lot of power, you could bring down a lot of places, potentially a full country. So for the whole scenario, you should go to the link and read it; it has a lot of math that I cannot really understand, I'm not a math guy. Instead of limiting the PV power (but yeah, let's keep that with a star, because in another talk we're going to talk about the PV power and a lot of photovoltaic issues that are going to be announced later), instead of doing that, let's maximize the need for power. Keep in mind the 80 terawatt-hours and 800 terawatt-hours; think that 80 terawatt-hours is how much Belgium is consuming right now. So if you turned them on, off and on again, you would have a huge spike in the demand for power, like, as I said, Belgium having a new Belgium evolve from anywhere else, and bring down the whole power grid. The home chargers are usually used during the night, and for this to work you have to have a car on the charger, so you cannot tell the charger "now you need the power"; you have to have something connected to it so that it will request the power. I think that's all. Any questions?

Audience: Thanks very much for a great talk. On the API, how is it possible for you to find the public API endpoints of vendors?

Speaker: You mean the ChargePoint, the actual API that they connected to? You're talking about the ChargePoint issue or the home chargers? Because for all the home chargers I used the mobile applications. For ChargePoint, the mobile application was sending some log to that GraphQL, and then when I went and browsed the GraphQL I saw that every charger has a mobile app associated, and you have to download the... I've used the app, and that's, yes, how you export everything.

Audience: Thank you. Thanks very much for the talk. I wanted to ask, what's the best way for individuals at home with their own charging stations to protect themselves, cost-effectively?

Speaker: Well, first of all, you should isolate any IoT that you have and not connect it to your actual network; you should segment your network so that it cannot pivot, as you saw. Updating your firmware wouldn't touch this kind of vulnerabilities. Try to use devices that are from companies that seem to know how security works, so no no-name Chinese IoT. And I don't know if prayer works for you: pray that nobody sees you. But it's one of those things that will happen eventually, unfortunately, I think. Any other questions? Thank you.
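The two authorization flaws the talk walks through for EVBox (the roles field accepted on an account PUT) and Wallbox (adding a user to a charger whose ID the caller does not own) share one root cause: the API checks who you are but not what you may touch. The toy model below is an added example, not code from the talk or from any charger vendor; the accounts, chargers, IDs and the `tenant_admin` / `account_owner` role names are constructed for illustration, and each vulnerable handler is shown beside a hardened one.

```python
# Added example, not code from the talk or from any charger vendor: a toy model of
# the two authorization flaws the talk describes (role mass assignment on an account
# update, and adding a user to a charger the caller does not own). All data is constructed.
from dataclasses import dataclass, field
CLIENT_WRITABLE = {"email"}              # role is server-controlled, never from the client

@dataclass
class Account:
    id: int
    email: str
    role: str = "account_owner"          # or "tenant_admin" (platform admin)

@dataclass
class Charger:
    id: int
    owner_id: int
    users: set = field(default_factory=set)

def make_tenant():
    """Fresh constructed state: two owners, one tenant admin, one charger each."""
    accounts = {1: Account(1, "alice@example.test"), 2: Account(2, "bob@example.test"),
                9: Account(9, "admin@example.test", role="tenant_admin")}
    chargers = {100: Charger(100, owner_id=1), 200: Charger(200, owner_id=2)}
    return accounts, chargers

def _login(accounts, caller_id):
    if caller_id not in accounts:        # authentication only: proves who is calling
        raise PermissionError("not logged in")
    return accounts[caller_id]

def vulnerable_update_account(accounts, caller_id, account_id, body):
    """Copies every PUT key onto the account, so 'role': 'tenant_admin' promotes the caller."""
    _login(accounts, caller_id)
    acct = accounts[account_id]
    for key, value in body.items():
        setattr(acct, key, value)
    return acct.role

def hardened_update_account(accounts, caller_id, account_id, body):
    """Object-level check plus an allow-list of writable fields; unknown keys are rejected."""
    caller = _login(accounts, caller_id)
    if caller.id != account_id and caller.role != "tenant_admin":
        raise PermissionError("not your account")
    if extra := set(body) - CLIENT_WRITABLE:
        raise PermissionError(f"not client-writable: {sorted(extra)}")
    return vulnerable_update_account(accounts, caller_id, account_id, body)  # safe once checked

def vulnerable_add_charger_user(accounts, chargers, caller_id, charger_id, user_id):
    """Any authenticated caller may attach any user to any charger id it names."""
    _login(accounts, caller_id)
    chargers[charger_id].users.add(user_id)
    return sorted(chargers[charger_id].users)

def hardened_add_charger_user(accounts, chargers, caller_id, charger_id, user_id):
    """Charger must belong to the caller (or caller is tenant admin); missing ids get the same error."""
    caller = _login(accounts, caller_id)
    charger = chargers.get(charger_id)
    if charger is None or (charger.owner_id != caller.id and caller.role != "tenant_admin"):
        raise PermissionError("charger not owned by caller")
    charger.users.add(user_id)
    return sorted(charger.users)
```

The hardened handlers reuse the same copy loop as the vulnerable ones; the difference is entirely in the ownership check and the field allow-list that run before it, which is where a review of an "authenticated but not authorized" API should focus.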