科技回声 (Tech Echo): a tech news platform built on Next.js that mirrors Hacker News stories and discussions.

Reverse Engineering an EV Charger

82 points, posted by hoppla over 2 years ago

10 comments

cesarb, over 2 years ago

> All in all, we didn't find any critical security issues during our investigation.

> [...] we did find what appears to be Zaptec's means of remotely debugging their devices. The first is a function called RunRemoteCommand. This passes the contents of a message received from the cloud directly to Process.Start. [...] A second interesting function called StartRemoteTunnel appears to allow Zaptec to create a reverse shell back to an SSH listener on the internet. [...]

I don't know if things have changed, but back in the day this sort of thing would be called a "backdoor". Yeah, only the manufacturer can use it, for now, but that lasts only until the manufacturer gets compromised, and either the relevant keys get leaked, or the manufacturer systems themselves get used as a jumping point.
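The pattern quoted above (a cloud message handed straight to a process launcher) beside what a remote-maintenance channel should look like if it must exist at all. This is an added illustration in Python, not Zaptec's code and not a claim about their message format, key handling or command set; the per-device key, the allowlist entries and the envelope layout are all constructed for the example. The unsafe variant returns the command line instead of executing it so the block is safe to run.

```python
"""Cloud-to-device remote command handling: the quoted pattern next to an
authenticated, replay-protected, allowlisted dispatcher. Added illustration;
not from any vendor's firmware."""
import hashlib
import hmac
import json

# Constructed per-device secret. A real device would have a unique key per unit,
# provisioned at manufacture and held in hardware-backed storage where possible.
DEVICE_KEY = b"constructed-per-device-key-not-real"

# Hypothetical allowlist: command name -> fixed argv. The cloud can only choose
# which entry runs; it never supplies a program name or shell syntax.
ALLOWED_COMMANDS = {
    "collect-logs": ["/usr/bin/journalctl", "--no-pager", "-n", "200"],
    "restart-charging-service": ["/bin/systemctl", "restart", "charging.service"],
}


def run_remote_command_unsafe(message: str) -> str:
    """The quoted pattern: whatever arrives from the cloud becomes the command
    line. Returned rather than executed here; the real thing would pass it to
    a process launcher, so 'ls; rm -rf /' is a valid message."""
    return message


class RemoteCommandDispatcher:
    """Hardened variant: verify a MAC over the body, reject replays with a
    monotonic counter, then map the command name to a fixed argv."""

    def __init__(self, key: bytes, allowed: dict[str, list[str]]):
        self._key = key
        self._allowed = allowed
        self._last_counter = 0  # a real device persists this across reboots

    def _expected_mac(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def resolve(self, envelope: str) -> list[str]:
        """Return the argv to run with shell=False, or raise ValueError."""
        try:
            outer = json.loads(envelope)
            body_bytes = outer["body"].encode()
            mac = bytes.fromhex(outer["mac"])
        except (ValueError, KeyError, TypeError, AttributeError) as exc:
            raise ValueError("malformed envelope") from exc
        # Authenticate before touching any state or parsing the body further.
        if not hmac.compare_digest(mac, self._expected_mac(body_bytes)):
            raise ValueError("bad MAC")
        body = json.loads(body_bytes)
        if not isinstance(body, dict):
            raise ValueError("body must be an object")
        counter = body.get("counter")
        if not isinstance(counter, int) or counter <= self._last_counter:
            raise ValueError("replayed or out-of-order message")
        name = body.get("command")
        if name not in self._allowed:
            raise ValueError(f"command not allowed: {name!r}")
        self._last_counter = counter
        return list(self._allowed[name])


def make_envelope(key: bytes, command: str, counter: int) -> str:
    """Cloud side of the constructed protocol: sign a command body."""
    body = json.dumps({"command": command, "counter": counter}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac})
```

The point of the allowlist is that a compromised cloud account, or leaked transport credentials, still cannot turn the channel into arbitrary code execution: the worst an attacker can do is trigger one of the pre-approved actions, and the counter stops captured messages from being replayed. An attacker who obtains the per-device key has won that device, so the key must not be shared across the fleet.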
londons_explore, over 2 years ago

Every time I see a 'charger' like this I'm disappointed.

This isn't a charger. It is a fancy electrical junction box. The voltage into the box and the voltage out is the same. The only function of the box is to switch the power on and off. And the car already has a switch in it to switch stuff on and off anyway. So this box of expensive electronics is entirely redundant.

And they don't even provide much power - typically 32 Amps at 230 volts. I.e. about the same as a caravan hookup. But a caravan hookup doesn't need to run Linux...
Comment #33574292 not loaded
Comment #33573606 not loaded
Comment #33574962 not loaded
Comment #33573941 not loaded
Comment #33573593 not loaded
rhn_mk1, over 2 years ago

"All in all, we didn't find any critical security issues during our investigation. Though there is probably room for improvement in a few areas. For example, we would have had a much harder time getting root access"

This always gets me: "secure" meaning "the manufacturer remains the owner even after selling the device".

What does getting root access have to do with security? Does the threat model include the buyer of the device? If the box is physically opened by a random person, the damage has already been done - they can mess with the electrical installation already. What's the benefit of hiding the software in that situation?

Exercise your rights as the owner and ask for the sources instead. Linux is covered by the GPL.
zbrozek, over 2 years ago

I'd really like to learn more about analyzing images dumped from nonvolatile memory, something which this write-up glosses over. Any resources folks would recommend?
Comment #33574781 not loaded
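One of the first passes an analyst runs on a raw dump from flash is an entropy map: it separates erased space, plain code and filesystems, and compressed or encrypted regions before any carving or filesystem mounting is attempted (the same idea as binwalk's -E mode). This is an added example in Python 3.9+, not part of the write-up above; the "dump" it analyses is constructed inline so the block runs offline, and the block size and thresholds are assumptions to tune against the real part's geometry.

```python
"""Sliding-window Shannon entropy over a raw flash image, with adjacent
blocks merged into labelled regions. Added example; the image is constructed."""
import math
import random
from collections import Counter

BLOCK = 4096  # assumed window; a multiple of the device's page size works best


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(entropy: float) -> str:
    """Assumed thresholds; compressed and encrypted data are not separable
    by entropy alone, so a high-entropy region needs a magic/header check."""
    if entropy < 0.5:
        return "erased/padding"        # 0xFF or 0x00 fill, unused flash
    if entropy < 7.5:
        return "code/filesystem"       # text, ELF, uncompressed filesystem
    return "compressed/encrypted"      # gzip/xz/LZMA images, or real crypto


def entropy_map(image: bytes, block: int = BLOCK) -> list[tuple[int, float, str]]:
    """(offset, entropy, label) for every block of the image."""
    out = []
    for off in range(0, len(image), block):
        e = shannon_entropy(image[off:off + block])
        out.append((off, round(e, 3), classify(e)))
    return out


def regions(image: bytes, block: int = BLOCK) -> list[tuple[int, int, str]]:
    """Merge runs of equally labelled blocks into (start, end, label)."""
    merged: list[tuple[int, int, str]] = []
    for off, _, label in entropy_map(image, block):
        if merged and merged[-1][2] == label:
            merged[-1] = (merged[-1][0], off + block, label)
        else:
            merged.append((off, off + block, label))
    return merged


def constructed_dump() -> bytes:
    """Constructed stand-in for a flash dump: erased space, a text-like
    region, a high-entropy region, then erased space again. Not real data."""
    rng = random.Random(0xEC)  # seeded so the example is reproducible
    erased = b"\xff" * (2 * BLOCK)
    text = (b"Linux version 4.9.0 (build@host) #1 SMP\n"
            b"root:x:0:0:root:/root:/bin/sh\n" * 200)[: 3 * BLOCK]
    encrypted = rng.randbytes(4 * BLOCK)
    return erased + text + encrypted + erased


if __name__ == "__main__":
    for start, end, label in regions(constructed_dump()):
        print(f"0x{start:08x}-0x{end:08x}  {label}")
```

On a real image, read the file and pass it to regions(); the offsets it reports are where to point a carving tool or a filesystem parser. A high-entropy region that begins with a known compression magic is a compressed image, one with no recognisable header at all is a candidate for encryption, and a filesystem such as JFFS2 or UBIFS that compresses its own nodes will show up as a mix of mid and high entropy rather than a clean boundary.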
rlkf, over 2 years ago

Not having the bootloader signed is a feature: If the company goes bust, the customers can change the firmware and still use their chargers.

Having it signed would provide no value for residential customers, where the chargers ostensibly would be physically secured, and should in that case actually be considered an anti-feature.

It seems to me they just included that "recommendation" because they couldn't find anything else to write.
perlgeek, over 2 years ago

I'd be quite interested in the billing part.

Such a charger needs to be presented some kind of authorization, but the amount of energy transferred (and thus the amount charged) is only determined later.

Is the logic for that server-side, or is it triggered from within the charger? If the latter, could you avoid being charged by power-cycling the computer inside the charger before finishing the charge?

Probably the safer option would be for the charger to send a message like "for authorization XYZ, I've, until now, supplied 5.003kWh" every 5 seconds, then a server-side stream processor can detect the end of the charge and initiate billing.
Comment #33626775 not loaded
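The server-side stream processor sketched in the comment above, as an added example that is not from the write-up or from any charging vendor. The charger reports its cumulative reading per authorization every few seconds; the server owns the session state, closes a session when the reports stop (which is exactly what a power-cycle looks like from the server), and bills the last value it saw. The message fields, the idle timeout and the handling of a counter that restarts after a reboot are assumptions of this example.

```python
"""Server-side metering stream processor: periodic cumulative readings in,
billed sessions out. Added example; message format and timeouts are assumed."""
from dataclasses import dataclass, field

IDLE_TIMEOUT_S = 30.0   # assumed: about six missed 5-second reports ends a session


@dataclass
class Session:
    auth_id: str
    last_reading: float    # the charger's most recent cumulative reading
    last_seen: float       # timestamp of that report
    base: float = 0.0      # energy accumulated before any counter reset
    anomalies: list[str] = field(default_factory=list)

    @property
    def total_kwh(self) -> float:
        return round(self.base + self.last_reading, 6)


class MeteringProcessor:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_S):
        self.idle_timeout = idle_timeout
        self.open: dict[str, Session] = {}
        self.billed: list[tuple[str, float]] = []   # (auth_id, kWh billed)

    def report(self, auth_id: str, kwh: float, ts: float) -> None:
        """Ingest 'for authorization auth_id I have supplied kwh so far'."""
        s = self.open.get(auth_id)
        if s is None:
            self.open[auth_id] = Session(auth_id, kwh, ts)
            return
        if ts < s.last_seen:
            s.anomalies.append(f"out-of-order report at {ts}")
            return
        if kwh < s.last_reading:
            # A reboot mid-charge restarts the charger's counter. Treat the new
            # readings as a continuation: carry the old high-water mark forward
            # so the bill never goes down. Energy delivered while the charger
            # was down is not metered by anyone and is simply lost.
            s.base += s.last_reading
            s.anomalies.append(f"counter reset: {s.last_reading} -> {kwh}")
        s.last_reading = kwh
        s.last_seen = ts

    def tick(self, now: float) -> list[tuple[str, float]]:
        """Close and bill every session that has gone quiet; return them."""
        closed = []
        for auth_id, s in list(self.open.items()):
            if now - s.last_seen >= self.idle_timeout:
                closed.append((auth_id, s.total_kwh))
                del self.open[auth_id]
        self.billed.extend(closed)
        return closed
```

Because the server never waits for an explicit "charge finished" message, pulling the plug or power-cycling the charger changes nothing about what gets billed: the last report already carries the energy delivered up to then, and the only unbilled energy is whatever flowed during the final reporting interval. An attacker who can forge reports is a different problem, which is what the per-device authentication of the link is for.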
mihaigalos, over 2 years ago

This is some serious reverse-engineering. Nice work!
throwawaaarrgh, over 2 years ago

Chargers use an open protocol called OCPP. There are several versions, and the older ones use XML and I would guess are likely targets for various attacks. The later ones with JSON are probably also vulnerable but with a smaller number of attacks.

There are many different implementations, and different charging vendors tend to have varying degrees of functionality, so I would expect a pretty wide assortment of vulnerable chargers (and backend servers). A lot of them also seem to only communicate via static IPs.
noipv4, over 2 years ago

It's a high-voltage connector; the battery charger resides in the car.
pstrateman, over 2 years ago

Interesting that they didn't try to brute force the shadow file.
Comment #33577325 not loaded