EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE
UtiliNet Europe Cyber Security Workshop, Brussels, Belgium
17th May 2018
Dr. Christian Hille, Dr. Manuel Allhoff, P3 group
P3 GROUP PROFILE
With more than 3,800 engineers and consultants, we support customers all over the world
▪ P3 was founded in 1996 as a spin-off of the Fraunhofer Institute for Production Technology (IPT) at RWTH Aachen.
▪ P3 is a privately owned company with more than 3,800 consultants and experts in about 36 locations. 180 of them work in the field of electric mobility and a further 70 employees in the field of security.
▪ The majority of employees have a technical or scientific background.
▪ In 2017 the annual turnover of P3 was more than 360 million euros.
▪ The operational activity is carried out by sector-specific subsidiaries.
OVERVIEW: >3,800 ENGINEERS AND CONSULTANTS ACROSS THE GLOBE
BUSINESS AREAS: AUTOMOTIVE, AVIATION, COMMUNICATION, ENERGY
15th March 2018 Hacking Charging Stations – Dr. C. Hille (P3)
The market launch of electric mobility and the development of charging infrastructure come along with critical risks
MOTIVATION
Charging infrastructure is important
Charging infrastructure is vulnerable
(Chart: public charging points and, thereof, fast charging points for 2015, 2016 and 2020 (forecast); y-axis: amount of charging points [#].)
▪ In general, charging points are unmanned and partially located in remote areas
▪ Often physical protection can't be guaranteed
▪ Connection to a backend in which sensitive customer data is saved and processed
▪ More and more frequently, charging points are operated with intelligent charging concepts
▪ Charging station infrastructure (CIS) is open to potential attacks
Charging infrastructure is critical
▪ Thresholds for critical infrastructure, e.g. in Germany:
  ▪ Threshold value for critical infrastructure: 500,000 persons
  ▪ Threshold value for energy supply: 420 MW
▪ In the future, 420 fast charging parks with 1 MW each (e.g. bundled in one system) can be assessed as critical infrastructure
▪ Attacks on charging infrastructure have a direct impact on the energy supply and the traffic infrastructure
Implications
In the future, the significance and the number of public charging points will strongly increase
(Diagram: capacity/energy demand in charging infrastructure, share of e-mobility in total mobility, frequency.)
SECURITY OF CHARGING INFRASTRUCTURE
Approach for a security analysis of charging infrastructure
1. Preparation / Reconnaissance
2. Information procurement (especially via further interfaces, e.g. USB, RFID, …)
3. Valuation of information
4. Execution of attacks
5. Analysis and report
IDENTIFICATION OF POTENTIAL ATTACK VECTORS
1. Authentication, e.g.: lists of passwords
2. Authorization, e.g.: privilege escalation
3. Session testing, e.g.: session stealing
4. Input validation, e.g.: SQL injection
5. Encryption validation
6. Client-side testing, e.g.: cross-site scripting, JavaScript execution, etc.
APPROACH FOR THE SECURITY ANALYSIS
IMPLEMENTATION OF A SECURITY ANALYSIS FOR HTTP SERVICES (EXAMPLE)
Risk matrix (rows: likelihood; columns: risk level)

Likelihood    No impact   Minor   Major   Very Severe
High              0         5       3         1
Medium            1         7       2         0
Low               2         2       4         4
Very Low          4         6       3         8

* OCC protocol tests are also possible
1. Physical aspects regarding the charging station
  ▪ Hardware, e.g.: breaking of the case
2. Information technology aspects (TCP/IP) regarding the charging station
  ▪ HTTP
  ▪ Secure Shell (SSH)
  ▪ Other services incl. mobile network
3. Information technology aspects (TCP/IP) regarding the backend system
  ▪ HTTP
  ▪ Other services
Identification of potential attack vectors
SECURITY OF CHARGING INFRASTRUCTURE
(Diagram: actors and data flows in the charging ecosystem: OEM (hard-/software), mobility provider, user, electric vehicle (EV), charging station, charge point operator (CPO), distribution system operator (DSO), other customers, contract data. Legend: attack vector, data exchange, temporary data exchange, electricity, metering.)
Setting of the test environment
TEST-ENVIRONMENT
▪ Communication and Authentication Module: Network 1: mobile network; Network 2: 10.0.0.23
▪ Test client: Network 1: P3 WLAN network; Network 2: 10.0.0.100
▪ Network 2: 10.0.0.0 (local network between test client and module)
▪ Backend: reached via Network 1 and the Internet
ATTACK VECTORS
Attack vector: paths to breach the charging infrastructure
(Diagram: Electric Vehicle, Charging Station, Backend and Internet, with the attack vectors marked; the ones marked "discussed today" are covered in the following results.)
Reconnaissance reveals services that can be attacked
Available Services
RESULTS
▪ SSH (open 22/tcp)
▪ HTTP (open 80/tcp)
▪ HTTPS (open 443/tcp)
▪ SOAP (open 9080/tcp)
▪ Operating system determined as Linux 2.6.32 or 3.10
▪ The same services are available on the mobile network interface
▪ Hence, services can be attacked via the mobile network interface even without physical access
Example: SSH uses a weak key-exchange algorithm and is vulnerable to brute force
SSH Access
RESULTS (PORT 22 - SSH)
▪ SSH service used for maintenance (e.g. updates)
▪ Use of a weak key-exchange algorithm, namely diffie-hellman-group1-sha1
▪ This Diffie-Hellman group gives the (theoretical) possibility to derive the encryption key from the captured data traffic
▪ Brute force attack (systematic evaluation of all possible credentials, via the tools Hydra and Medusa)
▪ No protection against brute force, which is therefore efficient to perform
▪ With a known password schema: 10,000 possible combinations
▪ Brute force can be performed in parallel (e.g. 12 processes): approx. 8 minutes for 10,000 user/password combinations
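A defender's counterpart to the two SSH findings above, added here and not part of the P3 talk: a small audit of an sshd_config text that flags the SHA-1 key-exchange groups and the settings that leave password guessing unrestricted. The two configuration texts are constructed for the example; the keyword names and defaults are those of OpenSSH.

```python
import re
# Legacy OpenSSH key-exchange names (SHA-1 based; group1 is a 1024-bit group), as found above.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

def parse_sshd_config(text):
    """Map lowercase keyword -> value; sshd honours the first occurrence of a keyword."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() not in opts:
            opts[parts[0].lower()] = parts[1].strip()
    return opts

def audit_sshd_config(text):
    """Return a list of findings (empty list = nothing flagged)."""
    opts, findings = parse_sshd_config(text), []
    kex = opts.get("kexalgorithms")
    if kex is None:
        findings.append("KexAlgorithms not set: check that the version default excludes SHA-1 groups")
    elif not kex.startswith("-"):            # a leading '-' removes algorithms, '+'/'^' adds them
        offered = {k.strip().lower() for k in kex.lstrip("+^").split(",")}
        findings += [f"weak key exchange offered: {k}" for k in sorted(offered & WEAK_KEX)]
    if opts.get("passwordauthentication", "yes").lower() == "yes":   # OpenSSH default is yes
        findings.append("PasswordAuthentication yes: credential guessing possible, prefer keys")
    if int(opts.get("maxauthtries", "6")) > 3:                          # OpenSSH default is 6
        findings.append("MaxAuthTries > 3: many guesses allowed per connection")
    if opts.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: a well-known username is exposed to guessing")
    return findings

# Constructed config resembling the talk's finding: maintenance SSH offering group1-sha1.
STATION_CONFIG = """
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
PasswordAuthentication yes
PermitRootLogin yes
"""
# Constructed hardened counterpart.
HARDENED_CONFIG = """
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
PasswordAuthentication no
MaxAuthTries 3
PermitRootLogin no
"""
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a station image to get the same list for a real file; rate limiting of connections (e.g. at the firewall) is still needed on top, since MaxAuthTries only limits guesses per connection.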
Example: Encryption with a self-signed certificate and processing of login data
Web Service
RESULTS (PORT 80/443 - WEB SERVICE)
▪ Web service used for setting up the charging station
▪ Port 80 redirects to port 443 (self-signed certificate using SHA-1)
▪ Login to the web site takes place via a non-encrypted channel
▪ The password is hashed locally (on the client) with MD5 (an insecure hashing algorithm)
▪ A hashed password is only another representation of the password
▪ Reconstruction of the password with a man-in-the-middle (MitM) attack is possible
▪ Better: secure transmission of the password, which is hashed on the server (not on the client)
▪ User credentials are processed by JavaScript, which leads to the file /opt/TM/etc/lighttpd/ssl/webconftool/.passwd containing the credentials for the web site login
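To make the "hashed password is only another representation" point concrete, an added example (not code from the talk or the vendor): the vulnerable design accepts the client-side MD5 value as the credential, so a captured value can simply be replayed; the server-side design stores a salted, stretched hash and compares it in constant time. User name, password and record layout are constructed.

```python
import hashlib
import hmac
import os

# --- vulnerable design (as found): the browser hashes with MD5, the server compares stored MD5 ---
VULN_USERS = {"admin": hashlib.md5(b"charge2018").hexdigest()}   # constructed user/password

def vuln_login(username, md5_from_client):
    # Whatever value the client transmits is compared directly: the hash *is* the credential.
    return VULN_USERS.get(username) == md5_from_client

# --- hardened design: the password travels over TLS, the server salts and stretches it ---
def make_record(password, iterations=200_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

SAFE_USERS = {"admin": make_record("charge2018")}                  # constructed

def safe_login(username, password):
    rec = SAFE_USERS.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["digest"])           # constant-time comparison

def replay_demo():
    """Someone who captured the client's MD5 value on the wire replays it without ever learning
    the password. Returns (accepted by vulnerable design, accepted by hardened design)."""
    captured = hashlib.md5(b"charge2018").hexdigest()               # what the vulnerable client sent
    return vuln_login("admin", captured), safe_login("admin", captured)
```

The hardened variant only helps together with a properly validated TLS connection (not the self-signed SHA-1 certificate found here), since otherwise the password itself, rather than its hash, is what a MitM captures.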
Example: Login without knowledge of the user credentials is possible
Web Service Login Procedure
RESULTS (PORT 80/443 - WEB SERVICE)
▪ A "Session Storage" cookie, indicating that the user is logged in, is added locally by the browser
▪ A cookie is a text file saved locally on the computer (text is always changeable)
▪ "Local" implies that users can modify the entry
▪ The login procedure only evaluates whether the entry is present, not whether it is valid
▪ Therefore, a successful login is possible as follows:
  1. Attacker generates a "Session Storage" cookie
  2. Attacker adds an entry with the key "username" without a value
  3. Attacker calls the "success" function via the web browser (no real check)
▪ All users have the same rights in the system
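The difference between the presence check described above and a real session check, as an added example that is not part of the talk: the vulnerable function accepts any client storage that merely contains a "username" key, while the fixed function accepts only a token the server issued and signed, and that has not expired. The signing key, session store and user are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed; exists only on the server
ISSUED_SESSIONS = {}                    # session id -> (username, expiry timestamp)

def vuln_is_logged_in(client_storage):
    """The check the talk describes: only the presence of a 'username' key is tested."""
    return "username" in client_storage

def issue_session(username, ttl_seconds=900):
    """Server side, after a real credential check: create a session and sign its id."""
    sid = secrets.token_urlsafe(16)
    ISSUED_SESSIONS[sid] = (username, time.time() + ttl_seconds)
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"

def safe_is_logged_in(client_storage):
    """Accept only a token the server issued, with a valid signature and an unexpired session."""
    token = client_storage.get("session")
    if not isinstance(token, str) or "." not in token:
        return False
    sid, tag = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                                   # forged or tampered token
    entry = ISSUED_SESSIONS.get(sid)
    return entry is not None and entry[1] > time.time()

def forged_storage():
    """Storage anyone can create locally: key 'username' with no value (step 2 above)."""
    return {"username": ""}

def demo():
    """(vulnerable check on forged storage, safe check on forged storage, safe check on a real session)"""
    real = {"session": issue_session("admin")}
    return (vuln_is_logged_in(forged_storage()), safe_is_logged_in(forged_storage()),
            safe_is_logged_in(real))
```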
ATTACK VECTORS
Attack vector: paths to breach the charging infrastructure
(Diagram repeated: Electric Vehicle, Charging Station, Backend and Internet; the attack vector marked "discussed today" here is the one against the backend system, which the following results cover.)
Reconnaissance reveals services that can be attacked
Available Services
RESULTS
▪ Determining the operating system was not possible, most likely due to the firewall in use. However, a good assumption is available.

Service    Port   Brute force possible?
FTP        21
HTTP       80     ✓
HTTPS      443    NA
OpenVPN    1194   NA
SSH        2401   ✓
MySQL      3306   ✓
Example: Evaluation of a brute force approach to breach the system
Experiment
RESULTS
▪ Experiment to evaluate the running time of brute force attacks on various services (no real attack, just a check of feasibility)
▪ Identical list of 10,000 user and password combinations
▪ A single-threaded brute force attack needs
  ▪ about 13 minutes on the Apache Tomcat server,
  ▪ about 10 minutes on the MySQL service, and
  ▪ about 27 minutes on the SSH service.
▪ Therefore, for an attacker, it is only a matter of resources to breach the system's services.
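What the brute-force runs above (the charging station's SSH and the backend's Tomcat, MySQL and SSH services) look like from the defender's side, as an added example that is not from the talk: a sliding-window detector over sshd "Failed password" lines that flags any source exceeding a failure count within a time window. The log lines, host name, IPs and times are constructed; the detector generalises to any service log that yields a timestamp and a source address per failed attempt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard sshd "Failed password" message; hostnames, IPs and times in SAMPLE are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
WINDOW = 60        # seconds of history kept per source
MAX_FAILURES = 5   # failures inside WINDOW before a source is flagged

def parse_ts(ts, year=2018):
    """syslog timestamps carry no year; assume one (constructed) for the arithmetic."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()

def detect_bruteforce(lines):
    """Return {source_ip: timestamp string of the failure that triggered the alert}."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a failed-login line
        ip, t = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(t)
        while window and t - window[0] > WINDOW:
            window.popleft()               # drop failures older than the window
        if len(window) > MAX_FAILURES and ip not in alerts:
            alerts[ip] = m["ts"]
    return alerts

# Constructed sample: one source cycling usernames every 5 s (a wordlist run), one user mistyping once.
SAMPLE = [
    f"May 17 10:00:{5 * i:02d} station sshd[{1000 + i}]: Failed password for invalid user "
    f"user{i} from 10.0.0.100 port {40000 + i} ssh2"
    for i in range(8)
]
SAMPLE.append("May 17 10:03:00 station sshd[1200]: Failed password for admin from 10.0.0.23 port 51000 ssh2")
SAMPLE.append("May 17 10:03:05 station sshd[1201]: Accepted password for admin from 10.0.0.23 port 51000 ssh2")

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE))       # {'10.0.0.100': 'May 17 10:00:25'}
```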
Example: Brute force towards FTP and evaluating an available exploit
FTP
RESULTS (PORT 21 - FTP)
▪ A brute force attack on the password is not possible, because the FTP software cancels the connection after a few tries
▪ Common Vulnerabilities and Exposures (CVE): database of publicly known IT vulnerabilities, operated by the US Department of Homeland Security
▪ CVE-2015-3306 (score 10.0) for ProFTPD 1.3.5 (and older versions) found, but the exploit was not successful
Example: No encryption is used for the data transmission
Web Service
RESULTS (PORT 80 – WEB SERVICE)
▪ Web service used for maintaining and monitoring the charging station infrastructure
▪ It contains customer data and therefore deserves protection
▪ Unencrypted data transmission
▪ The server generates cookies for each user
  ▪ Username equals "LOGIN"
  ▪ Password is hashed by MD5 and equals "PWD"
▪ Thereby, login becomes possible by
  ▪ reading credentials from the data traffic, or
  ▪ "stealing" proper cookies.
Example: SQL injection using sqlmap is possible
Web Service
RESULTS (PORT 80 – WEB SERVICE)
▪ The login page (index.php) and further web pages running in the background are vulnerable to SQL injection
▪ SQL injection: a request to the database that takes advantage of security vulnerabilities to cause unexpected behaviour
▪ Thereby, reading of databases, which contain e.g. customer information, becomes possible
▪ However, writing to databases is not possible (no INSERT/UPDATE SQL statement can be placed within a SELECT SQL statement)
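The injection and the read-only limitation described above, as an added example that is not code from the talk or the backend: the lookup that concatenates user input into the SQL text beside the parameterised one, run against an in-memory SQLite stand-in for the customer table (the real backend runs MySQL behind index.php; SQLite is used here so it runs offline). The table rows and payloads are constructed; `write_demo` shows why appending an UPDATE to the injected SELECT fails when the driver executes one statement per call.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the backend's customer table; rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (login TEXT, pwd_md5 TEXT, contract TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        ("alice", "0cc175b9c0f1b6a831c399e269772661", "C-1001"),
        ("bob", "92eb5ffee6ae2fec3ad71c777531578f", "C-1002"),
    ])
    return db

def vuln_lookup(db, login):
    """User input concatenated into the SQL text: a crafted value rewrites the query's logic."""
    sql = f"SELECT login, contract FROM customers WHERE login = '{login}'"
    return db.execute(sql).fetchall()

def safe_lookup(db, login):
    """Bound parameter: the input is always a value, never part of the SQL."""
    return db.execute("SELECT login, contract FROM customers WHERE login = ?", (login,)).fetchall()

def read_demo():
    """Rows returned for a tautology payload: (vulnerable query, parameterised query)."""
    db = make_db()
    payload = "x' OR '1'='1"            # the kind of input sqlmap tries automatically
    return len(vuln_lookup(db, payload)), len(safe_lookup(db, payload))

def _changed(db):
    return db.execute("SELECT count(*) FROM customers WHERE contract = 'C-0000'").fetchone()[0]

def write_demo():
    """Why the talk could read but not write: the driver runs one statement per execute(),
    so an UPDATE appended to the SELECT is rejected before anything runs."""
    db = make_db()
    try:
        vuln_lookup(db, "x'; UPDATE customers SET contract = 'C-0000' WHERE '1' = '1")
    except (sqlite3.Warning, sqlite3.ProgrammingError):   # "You can only execute one statement at a time."
        return "rejected", _changed(db)
    return "executed", _changed(db)
```

The read path is the one to fix: the parameterised query closes it, and the single-statement behaviour of the driver is not a safeguard to rely on, since a UNION inside the same SELECT still reads other tables.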
Various attack vectors have been evaluated and vulnerabilities with serious impacts have been revealed
Summary
SUMMARY
▪ Charging station infrastructure is becoming more and more important in the near future.
▪ In this talk, three possible attack vectors against the charging station infrastructure have been evaluated (more vectors are possible).
▪ Vulnerabilities (brute force, CVEs, SQL injection, unencrypted communication channels, …) were identified for all services.
▪ IT security principles should be considered from the beginning of the system's development to reduce the likelihood and the impact of a breach!
THANKS FOR YOUR ATTENTION!
Dr. Christian Hille, Managing Director
[email protected], +49 (0)151 27654612