EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

UtiliNet Europe Cyber Security Workshop, Brussels, Belgium, 17th May 2018

Dr. Christian Hille, Dr. Manuel Allhoff, P3 group


P3 GROUP PROFILE

With more than 3,800 engineers & consultants, we support customers all over the world

▪ P3 was founded in 1996 as a spin-off of the Fraunhofer Institute for Production Technology (IPT) at the RWTH Aachen.

▪ P3 is a privately owned company with more than 3,800 consultants and experts in about 36 locations. 180 of them are working in the field of electric mobility and a further 70 employees in the field of security.

▪ The majority of employees have a technical or scientific background.

▪ In 2017 the annual turnover of P3 was more than 360 million euros.

▪ The operational activity is done by sector specific subsidiaries.

OVERVIEW >3,800 ENGINEERS AND CONSULTANTS ACROSS THE GLOBE

BUSINESS AREAS

15th March 2018

AUTOMOTIVE, AVIATION, COMMUNICATION, ENERGY

Hacking Charging Stations – Dr. C. Hille (P3)


The market launch of electric mobility and the development of charging infrastructure come along with critical risks

MOTIVATION

Charging infrastructure is important

[Bar chart: amount of charging points [#] for 2015, 2016 and 2020 (forecast); series: public charging points and, therefrom, fast charging points. Data labels: 5,800 / 7,400 / 36,000 and 150 / 290 / 7,000.]

Charging infrastructure is vulnerable

▪ In general, charging points are unmanned and partially located in remote areas

▪ Often physical protection can't be guaranteed

▪ Connection to a backend in which sensitive customer data is saved and processed

▪ More and more frequently, charging points are used with the help of intelligent charging concepts

▪ Charging station infrastructure (CIS) is open to potential attacks

Charging infrastructure is critical

▪ Thresholds for critical infrastructure, e.g. in Germany:

▪ Threshold value for critical infrastructure: 500,000 persons

▪ Threshold value of energy supply: 420 MW

▪ In the future, 420 fast charging parks with 1 MW each (e.g. bundled in one system) can be assessed as critical infrastructure

▪ Attacks on charging infrastructure have a direct impact on energy supply and traffic infrastructure

Implications

In the future, the importance and number of public charging points will strongly increase

Capacity/energy demand in charging infrastructure

Share of E-Mobility of the total mobility

Frequency


SECURITY OF CHARGING INFRASTRUCTURE

Approach for a security analysis of charging infrastructure

APPROACH FOR THE SECURITY ANALYSIS

1. Preparation / Reconnaissance

2. Information procurement (especially via further interfaces, e.g. USB, RFID, …)

3. Valuation of information

4. Execution of attacks

5. Analysis and report

IDENTIFICATION OF POTENTIAL ATTACK VECTORS

1. Physical aspects regarding the charging station

▪ Hardware, e.g.: breaking of the case

2. Information technology aspects (TCP/IP) regarding the charging station

▪ HTTP

▪ Secure Shell (SSH)

▪ Other services incl. mobile network

3. Information technology aspects (TCP/IP) regarding the backend system

▪ HTTP

▪ Other services

IMPLEMENTATION OF A SECURITY ANALYSIS FOR HTTP-SERVICES (EXAMPLE)

1. Authentication, e.g.: lists of passwords

2. Authorization, e.g.: privilege escalation

3. Session testing, e.g.: session stealing

4. Input validation, e.g.: SQL injection

5. Encryption validation

6. Client side testing, e.g.: Cross Site Scripting, JavaScript execution, etc.

Risk Level

Likelihood   No impact   Minor   Major   Very Severe
High         0           5       3       1
Medium       1           7       2       0
Low          2           2       4       4
Very Low     4           6       3       8

* OCC protocol tests are also possible


Identification of potential attack vectors

SECURITY OF CHARGING INFRASTRUCTURE

[Diagram: actors in the charging ecosystem: OEM (hardware/software), mobility provider, user, electric vehicle (EV), charging station, chargepoint operator (CPO), distribution system operator (DSO), other customers. Legend and labels: attack vector, data exchange, temporary data exchange, electricity, metering, contract data.]


Setting of the Test-Environment

TEST-ENVIRONMENT

[Network diagram]

▪ Communication and Authentication Module: Network 1: mobile network; Network 2: 10.0.0.23

▪ Test client: Network 1: P3 WLAN network; Network 2: 10.0.0.100

▪ Network 2: 10.0.0.0

▪ Also shown: Backend, Internet


Attack vector: paths to breach the charging infrastructure

ATTACK VECTORS

[Diagram: Electric Vehicle, Charging Station, Backend and Internet, with attack vectors marked]


Reconnaissance reveals services that can be attacked

Available Services

RESULTS

▪ SSH (open 22/tcp)

▪ HTTP (open 80/tcp)

▪ HTTPS (open 443/tcp)

▪ SOAP (open 9080/tcp)

▪ Operating system determined: Linux 2.6.32 or 3.10

▪ The same services are available on the mobile network interface

▪ Hence, services can be attacked via the mobile network interface even without physical access


Example: SSH uses a weak key-exchange algorithm and is vulnerable to brute force

SSH Access

RESULTS (PORT 22 - SSH)

▪ SSH service used for maintenance (e.g. updates)

▪ Use of a weak key-exchange algorithm, that is, Diffie-Hellman-Group1-SHA1

▪ This Diffie-Hellman key exchange gives the (theoretical) possibility of deriving the encryption key from the data traffic

▪ Brute force attack (systematic evaluation of all possible credentials, via the tools Hydra and Medusa)

▪ No protection against brute force, which is efficient to perform

▪ With known password schema: 10000 possible combinations

▪ Brute force can be performed in parallel (e.g. 12 processes): approx. 8 minutes for 10000 user/password combinations
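
A defender-side check for the two SSH findings above, as an added example (not part of the original slides or of the tested product): it audits effective sshd settings for SHA-1 based key exchange and for settings that make password guessing cheap. The sample configuration is constructed and the `max_tries` policy value is an assumption.

```python
# Added example: audits effective sshd settings for the findings on this slide.
# SAMPLE_SSHD_T is constructed; on a real host, pass in the output of `sshd -T`.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
passwordauthentication yes
maxauthtries 6
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1
"""

# SHA-1 based key-exchange methods; group1 also relies on a 1024-bit group.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}


def parse_sshd_config(text):
    """Turn `keyword value` lines into a dict keyed by lowercase keyword."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        settings[keyword.lower()] = value.strip()
    return settings


def audit(settings, max_tries=3):
    """Return findings as strings; max_tries is an assumed local policy value."""
    findings = []
    for kex in settings.get("kexalgorithms", "").split(","):
        if kex in WEAK_KEX:
            findings.append(f"weak key exchange offered: {kex}")
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("password login enabled: exposed to credential guessing")
    if int(settings.get("maxauthtries", "6")) > max_tries:
        findings.append(f"maxauthtries is above {max_tries}")
    if settings.get("permitrootlogin") == "yes":
        findings.append("root may log in with a password")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sshd_config(SAMPLE_SSHD_T)):
        print("FINDING:", finding)
```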


Example: Encryption with self signed certificate and processing of login data

Web Service

RESULTS (PORT 80/443 - WEB SERVICE)

▪ Web Service used for setting up Charging Station

▪ Port 80 is redirected to port 443 (self-signed certificate using SHA-1)

▪ Login process of the web site runs via a non-encrypted channel

▪ Password gets locally hashed via MD5 (insecure hashing algorithm)

▪ A hashed password is only another representation of the password

▪ Reconstruction of the password with Man-in-the-Middle (MitM) is possible

▪ Better: transmit the password over a secure channel and hash it on the server (not on the client)

▪ User credentials are processed by JavaScript, which leads to the file /opt/TM/etc/lighttpd/ssl/webconftool/.passwd, which contains the credentials for the web site login


Example: Login without knowledge of the user credential is possible

Web Service Login Procedure

RESULTS (PORT 80/443 - WEB SERVICE)

▪ “Session Storage” cookie, indicating that user is logged in, is added locally by the browser

▪ Cookie is a text file locally saved on the computer (text is always changeable)

▪ “Local” implies that users can modify the entry

▪ Login procedure only evaluates whether entry is available, not if it is valid

▪ Therefore, successful login possible as follows:

1. Attacker generates “Session Storage” cookie

2. Attacker adds entry with key “username” without value

3. Attacker calls “success” function via the web browser (no real check)

▪ All users have the same rights in the system
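
The corrective for the presence-only check described above, as an added example (not code from the slides or the tested product): the server issues an HMAC-signed, expiring token only after it has verified the password itself, and validates that token on every request. The token layout, `SERVER_KEY` and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # stays on the server, never sent to the browser


def presence_only_check(client_storage):
    """The flaw described above: any entry named 'username' counts as logged in."""
    return "username" in client_storage


def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(username, ttl=900, now=None):
    """Called only after the server itself has verified the password."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{username}|{expires}"
    return f"{payload}|{_tag(payload)}"


def verify_token(token, now=None):
    """Return the username for a valid, unexpired token, otherwise None."""
    try:
        username, expires, tag = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return None                      # missing, empty or malformed entry
    expected = _tag(f"{username}|{expires}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                      # not issued by this server, or altered
    if (time.time() if now is None else now) >= expires:
        return None                      # expired
    return username or None


if __name__ == "__main__":
    forged = {"username": ""}            # the locally created entry from the slide
    print("presence-only check accepts:", presence_only_check(forged))
    print("server-side check accepts:  ", verify_token(forged["username"]) is not None)
```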


Attack vector: paths to breach the charging infrastructure

ATTACK VECTORS

[Diagram: Electric Vehicle, Charging Station, Backend and Internet, with attack vectors marked; annotation: “discussed today”]


Reconnaissance reveals services that can be attacked

Available Services

RESULTS

▪ Determining the operating system was not possible, most likely due to the firewall in use. However, a good assumption is available.

Service   Port   Brute force possible?
FTP       21
HTTP      80     ✓
HTTPS     443    NA
OpenVPN   1194   NA
SSH       2401   ✓
MySQL     3306   ✓


Example: Evaluation of a brute force approach to breach the system

Experiment

RESULTS

▪ Experiment to evaluate the running time for brute force attacks on various services (no real attack, just a check for possibility)

▪ Identical list of 10,000 user and password combinations

▪ A single-threaded brute force attack needs

▪ about 13 minutes on the Apache Tomcat server,

▪ about 10 minutes on the MySQL services, and

▪ about 27 minutes on the SSH services.

▪ Therefore, for an attacker, it is only a matter of resources to breach the system’s services.
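
Runs of this kind are loud on the server side. The following added example (not part of the original slides) shows a sliding-window detector over OpenSSH-style authentication log lines that flags a source once it accumulates too many rejected passwords. The log lines are constructed, and the threshold of 10 failures within 60 seconds is an assumed policy.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog line for a rejected password (valid or invalid user name).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def sample_log():
    """Constructed log: one source guessing every 2 s, one user mistyping twice."""
    lines = [
        f"Mar 15 10:00:{2 * i:02d} cs01 sshd[811]: Failed password for "
        f"invalid user u{i} from 198.51.100.7 port {40000 + i} ssh2"
        for i in range(12)
    ]
    lines += [
        "Mar 15 10:05:00 cs01 sshd[812]: Failed password for tech from 192.0.2.10 port 51000 ssh2",
        "Mar 15 10:09:30 cs01 sshd[812]: Failed password for tech from 192.0.2.10 port 51001 ssh2",
        "Mar 15 10:09:41 cs01 sshd[812]: Accepted password for tech from 192.0.2.10 port 51002 ssh2",
    ]
    return lines


def detect_bruteforce(lines, threshold=10, window_s=60, year=2018):
    """Map source IP -> time it first reached `threshold` failures in the window."""
    recent = defaultdict(deque)   # per-source timestamps inside the sliding window
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumed).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(sample_log()).items():
        print(f"ALERT {ip}: 10 failed logins within 60 s at {when}")
```

An alert like this is the trigger for temporary blocking or account lockout, the kind of cancellation after a few tries that the FTP service in this test applied.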


Example: Brute force towards FTP and evaluating an available exploit

FTP

RESULTS (PORT 21- FTP)

▪ Brute force attack on the password is not possible, due to cancellation after a few tries by the FTP software

▪ Common Vulnerabilities and Exposures (CVE): database of publicly known IT vulnerabilities, operated by the US Department of Homeland Security

▪ CVE-2015-3306 (score 10.0) for ProFTPD 1.3.5 (and older versions) found, but the exploit was not successful


Example: No encryption is used for the data transmission

Web Service

RESULTS (PORT 80 – WEB SERVICE)

▪ Web Service used for maintaining and monitoring the Charging Station infrastructure

▪ It contains customer data, therefore it deserves protection

▪ Unencrypted data transmission

▪ Server generates cookies for each user

▪ Username equals “LOGIN”

▪ Password is hashed by MD5 and equals “PWD”

▪ Thereby, login becomes possible by

▪ Reading credentials from data traffic, or

▪ “Stealing” proper cookies.
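
Why an MD5 hash that travels in place of the password protects nothing, which applies both to the cookie scheme above and to the locally hashed login of the charging station's web service earlier in the deck. This is an added example, not code from the slides or the tested systems: a server that compares the received hash treats the hash as the credential, while a server that receives the password over TLS and verifies it against a salted scrypt digest does not. Function names and the sample password are assumptions.

```python
import hashlib
import hmac
import os


# --- Scheme described on the page: the client sends MD5(password) --------------
def legacy_enroll(password):
    return hashlib.md5(password.encode()).hexdigest()        # stored server-side


def legacy_login(stored_md5, value_from_client):
    # The server only ever sees the hash, so the hash itself is the credential.
    return hmac.compare_digest(stored_md5.encode(), value_from_client.encode())


# --- Server-side alternative: salted scrypt, password sent over TLS only -------
def enroll(password):
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def login(record, password):
    salt, digest = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(digest, candidate)


def demo():
    password = "constructed-sample-password"
    stored = legacy_enroll(password)
    observed = hashlib.md5(password.encode()).hexdigest()    # value seen on the wire
    record = enroll(password)
    return {
        "legacy_accepts_observed_hash": legacy_login(stored, observed),
        "scrypt_accepts_password": login(record, password),
        "scrypt_accepts_observed_hash": login(record, observed),
        "scrypt_accepts_stored_digest": login(record, record[1].hex()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Server-side hashing only helps when the channel is encrypted and the session cookie is a random server-issued value rather than a credential.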


Example: SQL Injection by SQLmap is possible

Web Service

RESULTS (PORT 80 – WEB SERVICE)

▪ Login page (index.php) and further websites running in the background are vulnerable to SQL injections

▪ SQL injection: request to database which takes advantage of security vulnerabilities to cause unexpected behavior

▪ Thereby: reading of databases, which contain e.g. customer information, becomes possible

▪ However: writing to databases is not possible (no INSERT/UPDATE SQL statement within a SELECT SQL statement)
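
The root cause and its fix for a login lookup, as an added example (not code from the slides or from the tested index.php): the same query is built once by string concatenation and once with a bound parameter. It uses Python's sqlite3 so it runs stand-alone; table, column and function names and all rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory data; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(login TEXT PRIMARY KEY, pwd_hash TEXT);
        INSERT INTO users VALUES ('operator', 'constructed-hash-1');
        INSERT INTO users VALUES ('service',  'constructed-hash-2');
    """)
    return db


def lookup_vulnerable(db, login):
    # The input is spliced into the statement and can change its structure.
    sql = f"SELECT login FROM users WHERE login = '{login}' ORDER BY login"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, login):
    # The input is bound as a value and is only ever compared as a string.
    sql = "SELECT login FROM users WHERE login = ? ORDER BY login"
    return db.execute(sql, (login,)).fetchall()


def regression_check():
    """Run a quote-bearing input through both variants and report row counts."""
    db = make_db()
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(db, crafted)),
        "parameterized_rows": len(lookup_parameterized(db, crafted)),
        "legitimate_rows": len(lookup_parameterized(db, "operator")),
    }


if __name__ == "__main__":
    print(regression_check())
```

A check like `regression_check` belongs in the test suite of every page that touches the database, since the slide notes that pages other than the login page were affected as well.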


Various attack vectors have been evaluated and vulnerabilities with serious impacts have been revealed

Summary

SUMMARY

▪ Charging station infrastructure will become more and more important in the near future.

▪ In this talk, three possible attack vectors to the charging station infrastructure have been evaluated (more vectors are possible).

▪ Vulnerabilities (brute force, CVEs, SQL injection, unencrypted communication channels, …) were identified for all services.

▪ IT security principles should be considered from the beginning of the system’s development to reduce the likelihood and the impact of a system’s breach!


THANKS FOR YOUR ATTENTION!

Dr. Christian Hille, Managing Director

+49 (0)151 27654612