Ofer Shezaf
Blogging at http://www.xiom.com

What I do for a living
• Product Manager, Security Solutions, HP ArcSight
• Led security research and product management at Breach Security & HP Fortify
I am passionate about security after hours as well
• OWASP leader and founder of the Israeli chapter
• Leads the Web Application Firewall Evaluation Criteria project
• Wrote the ModSecurity Core Rule Set
• But I am a defender and not a hacker; I am too old for that
Everything in this presentation is taken from public sources
Fun fact: the closest airport to my house is in Damascus, Syria

We are in the right city

Agenda
Plugs: Why smart charge? The electric car and the smart grid
How to charge smartly: Architecture and functionality of charge stations
Security: What can go wrong? Vulnerabilities and incidents
Why should we care? The risk
What should we do? Solutions
Philosophy: Hacking the internet of things. Why doesn't it happen more?
Smart charging electric cars

Why not just plug into the wall?

Are there plugs on the streets?
And if there were, who will pay for the power?

Is there enough power for all cars?
In a building? In the country?

Are electric cars really green?
When is renewable energy available?

Customer needs
• Charge as soon as possible
• Pay minimum
• Make it easy
Restrictions
• Local circuit capacity
• Regional, national and international capacity
• Renewable energy availability
• Battery life management

So we need to smart charge
[Diagram, © 2010 Better Place: EV charge management architecture. Charging sites (single-unit residences with smart metering / HAN, multi-unit residences, utility, office buildings, public charging, retail space) connect over power and communications through a local controller to the EV charge management back office & analytics (customer services, supply management, load management, system planning, EV network management) and to EV driver services (charge services, user).]
Charge scenarios

Charge plans

Charge stations

A computer on the street

Component by component
• Smart socket
• Metering, GND terminal, CP terminal
• Fan (optional)
• PSU, RCD
• UI - LCD, LEDs, buzzer
• Main PCB
• Communications: GSM / WiFi / ZigBee / RS
• Electrical / electronics

Actually a network

Potential Vulnerabilities
All the information in this section is based on public sources, and in most cases on vendors' web sites. Looking into the suggested possibilities is left as an exercise to the audience.
Physical access
What is it? Take the system apart to:
• Determine components
• Extract firmware and EEPROM
• Analyze and debug firmware
Either off the street or purchased from the vendor
Potential vulnerabilities:
• Convenient eavesdropping points
• Get encryption keys
• Analyze RFID, car or control center encryption
• Analyze the car / control center protocol and determine vulnerabilities
Images: Grand et al., Parking meter hacking, BlackHat 2009

Short range communications: RS-485
What is it?
• Multi-drop serial protocol; enables a single data cable across all charge stations
• Very low bandwidth and high latency due to multiplexing and range (100KB/s shared by all nodes on a 1200m bus)
• ModBus is commonly used as the data protocol, and has no inherent security
Potential vulnerabilities: While it all depends on the application, bandwidth and latency limit encryption and make eavesdropping and man-in-the-middle attacks simple
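The CRC that ends every Modbus RTU frame is the only integrity check on the bus, and it authenticates nothing. As an added example (not from the talk), this Python bus monitor parses captured RS-485 frames, checks the CRC-16, and flags traffic that a read-only metering deployment should never see; the frames, unit addresses and allowed-unit list are constructed for the example.

```python
"""Passive audit of Modbus RTU traffic captured from an RS-485 bus.

Added example, not from the talk. The CRC-16 on each frame detects line
noise; it does not tell the receiver who sent the frame, so any node on
the shared cable can emit a frame that checks out. A defender's option at
this layer is to watch the bus and flag what should not be there.
"""

# Function codes that change device state (writes).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x03: "Read Holding Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Assemble an RTU frame: unit address, function, payload, CRC (low byte first).
    Used here only to construct sample traffic for the monitor."""
    body = bytes([unit, function]) + payload
    return body + crc16_modbus(body).to_bytes(2, "little")


def parse_frame(frame: bytes) -> dict:
    """Split a raw RTU frame into its fields and check the CRC."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, crc_field = frame[:-2], frame[-2:]
    expected = crc16_modbus(body).to_bytes(2, "little")
    return {
        "unit": body[0],
        "function": body[1],
        "payload": body[2:],
        "crc_ok": crc_field == expected,
    }


def audit_frames(frames, allowed_units, writes_allowed=False):
    """Return one alert string per suspicious frame.

    Alerts: CRC mismatch (line noise or a malformed injection), traffic to
    a unit address that is not in the deployed station list, and any write
    request on a bus that is supposed to be read-only (a metering poll).
    A frame with a valid CRC addressed to a known unit is indistinguishable
    from legitimate traffic at this layer, which is the talk's point.
    """
    alerts = []
    for idx, raw in enumerate(frames):
        f = parse_frame(raw)
        name = FUNCTION_NAMES.get(f["function"], f"0x{f['function']:02X}")
        if not f["crc_ok"]:
            alerts.append(f"frame {idx}: CRC mismatch (unit {f['unit']}, {name})")
            continue
        if f["unit"] not in allowed_units:
            alerts.append(f"frame {idx}: unknown unit address {f['unit']} ({name})")
        if f["function"] in WRITE_FUNCTIONS and not writes_allowed:
            alerts.append(f"frame {idx}: write request to unit {f['unit']} ({name})")
    return alerts


# Constructed sample traffic, as a bus monitor might capture it.
SAMPLE_FRAMES = [
    # Legitimate poll: unit 1, read 10 holding registers starting at 0.
    bytes.fromhex("01030000000AC5CD"),
    # Write Single Register to unit 1: CRC is valid, but writes are not expected here.
    build_frame(0x01, 0x06, bytes.fromhex("00010010")),
    # Read request addressed to unit 9, which is not a deployed station.
    build_frame(0x09, 0x03, bytes.fromhex("00000002")),
    # The first poll again with its last CRC byte corrupted.
    bytes.fromhex("01030000000AC5CE"),
]

if __name__ == "__main__":
    for line in audit_frames(SAMPLE_FRAMES, allowed_units={1, 2, 3}):
        print(line)
```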
Short range communication: RFID
How is it used? Several standards are in use:
• ISO 14443 can be secured, but is not always
• ISO 15693 is cheaper and has longer range, but provides little security
• Older 125KHz cards have no security
Standards do not determine the application
Potential vulnerabilities:
• Easy to eavesdrop: authentication is secured but identification is not
• Extremely costly to patch
• Encryption… on the next slide
Image: OpenPICC 13.56MHz RFID sniffer

Encryption: RFID
How is it used?
• The application is either a stored value or identification
• Commonly employs protected memory using symmetric keys
Potential vulnerabilities:
• The same symmetric key used for all stations and cards does not scale, and is open to relay and card attacks
• Different symmetric keys require connectivity
• Weak cryptography
• That is, if keys are used at all…
Image: HID iCLASS™ security demystified

Internet of things: protocols
Charge station to central management:
• Identification, starting and stopping a charge transaction
• Reservations
• Maintenance: setup, heartbeat, configuration, firmware updates, errors and diagnostics
Car to charge station:
• Negotiate current
• Identification
Potential vulnerabilities:
• Security by obscurity
• Trust in end points
• SSH and SNMP used extensively for management

Internet of things: web and mobile control
For charge station owners:
• Configure stations (max current allowed… public or not…)
• Set pricing and manage transactions
• Start/stop charging
• Accounts and RFID card management
• Manage transactions
For drivers:
• Pay and manage payments
• Start/stop charging
• Connect RFID cards
Potential vulnerabilities? Kidding me…
Human factor: deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple as:
• Open the box
• Set a DIP switch to configuration mode
• Connect an Ethernet crossover cable to the Ethernet port
• Fire up a browser and connect to 192.168.2.2
• I wonder what you can get to outside of a browser

Risks & Scenarios
• Denial of (energy) service
• Stealing
• Privacy infringement
• …and…
As EV charging is still in its infancy, to the best of my knowledge no incidents have been reported yet. The examples below are from similar systems that share many of the components, such as:
• Parking meters
• Transportation payment systems

Denial of (charging/power) service
Scenarios, large scale or targeted:
• Web/mobile: reservations, stopping a charge
• Control center: messing with charge planning (local or global)
• Charge stations: a time bomb in firmware. Imagine no electric car can charge for a day when they are 30% of a national fleet
Happened before:
• Chicago parking meters meltdown
• Ex-Dealership Employee Uses Internet To Disable 100 Cars

Stealing electricity (or money)
Scenarios:
• RFID fraud: stored value or identity theft
• Communications: man in the middle
• Protocols: emulating the control center
• Web: refunds, identity theft
• Meter spoofing
Happened before:
• Grand et al., SF parking meter hacking, BlackHat 2009
• Ryan et al., Boston subway hack, Defcon 2008
• Faulty cards just now replaced in the Netherlands
A lot of small charges can accumulate

Privacy infringement
Scenarios:
• Eavesdropping at multiple points
• Web/mobile: retrieving location-identified transactions
Happened before:
• The Web Hacking Incidents Database

Electrocution

Solutions
Open Standards
Today standards are in their infancy and not open enough, forcing security by obscurity
EV to CS communication:
• ISO/IEC 15118 V2G
• SAE J2293, J2836, J2847
RFID:
• ISO 14443 + PayWave/PayPass
• NFC
• AES/3DES
Control center communications:
• Application: e-Laad OCPP, ChargePoint Open Charge, ISO/IEC 15118 (partial)
• Network: ZigBee
• Roaming

Massive key and password management
Support unique key issuing and revocation:
• Public key cryptography where feasible
• Derived symmetric keys for online systems and management protocols
• One-time maintenance keys or passwords
Encryption risk management:
• Consider an insecure offline mode that leaves no key in the charge station
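The "same symmetric key in every station and card" problem on the RFID encryption slide and the "derived symmetric keys for online systems" point above are two sides of one design. As an added example (not from the talk or any vendor's product), this Python sketch derives a unique key per station and per card from a back-office master key, verifies messages online by re-deriving that key, and revokes a single device by ID; the identifiers, message format and the choice of HMAC-SHA256 as the derivation function are the example's own assumptions.

```python
"""Per-device key diversification with revocation (added example, not from the talk).

The master key never leaves the back office. Each charge station and each
RFID card is issued a key derived from the master key and its identifier,
so a key recovered from one dismantled station (or cloned card) only ever
authenticates that one device, and that device can be revoked by ID without
re-keying the rest of the fleet. Identifiers and keys below are constructed.
"""
import hashlib
import hmac
import secrets


class BackOffice:
    """Control-center side: holds the master key and the revocation list."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._revoked = set()

    def derive_key(self, kind: str, device_id: str) -> bytes:
        # Domain-separate station and card keys so the same ID text in the
        # two namespaces never yields the same key. HMAC-SHA256 as KDF is
        # this example's assumption, not anything the talk prescribes.
        label = f"{kind}:{device_id}".encode()
        return hmac.new(self._master, label, hashlib.sha256).digest()

    def provision(self, kind: str, device_id: str) -> bytes:
        """Issue a device its unique key (once, over a trusted channel)."""
        return self.derive_key(kind, device_id)

    def revoke(self, kind: str, device_id: str) -> None:
        self._revoked.add(f"{kind}:{device_id}")

    def verify(self, kind: str, device_id: str, message: bytes, tag: bytes) -> bool:
        """Re-derive the claimed device's key and check its MAC.

        Revoked devices fail even with a valid tag, so a key lifted from a
        stolen station stops working as soon as the ID is revoked, with no
        change to any other station or card. Requires the station to be
        online: this is the 'different keys require connectivity' trade-off.
        """
        if f"{kind}:{device_id}" in self._revoked:
            return False
        key = self.derive_key(kind, device_id)
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class ChargeStation:
    """Station side: knows only its own derived key, never the master."""

    def __init__(self, station_id: str, station_key: bytes):
        self.station_id = station_id
        self._key = station_key

    def sign(self, message: bytes) -> bytes:
        return hmac.new(self._key, message, hashlib.sha256).digest()


def demo() -> dict:
    """Provisioning, a cross-station forgery attempt, and revocation of one unit."""
    office = BackOffice(master_key=secrets.token_bytes(32))
    cs_a = ChargeStation("CS-0001", office.provision("station", "CS-0001"))
    cs_b = ChargeStation("CS-0002", office.provision("station", "CS-0002"))

    msg = b"StartTransaction card=CARD-77"  # constructed message body
    results = {}
    # Normal operation: station A signs, the back office re-derives and accepts.
    results["a_accepted"] = office.verify("station", "CS-0001", msg, cs_a.sign(msg))
    # A key extracted from unit A does not let anyone speak as unit B.
    results["a_key_as_b_rejected"] = not office.verify("station", "CS-0002", msg, cs_a.sign(msg))
    # Station and card keys with identical ID text must still differ.
    results["domains_separated"] = office.derive_key("station", "X1") != office.derive_key("card", "X1")
    # Revoking A stops A's otherwise-valid tags without touching B.
    office.revoke("station", "CS-0001")
    results["a_revoked"] = not office.verify("station", "CS-0001", msg, cs_a.sign(msg))
    results["b_unaffected"] = office.verify("station", "CS-0002", msg, cs_b.sign(msg))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```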
Just design (and invest) in security

So many frightening talks
So why no hacks?

It takes an expert, and not just in hacking
• Security expert
• Domain expert
• Physical hacking

This is as simple as it gets (i.e. just presentation graphics)
And not just any security expert

At least when it gets physical

However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by then…

Ofer Shezaf, ofer@shezaf.com
2
What I do for a livingbull Product Manager Security Solutions HP ArcSightbull Led security research and product
management at Breach Security amp HP Fortify
I am passionate about security after hours as wellbull OWASP leader and founder of the Israeli chapterbull Leads the Web Application Firewall Evaluation Criteria projectbull Wrote the ModSecurity Core Rule Setbull But I am a defender and not a hacker I am too old for that
Everything in this presentation is taken from public sources
Fun fact the closest airport to my house is in Damascus Syria
3
We are in the right city
Agenda
Plugs Why smart charge The electric car and the smart grid
How to charge smartly Architecture and functionality of charge stations
Security What can go wrong Vulnerabilities and incidents
What should we care The risk
What should we do Solutions
Philosophy Hacking the internet of things
Why doesnrsquot it happen more
Smart charging electric cars
6
Why not just plug to the wall
7
Are there plugs on the streets
And if there were who will pay for the power
8
Is there enough power for all cars
In a building In the country
9
Are electric cars really green
When is renewable energy available
10
Charge as soon as possible
Pay minimum
Make it easy
Local circuit capacity
Regional national and international capacity
Renewable energy availability
Battery life management
Cust
omer
Nee
ds
Restrictions
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
3
We are in the right city
Agenda
Plugs Why smart charge The electric car and the smart grid
How to charge smartly Architecture and functionality of charge stations
Security What can go wrong Vulnerabilities and incidents
What should we care The risk
What should we do Solutions
Philosophy Hacking the internet of things
Why doesnrsquot it happen more
Smart charging electric cars
6
Why not just plug to the wall
7
Are there plugs on the streets
And if there were who will pay for the power
8
Is there enough power for all cars
In a building In the country
9
Are electric cars really green
When is renewable energy available
10
Charge as soon as possible
Pay minimum
Make it easy
Local circuit capacity
Regional national and international capacity
Renewable energy availability
Battery life management
Cust
omer
Nee
ds
Restrictions
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
Agenda
Plugs Why smart charge The electric car and the smart grid
How to charge smartly Architecture and functionality of charge stations
Security What can go wrong Vulnerabilities and incidents
What should we care The risk
What should we do Solutions
Philosophy Hacking the internet of things
Why doesnrsquot it happen more
Smart charging electric cars
6
Why not just plug to the wall
7
Are there plugs on the streets
And if there were who will pay for the power
8
Is there enough power for all cars
In a building In the country
9
Are electric cars really green
When is renewable energy available
10
Charge as soon as possible
Pay minimum
Make it easy
Local circuit capacity
Regional national and international capacity
Renewable energy availability
Battery life management
Cust
omer
Nee
ds
Restrictions
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
Smart charging electric cars
6
Why not just plug to the wall
7
Are there plugs on the streets
And if there were who will pay for the power
8
Is there enough power for all cars
In a building In the country
9
Are electric cars really green
When is renewable energy available
10
Charge as soon as possible
Pay minimum
Make it easy
Local circuit capacity
Regional national and international capacity
Renewable energy availability
Battery life management
Cust
omer
Nee
ds
Restrictions
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
Physical access
What is it? Take the system apart, either off the street or purchased from the vendor, to:
- Determine components
- Extract firmware and EEPROM
- Analyze and debug firmware
Potential vulnerabilities:
- Convenient eavesdropping points
- Get encryption keys
- Analyze RFID, car or control center encryption
- Analyze the car/control center protocol and determine vulnerabilities
Images: Grand et al., Parking meter hacking, Black Hat 2009
Short range communications: RS-485
What is it?
- Multi-drop serial bus: a single data cable runs across all charge stations
- Very low bandwidth and high latency due to multiplexing and range (about 100 kbit/s shared by all nodes on a 1200 m bus)
- Modbus is commonly used as the data protocol, and it has no inherent security: no authentication, no encryption, only a CRC against line errors
Potential vulnerabilities: while it all depends on the application, the bandwidth and latency limits discourage encryption, and a shared bus makes eavesdropping and man-in-the-middle attacks simple.
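As an added illustration (example code written for this page, not code from the talk or from any charging vendor), the following Python builds a Modbus RTU "Write Single Register" frame of the kind a local controller might use to set a station's allowed current, shows that anyone attached to the shared RS-485 bus can rewrite the value and recompute the CRC so the receiver accepts it, and contrasts that with the same frame protected by a short HMAC tag. The unit address, the register number and its meaning, and the shared key are assumptions constructed for the example; no vendor's register map is reproduced.

```python
import hashlib
import hmac
import struct


def modbus_crc(data: bytes) -> int:
    """CRC-16/MODBUS (init 0xFFFF, reflected poly 0xA001), as sent on the RS-485 wire."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_write_single_register(unit: int, addr: int, value: int) -> bytes:
    """Modbus RTU function 0x06 'Write Single Register': unit, func, addr, value, CRC."""
    body = struct.pack(">BBHH", unit, 0x06, addr, value)
    return body + struct.pack("<H", modbus_crc(body))  # CRC is little-endian on the wire


def parse_frame(frame: bytes) -> dict:
    """Parse and CRC-check a function 0x06 frame; raises ValueError on a bad CRC."""
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if modbus_crc(body) != crc:
        raise ValueError("bad CRC")
    unit, func, addr, value = struct.unpack(">BBHH", body)
    return {"unit": unit, "func": func, "addr": addr, "value": value}


def bus_attacker_rewrite(frame: bytes, new_value: int) -> bytes:
    """What anyone tapped into the shared bus can do: change a field and recompute
    the CRC. The CRC catches line noise, not a deliberate change."""
    f = parse_frame(frame)
    return build_write_single_register(f["unit"], f["addr"], new_value)


TAG_LEN = 8  # truncated HMAC; kept short because bus bandwidth is scarce (assumption)


def tag_frame(frame: bytes, key: bytes) -> bytes:
    """Append a truncated HMAC-SHA256 so only a holder of the per-station key can
    produce an acceptable frame. Key distribution is assumed to be solved elsewhere."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


def verify_tagged(tagged: bytes, key: bytes) -> dict:
    """Check the tag before even looking at the CRC or the payload."""
    frame, tag = tagged[:-TAG_LEN], tagged[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC: frame forged or altered on the bus")
    return parse_frame(frame)


def demo() -> dict:
    """Constructed scenario: unit 7, register 0x0010 = allowed charge current in amps
    (hypothetical register map), legitimately set to 16 A by the local controller."""
    key = b"per-station-key-for-the-example"
    legit = build_write_single_register(unit=7, addr=0x0010, value=16)
    forged = bus_attacker_rewrite(legit, new_value=63)
    tagged = tag_frame(legit, key)
    # The attacker rewrites the frame but, having no key, must reuse the old tag.
    forged_tagged = bus_attacker_rewrite(tagged[:-TAG_LEN], 63) + tagged[-TAG_LEN:]
    try:
        verify_tagged(forged_tagged, key)
        forged_with_mac_accepted = True
    except ValueError:
        forged_with_mac_accepted = False
    return {
        "legit_value": parse_frame(legit)["value"],             # 16
        "forged_accepted_value": parse_frame(forged)["value"],  # 63: plain Modbus accepts it
        "tagged_value": verify_tagged(tagged, key)["value"],    # 16
        "forged_with_mac_accepted": forged_with_mac_accepted,   # False
    }


if __name__ == "__main__":
    print(demo())
```

The 8-byte tag doubles the size of an 8-byte Modbus frame, which is exactly the bandwidth trade-off the slide points at. A real design would also put a counter or nonce inside the authenticated data to stop replay of a previously valid frame; this example leaves that out to keep the contrast with plain Modbus visible.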
Short range communication: RFID
How is it used? Several standards are in use:
- ISO 14443 can be secured, but is not always
- ISO 15693 is cheaper and has longer range, but provides little security
- Older 125 kHz cards have no security
Standards do not determine the application.
Potential vulnerabilities:
- Easy to eavesdrop: authentication is secured, but identification (the card ID) is not
- Extremely costly to patch once cards are deployed
- Encryption... on the next slide
Image: OpenPICC 13.56 MHz RFID sniffer
Encryption: RFID
How is it used?
- The application is either a stored value or identification
- Commonly employs protected memory using symmetric keys
Potential vulnerabilities:
- The same symmetric key used for all stations and cards does not scale and is open to relay and card attacks
- Different symmetric keys per card require connectivity to the back office
- Weak cryptography
- That is, if keys are used at all...
Image: HID iCLASS(TM) security demystified
Internet of things: protocols
Charge station to central management:
- Identification, starting and stopping a charge transaction
- Reservations
- Maintenance: setup, heartbeat, configuration, firmware updates, errors and diagnostics
Car to charge station:
- Negotiate current
- Identification
Potential vulnerabilities:
- Security by obscurity
- Trust in end points
- SSH and SNMP used extensively for management
Internet of things: web and mobile control
For charge station owners:
- Configure stations (max current allowed... public or not...)
- Set pricing and manage transactions
- Start/stop charging
- Accounts and RFID card management
- Manage transactions
For drivers:
- Pay and manage payments
- Start/stop charging
- Connect RFID cards
Potential vulnerabilities: kidding me... every web application vulnerability applies
Human factor: deployment and maintenance
Image: GE charge station user guide
Configuring is sometimes as simple as:
- Open the box
- Set a DIP switch to configuration mode
- Connect an Ethernet crossover cable to the Ethernet port
- Fire up a browser and connect to 192.168.2.2
- I wonder what you can get to outside of a browser
Risks & Scenarios
- Denial of (energy) service
- Stealing
- Privacy infringement
- ...and...
As EV charging is still in its infancy, to the best of my knowledge no incident has been reported yet. The examples below are from similar systems that share many of the components, such as:
- Parking meters
- Transportation payment systems
Denial of (charging/power) service
Scenarios, large scale or targeted:
- Web/mobile: reservations, stopping a charge
- Control center: messing with charge planning (local or global)
- Charge stations: a time bomb in firmware. Imagine no electric car can charge for a day when they are 30% of a national fleet
Happened before:
- Chicago parking meters meltdown
- Ex-dealership employee uses the Internet to disable 100 cars
Stealing electricity (or money)
Scenarios:
- RFID fraud: stored value or identity theft
- Communications: man in the middle
- Protocols: emulating the control center
- Web: refunds, identity theft
- Meter spoofing
Happened before:
- Grand et al., SF parking meter hacking, Black Hat 2009
- Ryan et al., Boston subway hack, Defcon 2008
- Faulty cards just now replaced in the Netherlands
A lot of small charges can accumulate
Privacy infringement
Scenarios:
- Eavesdropping at multiple points
- Web/mobile: retrieving location-identified transactions
Happened before: the Web Hacking Incidents Database
Electrocution
Solutions
Open Standards
Today standards are in their infancy and not open enough, forcing security by obscurity.
EV to CS communication:
- ISO/IEC 15118 (V2G)
- SAE J2293 / J2836 / J2847
RFID:
- ISO 14443 + PayWave/PayPass
- NFC
- AES/3DES
Control center communications:
- Application: e-Laad OCPP, ChargePoint Open Charge, ISO/IEC 15118 (partial)
- Network: ZigBee
- Roaming
Massive key and password management
Support unique key issuing and revocation:
- Public key cryptography where feasible
- Derived symmetric keys for online systems and management protocols
- One-time maintenance keys or passwords
Encryption risk management:
- Consider an insecure offline mode that allows keeping no key in the charge station
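As an added example (written for this page, not code from the talk or from any charging vendor), the following Python shows what "derived symmetric keys" and "no key in the charge station" look like in practice for the RFID case discussed under Encryption: the back office derives a per-card key from a master key and the card's UID, each card is personalised with its own key only, and the charge station holds no long-term secret at all, relaying a challenge/response to the back office. The HMAC-SHA256 card response, the UIDs and the master key value are assumptions constructed for the example; real contactless cards use their own 3DES or AES authentication, but the key diversification logic is the same.

```python
import hashlib
import hmac
import secrets

# Constructed for this example. In a real deployment the master key lives in the
# back office (ideally in an HSM) and is never stored in a station or a card.
MASTER_KEY = bytes.fromhex("5f8a3c11" * 8)


def derive_card_key(master: bytes, card_uid: bytes) -> bytes:
    """Key diversification: card key = HMAC(master, label || uid).
    Knowing one card's key reveals nothing about the master or about other cards."""
    return hmac.new(master, b"ev-rfid-card-v1|" + card_uid, hashlib.sha256).digest()


class Card:
    """Personalised at issuing time with its own diversified key only."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        # Challenge/response: the key never leaves the card, only a MAC of the nonce does.
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class BackOffice:
    """Holds the master key, derives card keys on demand, owns the revocation list."""

    def __init__(self, master: bytes):
        self._master = master
        self.revoked = set()

    def issue_card(self, uid: bytes) -> Card:
        return Card(uid, derive_card_key(self._master, uid))

    def revoke(self, uid: bytes) -> None:
        self.revoked.add(uid)

    def verify(self, uid: bytes, nonce: bytes, response: bytes) -> bool:
        if uid in self.revoked:
            return False
        expected = hmac.new(derive_card_key(self._master, uid), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class ChargeStation:
    """Holds no long-term secret: it generates the nonce and relays the card UID and
    response to the back office, so extracting its firmware yields no card key."""

    def __init__(self, back_office: BackOffice, online: bool = True):
        self.back_office = back_office
        self.online = online

    def authenticate(self, card: Card) -> str:
        if not self.online:
            # The slide's "insecure offline mode": with no key on the station there is
            # nothing to verify against. Deny here; a policy might instead allow a
            # capped, logged session.
            return "denied-offline"
        nonce = secrets.token_bytes(16)
        ok = self.back_office.verify(card.uid, nonce, card.respond(nonce))
        return "authorized" if ok else "denied"


def cloned_card_attack(stolen: Card, target_uid: bytes) -> Card:
    """An attacker who extracted one card's key presents it under another UID.
    With a single fleet-wide key this works for any UID; with diversified keys
    the response will not match the key the back office derives for target_uid."""
    return Card(target_uid, stolen._key)


if __name__ == "__main__":
    bo = BackOffice(MASTER_KEY)
    alice = bo.issue_card(bytes.fromhex("04a1b2c3"))  # constructed UIDs
    bob = bo.issue_card(bytes.fromhex("04d4e5f6"))
    station = ChargeStation(bo)
    print(station.authenticate(alice))                               # authorized
    print(station.authenticate(cloned_card_attack(alice, bob.uid)))  # denied
```

With one shared key the cloned-card attack would succeed for every UID; here it fails because a stolen key only ever authenticates the UID it was derived for, and revocation is a back-office list rather than a field update to every station. The cost is the one the slide names: without connectivity the station cannot authenticate anyone, and what to do in that case is a policy decision, not a cryptographic one.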
Just design (and invest) in security
So many frightening talks... so why no hacks?
It takes an expert, and not just in hacking: a security expert, a domain expert, and physical hacking
(This is as simple as it gets, i.e. just presentation graphics)
And not just any security expert
At least when it gets physical
However:
- Risks are aggregative and involve a basic service
- They will become an issue when electric cars become a reality
- It may be too late by then...
Ofer Shezaf, ofer@shezaf.com
6
Why not just plug to the wall
7
Are there plugs on the streets
And if there were who will pay for the power
8
Is there enough power for all cars
In a building In the country
9
Are electric cars really green
When is renewable energy available
10
Charge as soon as possible
Pay minimum
Make it easy
Local circuit capacity
Regional national and international capacity
Renewable energy availability
Battery life management
Cust
omer
Nee
ds
Restrictions
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
7
Are there plugs on the streets
And if there were who will pay for the power
8
Is there enough power for all cars
In a building In the country
9
Are electric cars really green
When is renewable energy available
10
Charge as soon as possible
Pay minimum
Make it easy
Local circuit capacity
Regional national and international capacity
Renewable energy availability
Battery life management
Cust
omer
Nee
ds
Restrictions
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
8
Is there enough power for all cars
In a building In the country
9
Are electric cars really green
When is renewable energy available
10
Charge as soon as possible
Pay minimum
Make it easy
Local circuit capacity
Regional national and international capacity
Renewable energy availability
Battery life management
Cust
omer
Nee
ds
Restrictions
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
9
Are electric cars really green
When is renewable energy available
10
Charge as soon as possible
Pay minimum
Make it easy
Local circuit capacity
Regional national and international capacity
Renewable energy availability
Battery life management
Cust
omer
Nee
ds
Restrictions
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks?
37
It takes an expert, and not just in hacking
[Diagram: Security expert, Domain expert, Physical hacking]
38
This is as simple as it gets (i.e. just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However:
Risks are aggregative and involve a basic service
They will become an issue when electric cars become a reality
It may be too late by then…
Ofer Shezaf, ofer@shezaf.com
10
Charge as soon as possible
Pay minimum
Make it easy
Local circuit capacity
Regional national and international capacity
Renewable energy availability
Battery life management
Cust
omer
Nee
ds
Restrictions
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
11
So we need to smart charge
CONFIDENTIAL copy 2010 Better Place
11
single-unit residences
(smart meteringHAN)
Multi-unit residencesUtil
ity Office buildings
Public charging
EV charge management
back
off
ice
amp an
alyt
ics
customer services
supply management
load management
system planning
EV network management
Local
Controller
Retail space
powercommunications
EV driver servicesC
harg
e Se
rvic
esU
ser
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
12
Charge scenarios
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
13
Charge plans
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
Charge stations
15
A computer on the street
16
Smart Socket
Metering GND Terminal CP Terminal
Fan(optional)
PSU RCD
UI ndash LCD LEDs Buzzer
Main PCB
Component by component
GSMWiFiZigBeeRS
ElectricalElectronics
17
Actually a network
Potential Vulnerabilities
All the information in this section is based on public sources and in most cases from vendorsrsquo web sitesLooking into the suggested possibilities is left as an exercise to the audience
19
Physical access
What is itTake apart system tobull Determine componentsbull Extract firmware and EEPROMbull Analyze and debug firmware
Either of the street or purchased from vendorPotential vulnerabilitiesbull Convenient eavesdropping pointsbull Get encryption keysbull Analyze RFID car or control center encryptionbull Analyze carcontrol center protocol and determine
vulnerabilities
Images Grand et al Parking meter hacking BlackHat 2009
20
Short range communications RS-485
What is itbull Multi-drop serial protocol enables single data cable
across all charge stationsbull Very low bandwidth and high latency due to
multiplexing and range (100KBs shared by all nodes at 1200m bus)
bull ModBus commonly used as data protocol and has no inherent security
Potential VulnerabilitiesWhile it all depends on the application bandwidth and latency limits encryption and makes eavesdropping and man in the middle attacks simple
21
Short range communication RFID
How is it usedSeveral standards usedbull ISO 14443 can be secured but is not alwaysbull ISO 15693 is cheaper and has longer range but provides little
securitybull Older 125KHz cards have no security
Standards do not determine applicationPotential vulnerabilitiesbull Easy to eavesdrop authentication is secured but not identificationbull Extremely costly to patchbull Encryptionhellip on next slide
OpenPICC 1356MHz RFID sniffer
22
Encryption RFID
How is it usedbull Application either a stored value or identificationbull Commonly employs protected memory using
symmetric keys
Potential vulnerabilitiesbull Same symmetric key used for all stations and
cards does not scale and open to relay and card attacks
bull Different symmetric keys require connectivitybull Weak cryptographybull That is if keys are usedhellip
HID
iCLA
SStrade
security demystified
23
Internet of things protocols
Charge station to central managementbull Identification starting and stopping a charge transactionbull Reservationsbull Maintenance Setup heartbeat Configuration Firmware Updates
Errors and diagnostics
Car to charge station bull Negotiate current bull Identification
Potential vulnerabilitiesbull Security by obscuritybull Trust in end pointsbull SSH and SNMP used extensively for management
24
Internet of things web and mobile control
For charge station ownersbull Configure stations (max current allowedhellippublic or nothellip)bull Set pricing and manage transactionsbull Startstop chargingbull Accounts and RFID cards management bull Manager transactions
For driversbull Pay and manage paymentsbull Startstop chargingbull Connect RFID cards
Potential vulnerabilities Kidding mehellip
25
Human factor deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple asbull Open the boxbull Place a DIP switch to configuration modebull Connect Ethernet cross cable to the Ethernet portbull Fire a browser and connect to 19216822bull I wonder what you can get to outside of a browser
Risks amp Scenarios
bull Denial of (energy) servicesbull Stealingbull Privacy infringementbull hellipandhellip
As EV charging is still in infancy to the best of my knowledge no incident have been reported yet The example below are from similar systems that share many of the components such as bull Parking metersbull Transportation payment systems
27
Denial of (chargingpower) service
ScenariosLarge scale or targetedbull Webmobile reservation stopping chargebull Control center Massing with charge planning (local of global)bull Charge stations time bomb in firmware Imagine no electric car can charge for a day when the are 30 of a national fleet
Happened beforebull Chicago parking meters meltdownbull Ex-Dealership Employee Uses Internet To Disable 100 Cars
27
28
Stealing electricity (or money)
Scenariosbull RFID fraud stored value of identity theftbull Communications Man in the middle bull Protocols emulating the control centerbull Web refunds identity theftbull Meter spoofing
Happened beforebull Grand et al SF parking meter hacking BlackHat 2009bull Ryan et al Boston subway hack Defcon 2008 Faulty cards just
now replaced in the Netherlands
A lot of small charges can accumulate
29
Privacy infringement
Scenariosbull Eavesdropping at multiple pointsbull Webmobile Retrieving location identified
transactions
Happened beforebull The web hacking incidents database
29
30
Electrocution
Solutions
32
Open Standards
Today standards in in infancy and not open enough forcing security by obscurity
EV 2 CS communicationbull ISOIEC 15118 V2G
bull SAE J229328362847
RFIDbull ISO 14443 + PayWavePayPass
bull NFC bull AES3DES
Control Center communicationsApplication
bull e-Laad OPPCbull ChargePoint Open Chargebull ISOIEC 15118 (partial)
Network ZigBee
Roaming
33
Massive key and password management
Support unique key issuing and revocationbull Public key cryptography where feasiblebull Derived symmetric keys for online systems and management
protocolsbull One time maintenance keys or passwords
Encryption risk managementbull Consider insecure offline mode allowing no key in charge
station
34
Just design (and invest) in security
36
So many frightening talks
So why no hacks
37
It takes an expert and not just in hacking
Security Expert
Domain Expert
Physical hacking
presentation
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
21
Short range communication: RFID
How is it used: several standards are used
• ISO 14443 can be secured, but is not always
• ISO 15693 is cheaper and has longer range, but provides little security
• Older 125 kHz cards have no security
Standards do not determine application
Potential vulnerabilities
• Easy to eavesdrop: authentication is secured, but identification is not
• Extremely costly to patch
• Encryption… on next slide
OpenPICC 13.56 MHz RFID sniffer

22
Encryption: RFID
How is it used
• Application: either a stored value or identification
• Commonly employs protected memory using symmetric keys
Potential vulnerabilities
• Same symmetric key used for all stations and cards: does not scale and is open to relay and card attacks
• Different symmetric keys require connectivity
• Weak cryptography
• That is, if keys are used at all…
HID iCLASS™ security demystified

23
Internet of things: protocols
Charge station to central management
• Identification: starting and stopping a charge transaction
• Reservations
• Maintenance: setup, heartbeat, configuration, firmware updates
• Errors and diagnostics
Car to charge station
• Negotiate current
• Identification
Potential vulnerabilities
• Security by obscurity
• Trust in end points
• SSH and SNMP used extensively for management

24
Internet of things: web and mobile control
For charge station owners
• Configure stations (max current allowed… public or not…)
• Set pricing and manage transactions
• Start/stop charging
• Accounts and RFID cards management
• Manage transactions
For drivers
• Pay and manage payments
• Start/stop charging
• Connect RFID cards
Potential vulnerabilities? Kidding me…

25
Human factor: deployment and maintenance
GE charge station user guide
Configuring is sometimes as simple as:
• Open the box
• Place a DIP switch in configuration mode
• Connect an Ethernet cross cable to the Ethernet port
• Fire up a browser and connect to 192.168.2.2
• I wonder what you can get to outside of a browser

Risks & Scenarios
• Denial of (energy) services
• Stealing
• Privacy infringement
• …and…
As EV charging is still in its infancy, to the best of my knowledge no incidents have been reported yet. The examples below are from similar systems that share many of the components, such as:
• Parking meters
• Transportation payment systems

27
Denial of (charging/power) service
Scenarios: large scale or targeted
• Web/mobile: reservations, stopping a charge
• Control center: messing with charge planning (local or global)
• Charge stations: a time bomb in firmware. Imagine no electric car can charge for a day when they are 30% of a national fleet
Happened before
• Chicago parking meters meltdown
• Ex-Dealership Employee Uses Internet To Disable 100 Cars

28
Stealing electricity (or money)
Scenarios
• RFID fraud: stored value or identity theft
• Communications: man in the middle
• Protocols: emulating the control center
• Web: refunds, identity theft
• Meter spoofing
Happened before
• Grand et al., SF parking meter hacking, BlackHat 2009
• Ryan et al., Boston subway hack, Defcon 2008
• Faulty cards just now replaced in the Netherlands
A lot of small charges can accumulate

29
Privacy infringement
Scenarios
• Eavesdropping at multiple points
• Web/mobile: retrieving location-identified transactions
Happened before
• The Web Hacking Incidents Database

30
Electrocution

Solutions

32
Open Standards
Today standards are in their infancy and not open enough, forcing security by obscurity
EV to CS communication
• ISO/IEC 15118 (V2G)
• SAE J2293/2836/2847
RFID
• ISO 14443 + PayWave/PayPass
• NFC
• AES/3DES
Control center communications
Application
• e-Laad OCPP
• ChargePoint Open Charge
• ISO/IEC 15118 (partial)
Network: ZigBee
Roaming

33
Massive key and password management
Support unique key issuing and revocation
• Public key cryptography where feasible
• Derived symmetric keys for online systems and management protocols
• One-time maintenance keys or passwords
Encryption risk management
• Consider an insecure offline mode that leaves no key in the charge station
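An added example, not code from the talk, showing the diversified-key scheme that slides 22 and 33 argue for: each card's key is derived at the back office from a master key, so one leaked card key says nothing about another card's key; the station holds no card keys, sends a fresh challenge per authentication, and revocation is checked online, so offline operation is an explicit policy decision rather than a stored key. HMAC-SHA256 as the derivation function and MAC, the card UIDs and the master key are assumptions of this example.

```python
"""Key diversification, revocation and challenge-response for RFID charge cards.
Added illustration (not the talk's code): HMAC-SHA256 stands in for the cipher
of the card standard in use (AES/3DES on the slides)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed master key for the example; a real deployment keeps this in an HSM
# at the back office, never in a charge station.
MASTER_KEY = bytes.fromhex("0f" * 32)


def derive_card_key(master: bytes, card_uid: bytes) -> bytes:
    """Diversified key: unique per card; cannot be inverted to the master key
    and gives no information about other cards' keys."""
    return hmac.new(master, b"ev-card-key|" + card_uid, hashlib.sha256).digest()


def card_mac(card_key: bytes, card_uid: bytes, challenge: bytes) -> bytes:
    """Response a card computes to a station challenge."""
    return hmac.new(card_key, b"ev-auth|" + card_uid + challenge, hashlib.sha256).digest()


class Card:
    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return card_mac(self._key, self.uid, challenge)


class BackOffice:
    """Online system: issues cards, keeps the revocation list, verifies responses."""
    def __init__(self, master: bytes) -> None:
        self._master = master
        self._revoked = set()

    def issue_card(self, card_uid: bytes) -> Card:
        return Card(card_uid, derive_card_key(self._master, card_uid))

    def revoke(self, card_uid: bytes) -> None:
        self._revoked.add(card_uid)

    def verify(self, card_uid: bytes, challenge: bytes, response: bytes) -> bool:
        if card_uid in self._revoked:
            return False
        expected = card_mac(derive_card_key(self._master, card_uid), card_uid, challenge)
        return hmac.compare_digest(expected, response)


class ChargeStation:
    """Holds no card keys. Online, the back office decides; offline, the outcome
    is a policy choice (the talk's "insecure offline mode"), not a local key."""
    def __init__(self, back_office: Optional[BackOffice], allow_offline: bool = False) -> None:
        self._back_office = back_office
        self._allow_offline = allow_offline

    def authenticate(self, card: Card) -> str:
        if self._back_office is None:
            return "offline-allowed" if self._allow_offline else "offline-denied"
        challenge = secrets.token_bytes(16)  # fresh per attempt: a replayed response fails
        ok = self._back_office.verify(card.uid, challenge, card.respond(challenge))
        return "accepted" if ok else "rejected"


def demo() -> dict:
    """Walk through issuance, a cloned UID with a leaked key, revocation and offline mode."""
    back_office = BackOffice(MASTER_KEY)
    station = ChargeStation(back_office)
    alice = back_office.issue_card(b"\x04\x11\x22\x33")  # constructed UIDs
    bob = back_office.issue_card(b"\x04\x44\x55\x66")
    # A card carrying Alice's UID but Bob's (leaked) key: one card key does not unlock another
    clone = Card(alice.uid, derive_card_key(MASTER_KEY, bob.uid))
    results = {
        "alice": station.authenticate(alice),
        "clone_of_alice_with_bobs_key": station.authenticate(clone),
        "keys_differ": derive_card_key(MASTER_KEY, alice.uid) != derive_card_key(MASTER_KEY, bob.uid),
    }
    back_office.revoke(bob.uid)
    results["bob_after_revocation"] = station.authenticate(bob)
    results["offline_default"] = ChargeStation(None).authenticate(alice)
    results["offline_insecure_mode"] = ChargeStation(None, allow_offline=True).authenticate(alice)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```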
34
Just design (and invest) in security

36
So many frightening talks
So why no hacks?

37
It takes an expert, and not just in hacking
Security expert
Domain expert
Physical hacking
presentation
38
This is as simple as it gets (i.e. just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by then…
Ofer Shezaf, ofer@shezaf.com
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
38
This is as simple at it gets (ie just presentation graphics)
And not just any security expert
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
39
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
40
At least when it gets physical
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
41
However
Risks are aggregative and involve a basic service
Will become an issue when electric cars become a reality
It may be too late by thanhellip
Ofer Shezafofershezafcom
Ofer Shezafofershezafcom