
34C3: Huge Vulnerabilities in Charging Stations

Wednesday, December 27th, 2017 | bitcoin updates

(Picture: CC by 4.0 34C3 media.ccc.de)

Drawing electricity for an electric car at charging stations at someone else's expense is no problem, according to security researcher Mathias Dalheimer. The billing number on user cards can simply be copied, and the communication infrastructure is hardly protected.


Two years ago, the infrastructure of public electricity charging stations was targeted by hackers from the circles around the Chaos Computer Club (CCC). Much was "already broken", it was said at the time. On Wednesday, at the 34th Chaos Communication Congress (34C3) in Leipzig, the security researcher Mathias Dalheimer reported that the job is now almost done. "The vendors have not implemented basic security mechanisms," the CCC member said, adding that if the gaps at the supermarket checkout were as big as those at the charging stations, you could "pay with a photocopy of a giro card" and it would work.

"At the moment, charge cards and billing protocols are unfortunately insecure," emphasized Dalheimer. Many charging stations are "trivial to manipulate". The main problem, according to the hacker, is inadequate authentication at every point of contact with the infrastructure for charging e-cars. While online banking, for example, requires at least a TAN as an additional factor on top of a PIN, at charging stations a single, easily obtained value can be enough to initiate far-reaching processes.


Mathias Dalheimer showed in Leipzig how easy it is to steal electricity from public charging points. (Picture: CC by 4.0 34C3 media.ccc.de)

The more than 11,000 public charging stations available in this country usually use the Open Charge Point Protocol (OCPP) in version 1.5 of 2012 as their billing solution. He had read the relevant specification and understood after 20 minutes that the authentication mechanisms used were inadequate, reported Dalheimer, who researches at the Fraunhofer Institute for Industrial Mathematics (ITWM) in Kaiserslautern. A "token" in the form of a sequence of 20 characters is sufficient to communicate with the central system in the operator's backend and draw power.

Totally unsecured

Dalheimer showed in a video how comparatively easy all of this is once you feed the charging station the right value. In it, he demonstrated that his self-built "test box", a car adapter with its own protective conductor monitoring and charging control, lets you connect something like a waffle iron and draw "normal AC" from the AC charging systems that prevail in this country. "There is no signature, no challenge, nothing is negotiated", said the expert, noting the absence of common protection and encryption mechanisms.

The necessary tokens are also easy to obtain, explained the researcher from the Palatinate. The charge cards on which they are stored can easily be inspected with readers such as the Proxmark3. It turned out that, as a rule, short-range contactless cards with "Mifare Classic" chips are used, although it has been known for about ten years that their crypto implementation has large holes. The smart cards can be read out and simulated completely trivially with additional tools such as the Chameleon Mini. He had found that only the card number is used as an authentication feature. Once such a number has been found, it can be copied as often as desired and transferred to a cheap blank card from China.
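
The contrast behind the remark "no signature, no challenge, nothing is negotiated", as an added example that is not from the talk or this article: a backend that authorises on the bare identifier next to a hypothetical one that uses HMAC-SHA256 challenge-response. All class and function names, the 20-character identifier and the key are constructed for illustration and are not part of OCPP or any vendor's system.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a 20-character identifier and a per-card secret.
ID_TAG = "CONSTRUCTED-TAG-0001"
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

class StaticTokenBackend:
    """Authorises on the bare identifier, the scheme the talk criticises."""
    def __init__(self, known_tags):
        self.known_tags = set(known_tags)

    def authorize(self, id_tag):
        return id_tag in self.known_tags

class ChallengeResponseBackend:
    """Hypothetical alternative: the card proves knowledge of a secret key."""
    def __init__(self, card_keys):
        self.card_keys = dict(card_keys)
        self.pending = {}  # id_tag -> outstanding single-use nonce

    def challenge(self, id_tag):
        self.pending[id_tag] = secrets.token_bytes(16)
        return self.pending[id_tag]

    def authorize(self, id_tag, response):
        nonce = self.pending.pop(id_tag, None)  # a nonce is valid only once
        key = self.card_keys.get(id_tag)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(card_response(key, nonce), response)

def card_response(key, nonce):
    """What a genuine card computes; the key itself never leaves the card."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    static = StaticTokenBackend([ID_TAG])
    cr = ChallengeResponseBackend({ID_TAG: CARD_KEY})
    genuine = card_response(CARD_KEY, cr.challenge(ID_TAG))
    results = {
        "static_accepts_copied_tag": static.authorize(ID_TAG),
        "cr_accepts_genuine_card": cr.authorize(ID_TAG, genuine),
    }
    cr.challenge(ID_TAG)  # fresh nonce for the next session
    results["cr_accepts_replayed_response"] = cr.authorize(ID_TAG, genuine)
    return results
```

With the static scheme, the identifier is the whole credential; with a fresh nonce per session, a response recorded from an earlier session is rejected.
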

Refueling at the expense of others

The weakness affects all the known charging card systems, Dalheimer underlined: besides the top dog New Motion, also, for example, BMW Charge Now, E-forest and charging network. For these he has verified that the roaming protocols for cross-provider billing likewise contain only a single string as the authentication feature. A defrauded user may thus notice only a month later that his card number has been abused.

The tinkerer also took a closer look at specific charging stations from the manufacturers Hager and Keba and found comparable attack surfaces there. Network communication often takes place "via http unencrypted", so that any somewhat experienced hacker can observe the traffic with the open source scanner Ngrep and copy out the card numbers. Where https encryption is used, a "Man in the Middle" attack is possible. Charging stations can also be controlled remotely over the network, and the corresponding devices can be found with Shodan, the search engine specialized in the Internet of Things. Dalheimer, however, asked the audience to leave such openly networked charging stations "in peace". Otherwise "if in doubt, someone could not go home".


If you plug an empty USB stick into the USB sockets of the Hager station, you get the configuration files as a present. (Picture: CC by 4.0 34C3 media.ccc.de)

Screwdrivers are enough

According to the researcher, easy-to-find USB ports for device maintenance offer hackers further playgrounds. To get to the interfaces, you have to undo a few screws in the most difficult case. If you plug your own empty stick into a Hager station, you then find on it a file with revealing contents such as the network configuration, access data and the public endpoint of the OCPP server. This gift only has to be renamed according to the instructions, and it is then loaded as a new configuration, with self-assigned permissions for manipulation.

On Keba devices, administrators can prevent configuration data from being imported, but cannot prevent software updates. The required firmware, which can be modified, can be found on the manufacturer's website. Dalheimer showed on site and in the video how a script of his was executed: with the message "pwned", the charging module indicated that the researcher had obtained root access with all permissions and could display something like "Download today for free." A hacker would be able to extract the card numbers of previous drivers. However, it is also conceivable that a charging station operator could collect the tokens itself, simulate charging processes via an OCPP client and bill users for them.

Operator plays down gap

Overall, Dalheimer found "gaps so obvious that it is actually sad". The entire industry is affected, which is "not good for the whole electromobility". For example, the Dutch Fastned system for automatic charging from ABB takes only the MAC address of the vehicle as an authentication feature. Things probably look no better for the mobile phone apps that can be used as an alternative, or in the backend of the central billing systems.

The charging network operator New Motion has acknowledged, in a statement in an online forum, that charging cards could be copied. So far, however, the association is aware of "not a single case of card fraud". This is probably also because charging costs, currently at most just under € 20 per 100 kilometers, are low. Fraud could also be "very easily revealed", because a vehicle is parked at the charging station for at least 30 minutes on average. During this time, it is easy to trace which charge card is being used. Cardholders could also have a message sent automatically to their smartphone as soon as their account is accessed.

The CCC demands that "the safety of charging stations must finally be brought to the state of the art". Charging network operators should offer their customers secure payment options. For this, the billing data would need to be protected not only within a charging network, but also when roaming between different providers.
A recording of the lecture can be obtained from the CCC's media server.
(Stefan Krempl)



