
IoT Village - Get your next Europe trip free! Long live the vulnerable EV charging points!

Formal metadata

Title
IoT Village - Get your next Europe trip free! Long live the vulnerable EV charging points!
Alternative title
Your next roadtrip free - vulnerable EV charging points
Series title
Number of parts
335
Author
License
CC Attribution 3.0 Unported:
You may use, modify and reproduce the work or its contents, in unmodified or modified form, distribute it and make it publicly available for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
"Electrical Vehicle Charging Points are relatively new in the field and the security level of these devices is quite low at the moment. Unfortunately we see lots of EV charging points connected to the internet. This immaturity brings lots of issues and allows various attack paths, from charging their cars for free to executing remote code and abusing these systems to build a huge botnet such as the next Mirai. As an example, the vulnerabilities found on a specific Electrical Vehicle Charging Point will be presented during this talk. This talk will cover the findings that were already disclosed[1] and fixed, and also cover a quite straightforward denial of service and remote code execution vulnerability that was not acknowledged and fixed by the vendor."
Transcript: English (automatically generated)
Today, I will talk about EV charging points. Basically, I will just explain a specific one that I found in Europe, and basically you can use it everywhere in Europe. I will also show the map, then you can imagine. I'm John Kurnas from KPMG Netherlands. I'm working as a senior consultant and mostly doing penetration tests on web applications, infrastructure, and sometimes also IoT and ICS. Sorry? Okay. Alright. Great, great.

Okay, this is my contact info. If you want to ask something or discuss something on IoT or ICS, please don't hesitate. For a disclaimer, basically, I did this research by myself and my company is not involved in that, so if someone wants to sue me, just sue me, not my company. And I'm a little bit nervous because this is the first recorded presentation of mine, so that's why I feel a little bit nervous. Please help me.

So, on the agenda, we will talk about the introduction to EV charging points, then I will try to explain the threat that I found, then we will discuss the consequences, then we will go into the details, and I will explain more details. Then I will show you just a small Metasploit module that you can use to make a denial of service on this EV charging point. This is a basic, small module, but you can use it. So, let's start.

So, this is a 100% Sun Tzu free infosec talk, because you probably have a lot of quotes from Sun Tzu in the presentations these days, so I will just skip that.

EV charging points, electric vehicle charging points, are somewhere between IoT and ICS/SCADA. So, basically, an electric vehicle charging point is a device that supplies electric energy to recharge your electric vehicle, and nowadays manufacturers are trying to connect these devices to the internet, and that makes a little bit of trouble for them, and also for the clients. Previous research was done for ChargePoint, another, let's say, manufacturer; this research was done by Kaspersky Lab, and for the Schneider EVlink, Positive Technologies has done a couple of pieces of research on that. So, basically, the idea is they are relatively new in the field, and they are just built to work, so security is not a concern in the beginning, but since they are connecting to the internet, now it's a problem. So, based on these previous researches, and also mine, we consider the security maturity quite immature on these devices.

So, basically, I completed an engagement for these devices, a couple of them, last year, actually. Then, when I was writing the report, I just wanted to check if I had written the name correctly, so I just googled the name of the device, as you can see over there, and it showed up on the first page. Then I said, what? Yeah, basically, I mean, you are not expecting these kinds of devices to be connected directly to the internet and indexed by Google, right?

So, let's discuss the threats. After that, I checked Shodan, and I realized, with this map, so basically at the beginning of 2018 there were 200 devices connected directly to the internet and indexed by Shodan. Then, in the middle of 2018, it came up to 300, and, as you can see on the map, it's all around Europe. So, basically, if you create a smart map, you can travel around freely by using these charging points, because basically you can compromise the device on the internet and you can charge your car, and I will also show that later. So, now, this is a new one. They are appearing in the U.S. also now. Maybe, I don't know, at the end of this year or next year, you can also do it here.

So, the consequences. So what? Basically, you can compromise the device, and you can get root. So, if you want to create your next Mirai by using these devices, you can.

And the details. So, the first vulnerability that I found on this device is authentication bypass with a direct request. The web applications of these devices mostly are not secure enough. So, it's a quite straightforward vulnerability, as you can imagine. The application was not that good; basically, it's broken. The access control was only on the login page, and the rest is not that secure; it wasn't covered by the authentication scheme. So, it can be easily bypassed. As you can see here, there's a login screen over there for the setup.html page. It's, let's say, the first page that you see when you try to connect to the device, after you find the IP. So, I mean, you can also guess the password, of course, but I decided to take a look at the source code of the web application, and, yeah, basically, by first browsing, you can go to the other pages of the web application, I will show you later, then you can have access to the other pages. Basically, it will also affect the management interface of that device.

So, let me check the source code. We realize there are a couple of pages, except setup.html, like index.html, and also there's a Java file, appletscaler.jar, and also a couple of, let's say, informational sub-pages, like repository, device ID and logs. You can also check the logs, but I'm not considering checking that because it's just an information disclosure. So, I tried to connect to the management interface by using, as you can see here, the appletscaler client; it's in index.html. So, yeah, it was successful. There was no authentication for this page specifically, so even if the device has some password for the setup.html page, you can just browse the other page, like index.html, then you can connect to the device and you can control the device.

So basically, as you can see on the screens, there are two plugs, A and B, and you have full control of these two plugs. So, what can be done with this? I don't know, you can put it to remote start, click remote start, then you can charge your car freely. Then an attacker may abuse this to get some, let's say, power from that and also charge the car. And what if they click remote stop? Let's think about it: someone is connected to the EV charging point and charging their car, and you are just clicking remote stop, and after he comes from his work, his office, he realizes the car has not been charged. And also you have an option that you can disable the plug. So basically, if you click disable, then the charging point will be turned off, so it will be disabled. It's sort of a denial of service. And sometimes it's also another possibility that you can lock the connector, so when you lock the connector, it will just stop connecting to the device. So, basically it has some sort of, I don't know how you call it, hook for the connector, because we don't want someone to steal the cable when we are charging. So, if you lock that connector, someone else also would not plug in. So, as you can see here, these bolts are now open, quite ready for charging, but if I click remote start, as you can see, it's starting to charge and also locking the device. And at the same time, you can also stop it.

So, let's come back to the source code of the web application, then you realize we have Java code over there, right? So, for downloading this Java application, also there is no authentication, so if there is authentication on the web server, web application, you can freely download this application, and then you have control of all these charging stations. You only need to provide the IP address of the other charging points, because the Java application doesn't have any authentication, it just gets the IP, then you can control the other devices. So, you can hack all these devices by using this Java application. So, yeah, there I am downloading the Java application, and I'm just running it, then it asks me for the IP address of the device, then you are connecting to any device, and you can freely control it.

So, the other vulnerability that I found on these devices is also quite straightforward, OS command injection on the web application, and the thing is, you need to provide the password for connecting to setup.html, I mean, if there is a password and you couldn't guess it, or you couldn't find it, it doesn't work of course, but mostly these devices don't have any password; they are not setting this up. So, the ping feature, of course, as you can imagine, is vulnerable to OS command injection attacks, and the attack surface, as you can see before, the connected ones are already indexed by Shodan, by Google, I know, yeah, it's really easy to find these devices, basically. So, let's increase the attack surface: most of the EV charging stations don't have any authentication on the setup page, so they are not, yeah, as I mentioned before, they are not setting up the passwords, mostly. And, after accessing this setup.html page, somehow, if you provide the password or if you find it without the password, it's really quite straightforward to exploit it by using the ping IP feature. So, I am just using the backticks to run my command; I just tried to create another page for the web application to see if my command works, then it works. And I realized I can run commands on these devices, basically. I just used the backticks; as you know, everything you type between the backticks is executed by the shell just before the main command. So, the main command was the ping, but when you are writing the backticks, it was running the command that you write over there.

So, let's double the attack surface, increase the attack surface. Using a default password is encouraged by the vendors, because it's written in the vendor's manual that I will show you now. Let's check this. It's recommended leaving the default settings according to the table below. The default user is admin and the password is 1234. It was in the owner's manual. And it's also possible to find it online.

So let's give some more details. I tried to run some commands and I succeeded, then I created my reverse shell by using msfvenom; the device was using an ARM processor, so I created it for ARM, and created the executable Linux file because it was quite easy to run it. Then I tried a couple of times, of course I failed a couple of times before, then somehow it worked at some point. I also created a Python simple HTTP server to download my payload to the device. And I also created a listener to get a connection back to me, and I used curl to download my payload to the device, and yeah, after a couple of trials, I succeeded, then I ran the executable Linux file, then I got the shell. Like that. Quite smooth. And then I realized, you can imagine, you can create your own bots by using these devices, or, I don't know, you can use it for something else.

Then I reported that to ICS-CERT in the middle of 2018; I reported it and it took almost 5 months to get the response, and after this discussion, ICS-CERT acknowledged it and also discussed it with the vendor. They fixed it somehow; they fixed it for, not for all the vulnerabilities, not for the remote code execution, because I think they couldn't do it. They told me they fixed it; I also tried again with the new firmware, I did it again, at least I broke the device again, so I couldn't get the shell back, but I just broke the device. But they told me they fixed it. I already warned them. Yeah.

So, as a bonus, I created a Metasploit module for denial of service, because denial of service is quite easy: you just write a reboot by using it with backticks, that's all. So, yeah, because I'm quite lazy, I didn't want to create a whole remote code execution module for that, so I just saved my POST request, and I created a module by using the POST request, and that's all. I'm planning to share the PLC module at the end of DEF CON, and this is all I have. Thank you very much for joining me, and if you have any questions, or if you want to contact me, please don't hesitate. Thank you very much.
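The two web-application weaknesses the talk walks through, access control enforced only on the login page and a ping field whose argument reaches a shell, can be closed as shown in this added example (my own Python, not code from the talk, the device or its vendor); the paths, session model and ping arguments are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending
# with a hyphen (constructed, RFC 1123 style, deliberately conservative).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Assumption: only the login page is reachable without a session.
PUBLIC_PATHS = {"/login.html"}


def validate_ping_target(target: str) -> Optional[str]:
    """Accept a bare IP address or hostname; return None for anything else.

    Shell metacharacters such as backticks, ';' or '|' never match this
    grammar, so they are refused before any command line is assembled.
    """
    target = target.strip()
    if not target or len(target) > 253:
        return None
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    if labels and all(_LABEL.match(label) for label in labels):
        return target
    return None


def build_ping_argv(target: str) -> List[str]:
    """Argument vector for ping; meant for exec in list form, never a shell."""
    safe = validate_ping_target(target)
    if safe is None:
        raise ValueError("rejected ping target")
    return ["ping", "-c", "4", safe]


def handle_request(path: str, token: Optional[str], params: Dict[str, str],
                   sessions: Set[str]) -> Tuple[int, object]:
    """Deny-by-default dispatcher: every page, including index.html and the
    applet jar, needs a valid session token; only PUBLIC_PATHS are exempt."""
    if path not in PUBLIC_PATHS and token not in sessions:
        return (302, "/login.html")
    if path == "/ping":
        try:
            return (200, build_ping_argv(params.get("host", "")))
        except ValueError:
            return (400, None)
    return (200, None)
```

A real handler hands the returned argv to subprocess.run(argv) in list form, so the operating system receives the target as a single argument and no shell ever parses it.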