EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE
UtiliNet Europe Cyber Security Workshop, Brussels, Belgium
Dr. Christian Hille, Dr. Manuel Allhoff, P3 group
17th May 2018
P3 GROUP PROFILE
With more than 3,800 engineers and consultants, we support customers all over the world.
OVERVIEW
P3 was founded in 1996 as a spin-off of the Fraunhofer Institute for Production Technology (IPT) at RWTH Aachen.
MORE THAN 3,800 ENGINEERS AND CONSULTANTS ACROSS THE GLOBE
P3 is a privately owned company with more than 3,800 consultants and experts in about 36 locations. 180 of them work in the field of electric mobility and a further 70 in the field of security. The majority of employees have a technical or scientific background. In 2017 the annual turnover of P3 was more than 360 million euros. Operational activity is carried out by sector-specific subsidiaries.
BUSINESS AREAS: ENERGY, COMMUNICATION, AUTOMOTIVE, AVIATION
15th March 2018
MOTIVATION
The market launch of electric mobility and the development of charging infrastructure come along with critical risks.

Charging infrastructure is important
In the future the significance and the number of public charging points will strongly increase.
[Chart: number of charging points]
  2015:            5,800 public charging points, of which 150 fast charging points
  2016:            7,400 public charging points, of which 290 fast charging points
  2020 (forecast): 36,000 public charging points, of which 7,000 fast charging points
Implications: capacity/energy demand of the charging infrastructure; share of e-mobility in total mobility; charging frequency.

Charging infrastructure is vulnerable
- Charging points are generally unmanned and partly located in remote areas; physical protection often cannot be guaranteed.
- They are connected to a backend in which sensitive customer data is stored and processed.
- More and more frequently charging points are operated with intelligent charging concepts.
- The charging station infrastructure (CIS) is therefore open to potential attacks.

Charging infrastructure is critical
Thresholds for critical infrastructure, e.g. in Germany:
- threshold value for critical infrastructure: 500,000 persons
- threshold value for energy supply: 420 MW
In the future, 420 fast charging parks with 1 MW each (e.g. bundled in one system) can be classed as critical infrastructure. Attacks on charging infrastructure have a direct impact on energy supply and on traffic infrastructure.
SECURITY OF CHARGING INFRASTRUCTURE
Approach for a security analysis of charging infrastructure

1 IDENTIFICATION OF POTENTIAL ATTACK VECTORS
1. Physical aspects of the charging station: hardware, e.g. breaking open the case
2. Information technology aspects (TCP/IP) of the charging station: HTTP, Secure Shell (SSH), other services incl. the mobile network
3. Information technology aspects (TCP/IP) of the backend system: HTTP, other services

2 APPROACH FOR THE SECURITY ANALYSIS
1. Preparation / reconnaissance
2. Information gathering (especially via further interfaces, e.g. USB, RFID, ...)
3. Evaluation of the information
4. Execution of attacks
5. Analysis and report

Risk level matrix (likelihood vs. impact; cell values as on the slide):

  Likelihood | No impact | Minor | Major | Very severe
  High       |     0     |   5   |   3   |      1
  Medium     |     1     |   7   |   2   |      0
  Low        |     2     |   2   |   4   |      4
  Very low   |     4     |   6   |   3   |      8

3 IMPLEMENTATION OF A SECURITY ANALYSIS FOR HTTP SERVICES (EXAMPLE)*
1. Authentication, e.g. password lists
2. Authorization, e.g. privilege escalation
3. Session testing, e.g. session stealing
4. Input validation, e.g. SQL injection
5. Encryption validation
6. Client-side testing, e.g. cross-site scripting, JavaScript execution, etc.
* OCC protocol tests are also possible
SECURITY OF CHARGING INFRASTRUCTURE
Identification of potential attack vectors
[Diagram: actors and data flows] Actors: Electric Vehicle (EV), User, Mobility Provider, OEM (hard-/software), Charging Station, Chargepoint Operator (CPO), Distribution System Operator (DSO), Other Customers. Legend: attack vector, contract, data, data exchange, temporary data exchange, metering, electricity.
TEST ENVIRONMENT
Setting of the test environment
- Communication and authentication module (charging station): network 1 = mobile network; network 2 = 10.0.0.23
- Test client: network 1 = P3 WLAN network; network 2 = 10.0.0.100
- Network 1 leads via the Internet to the backend; network 2 is the local test network 10.0.0.0
ATTACK VECTORS
Attack vectors: paths to breach the charging infrastructure
[Diagram: Internet, Electric Vehicle, Charging Station, Backend, with the attack vectors marked]
ATTACK VECTORS
Attack vector discussed next: the charging station.
RESULTS
Reconnaissance reveals services that can be attacked
Available services on the charging station:
- SSH (22/tcp open)
- HTTP (80/tcp open)
- HTTPS (443/tcp open)
- SOAP (9080/tcp open)
Operating system fingerprint: Linux 2.6.32 or 3.10.
The same services are available on the mobile network interface. Hence, the services can be attacked via the mobile network interface even without physical access.
RESULTS (PORT 22 - SSH)
Example: SSH uses a weak key-exchange algorithm and is vulnerable to brute force
SSH access
- The SSH service is used for maintenance (e.g. updates).
- Weak key-exchange algorithm in use: diffie-hellman-group1-sha1 (1024-bit group with SHA-1). This gives an attacker the (theoretical) possibility of recovering the session encryption key from recorded traffic.
- Brute-force attack (systematic evaluation of all possible credentials, using the tools Hydra and Medusa): there is no protection against brute force, so it is efficient to perform.
- With a known password schema: 10,000 possible combinations.
- The brute force can run in parallel (e.g. 12 processes): approx. 8 minutes for 10,000 user/password combinations.
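Both SSH findings above map directly onto sshd_config settings. The following script is added here as an illustration and is neither code from the talk nor P3's tooling: it parses an sshd_config and reports the SHA-1 key exchange and the missing limits on password guessing. The two configuration texts inside it are constructed to mirror the findings and are not the station's real file; the extra SHA-1 methods in WEAK_KEX and the hardened values are assumptions about a reasonable policy, not settings from the slides.

```python
"""Audit an sshd_config for the weaknesses found on the charging station:
a SHA-1/1024-bit key exchange and no limit on password guessing.
Added example; the two configurations below are constructed, not the
station's real file."""
import re

# diffie-hellman-group1-sha1 is the method the station offered. The other two
# are listed as an assumption: they also rely on SHA-1 and a hardened policy
# rejects them as well.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}


def parse_sshd_config(text):
    """Map lower-cased option name -> value, keeping the FIRST occurrence of
    each option (sshd ignores later duplicates). Comments and blanks skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if m:
            cfg.setdefault(m.group(1).lower(), m.group(2).strip())
    return cfg


def audit_sshd_config(text):
    """Return a list of finding strings; an empty list means nothing found."""
    cfg = parse_sshd_config(text)
    findings = []

    kex = cfg.get("kexalgorithms")
    if kex is None:
        findings.append("KexAlgorithms not pinned: the sshd default decides what is offered")
    elif kex[0] in "+-^":
        # Relative lists modify the built-in default; the effective set is only
        # visible via 'sshd -T', so flag it rather than guess.
        findings.append("KexAlgorithms is relative (+/-/^): verify the effective list with 'sshd -T'")
    else:
        offered = {k.strip() for k in kex.split(",")}
        for weak in sorted(offered & WEAK_KEX):
            findings.append(f"weak key exchange offered: {weak}")

    # Online guessing needs password authentication and many tries per connection.
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication enabled: credentials can be guessed online")
    tries = int(cfg.get("maxauthtries", "6"))  # 6 is the sshd default
    if tries > 3:
        findings.append(f"MaxAuthTries={tries}: too many guesses per connection")
    return findings


# Constructed to mirror the slide's findings (weak kex, brute force unhindered).
STATION_CONFIG = """\
Port 22
Protocol 2
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
PasswordAuthentication yes
# MaxAuthTries left at the default
"""

# Hardened counterpart (assumed policy): modern key exchange only, key-based
# maintenance logins, few guesses per connection. A per-source lockout
# (e.g. fail2ban) is still needed on top; sshd_config cannot express it.
HARDENED_CONFIG = """\
Port 22
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
"""

if __name__ == "__main__":
    for name, cfg in (("station", STATION_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

Run it against `/etc/ssh/sshd_config` of a station image before shipping; on a running box, `sshd -T` prints the effective configuration and is the safer input when relative (+/-/^) lists are in use.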
RESULTS (PORT 80/443 - WEB SERVICE)
Example: Encryption with a self-signed certificate and insecure processing of login data
Web service
- The web service is used for setting up the charging station.
- Port 80 redirects to port 443 (self-signed certificate with a SHA-1 signature).
- The login of the web site runs over an unencrypted channel.
- The password is hashed locally (in the browser) with MD5, an insecure hashing algorithm. A hashed password is only another representation of the password: reconstruction of the password with a man-in-the-middle (MitM) attack is possible, and the captured hash itself is already sufficient to log in.
- Better: transmit the password over a secure channel and hash it on the server (not on the client).
- The user credentials are processed by JavaScript that refers to the file /opt/tm/etc/lighttpd/ssl/webconftool/.passwd, which contains the credentials for the web site login.
RESULTS (PORT 80/443 - WEB SERVICE)
Example: Login without knowledge of the user credentials is possible
Web service login procedure
- A session storage entry (cookie) indicating that the user is logged in is added locally by the browser.
- A cookie is a text file saved locally on the computer, and text is always changeable; "local" implies that the user can modify the entry.
- The login procedure only evaluates whether the entry exists, not whether it is valid.
- Therefore a successful login is possible as follows:
  1. The attacker creates the session storage entry.
  2. The attacker adds an entry with the key username and no value.
  3. The attacker calls the success function via the web browser (no real check takes place).
- All users have the same rights in the system.
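The two web findings above (a client-side MD5 hash that is itself the credential, and a login state that exists only in the browser's session storage) share one root cause: authentication is decided on the client. The following Python sketch is added here as an illustration and is not code from the talk or from the station's web configuration tool. It puts the vulnerable logic next to a server-side version: salted PBKDF2 verification of a password sent over TLS, and an HMAC-signed, expiring session token that the server checks on every request. The user name, password and secret are constructed, and the token format is an assumption.

```python
"""Client-decided vs server-decided login. Added example; all users,
passwords and secrets are constructed. The vulnerable half mirrors the
slides: the browser hashes the password with MD5 and stores a 'logged in'
marker in sessionStorage; the check only asks whether the marker exists."""
import hashlib
import hmac
import os
import secrets
import time

# ---------------- vulnerable pattern (as found on the station) ----------------
# The .passwd file holds MD5 hashes; the JavaScript sends MD5(password).
VULN_PASSWD = {"admin": hashlib.md5(b"station123").hexdigest()}  # constructed


def vuln_login(username, client_md5):
    """Compares the hash the client sent with the stored one. Anyone who
    sniffs client_md5 on port 80 can replay it: the hash IS the password."""
    return VULN_PASSWD.get(username) == client_md5


def vuln_is_logged_in(session_storage):
    """Mirrors the slide's check: key present -> logged in, value ignored."""
    return "username" in session_storage


# ---------------- hardened pattern (assumed design) ----------------
SERVER_SECRET = secrets.token_bytes(32)  # per deployment, never sent to clients
PBKDF2_ROUNDS = 200_000


def make_password_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


USERS = {"admin": make_password_record("station123")}  # constructed


def issue_token(username, now=None, ttl=900):
    """Token = username:expiry:HMAC-SHA256(secret, username:expiry)."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{username}:{exp}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{tag}"


def verify_token(token, now=None):
    """Return the username if the tag matches and the token is unexpired,
    else None. Existence of a token means nothing; its signature does."""
    try:
        username, exp, tag = token.rsplit(":", 2)
        exp = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, f"{username}:{exp}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    if (time.time() if now is None else now) > exp:
        return None
    return username


def hardened_login(username, password, now=None):
    """The password travels over TLS and is hashed on the server; on success
    the server, not the browser, creates the session."""
    rec = USERS.get(username)
    if rec is None:
        return None
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, digest):
        return None
    return issue_token(username, now)


if __name__ == "__main__":
    print(vuln_login("admin", VULN_PASSWD["admin"]))   # replayed hash: True
    print(vuln_is_logged_in({"username": ""}))          # forged marker: True
    token = hardened_login("admin", "station123")
    print(verify_token(token), verify_token(token.replace("admin", "root", 1)))
```

The hardened half still needs TLS with a trusted certificate in front of it, otherwise the plaintext password is exposed in transit exactly as the hash was; the point of the sketch is that nothing the browser stores or computes is treated as proof of identity.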
ATTACK VECTORS
Attack vector discussed next: the backend.
RESULTS
Reconnaissance reveals services that can be attacked
Available services on the backend (brute-force column as evaluated on the following slides):

  Service | Port | Brute force possible?
  FTP     |   21 | no (connection dropped after a few tries)
  HTTP    |   80 | yes
  HTTPS   |  443 | n/a
  OpenVPN | 1194 | n/a
  SSH     | 2401 | yes
  MySQL   | 3306 | yes

Determining the operating system was not possible, most likely because of the firewall in use; however, a good assumption is available.
RESULTS
Example: Evaluation of a brute-force approach to breach the system
Experiment to evaluate the running time of brute-force attacks on various services (no real attack, just a check of feasibility):
- Identical list of 10,000 user/password combinations.
- A single-threaded brute-force attack needs about 13 minutes against the Apache Tomcat server, about 10 minutes against the MySQL service and about 27 minutes against the SSH service (roughly 80 ms, 60 ms and 160 ms per attempt).
- For an attacker it is therefore only a matter of resources to breach the system's services.
RESULTS (PORT 21 - FTP)
Example: Brute force against FTP and evaluation of an available exploit
FTP
- A brute-force attack on the password is not possible, because the FTP software drops the connection after a few failed tries.
- Common Vulnerabilities and Exposures (CVE): the public database of known IT vulnerabilities, sponsored by the US Department of Homeland Security.
- CVE-2015-3306 (CVSS score 10.0) for ProFTPD 1.3.5 (and older versions) was found, but the exploit was not successful.
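The contrast between the previous two slides (unlimited guessing against Tomcat, MySQL and SSH versus the FTP daemon that cuts the connection after a few tries) is a server-side rate-limiting decision. The following Python sketch is added here as an illustration and is not code from the talk: it implements such a guard, keyed on both the source address and the target account, and replays a constructed 10,000-entry list at the 78 ms per attempt measured against Tomcat, once without and once with the guard. The thresholds, the client address and the account are assumptions.

```python
"""Online brute-force throttling. Added example; the candidate list, source
address, account and thresholds are constructed, not values from the test."""
from collections import defaultdict


class LoginGuard:
    """After max_failures failed attempts for one key within window seconds,
    refuse that key for lockout seconds. Keys are both the source address
    and the target account, so neither a single-user dictionary attack nor
    password spraying across accounts gets unlimited guesses."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}

    def allowed(self, key, now):
        return now >= self.locked_until.get(key, 0)

    def record_failure(self, key, now):
        recent = [t for t in self.failures[key] if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent = []
        self.failures[key] = recent


def attempt(guard, src_ip, user, password, check, now):
    """One login attempt; returns 'locked', 'ok' or 'fail'.
    guard=None reproduces the unthrottled services from the experiment."""
    keys = (f"ip:{src_ip}", f"user:{user}")
    if guard is not None and not all(guard.allowed(k, now) for k in keys):
        return "locked"
    if check(user, password):
        return "ok"
    if guard is not None:
        for k in keys:
            guard.record_failure(k, now)
    return "fail"


def is_valid(user, password):
    """Constructed target account for the replay."""
    return user == "admin" and password == "correct horse"


def run_dictionary_attack(guard, candidates, per_try=0.078):
    """Replay a Hydra-style (user, password) list from one address at the
    rate measured against Tomcat (10,000 tries in about 13 min = 78 ms each).
    Returns (guesses the server actually evaluated, outcome)."""
    evaluated = 0
    for i, (user, password) in enumerate(candidates):
        result = attempt(guard, "203.0.113.7", user, password, is_valid, now=i * per_try)
        if result == "locked":
            return evaluated, "locked out"
        evaluated += 1
        if result == "ok":
            return evaluated, "breached"
    return evaluated, "exhausted"


# 10,000 wrong guesses from a known password schema, then the right one.
CANDIDATES = [("admin", f"pw{i:04d}") for i in range(10_000)] + [("admin", "correct horse")]


def compare():
    """Outcome without throttling and with the guard enabled."""
    unguarded = run_dictionary_attack(None, CANDIDATES)
    guarded = run_dictionary_attack(LoginGuard(), CANDIDATES)
    return unguarded, guarded


if __name__ == "__main__":
    print(compare())  # ((10001, 'breached'), (5, 'locked out'))
```

The per-account key matters as much as the per-address one: Hydra and Medusa can spread the same list over many source addresses, and the slide's parallel run (12 processes) is exactly that kind of spread. A lockout keyed only on the address would be defeated by it; a lockout keyed only on the account lets an attacker deny service to legitimate users, which is why both are tracked and the window is bounded.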
RESULTS (PORT 80 - WEB SERVICE)
Example: No encryption is used for the data transmission
Web service
- The web service is used for maintaining and monitoring the charging station infrastructure.
- It contains customer data and therefore deserves protection.
- Data transmission is unencrypted.
- The server generates cookies for each user: the cookie LOGIN equals the username and the cookie PWD equals the MD5 hash of the password.
- Thereby login becomes possible by reading the credentials from the data traffic, or by stealing a valid cookie.
RESULTS (PORT 80 - WEB SERVICE)
Example: SQL injection with sqlmap is possible
Web service
- The login page (index.php) and further pages running in the background are vulnerable to SQL injection.
- SQL injection: a request to the database that exploits a vulnerability in the input handling to cause unexpected behaviour.
- Thereby reading of the databases, which contain e.g. customer information, becomes possible.
- However, writing to the databases is not possible (no INSERT/UPDATE statement can be placed within the SELECT statement).
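What sqlmap automates against the index.php login above can be shown by hand against a small in-memory SQLite database. The following Python example is added here and is not code from the talk or from the backend; table names, columns and rows are constructed. It shows the read access the slide describes (authentication bypass and a UNION read of a customer table through the login query), why a write through the same query fails when the SELECT cannot carry an INSERT and the driver refuses a second statement, and the parameterized query that closes the hole. Whether the backend's PHP/MySQL setup blocks writes for the same reason is not stated on the slide and is not claimed here.

```python
"""SQL injection on a login query, vulnerable vs parameterized. Added
example against an in-memory SQLite database; all names and rows are
constructed and do not come from the backend under test."""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(login TEXT, pwd_md5 TEXT);
        CREATE TABLE customers(name TEXT, rfid_token TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO customers VALUES ('Alice Example', 'RFID-0001');
        INSERT INTO customers VALUES ('Bob Example', 'RFID-0002');
    """)
    return db


def vuln_login_query(db, login, pwd_md5):
    """index.php-style login: user input pasted straight into the SQL text."""
    sql = f"SELECT login FROM users WHERE login='{login}' AND pwd_md5='{pwd_md5}'"
    return [row[0] for row in db.execute(sql).fetchall()]


def safe_login_query(db, login, pwd_md5):
    """Same query with bound parameters: the input can never become SQL."""
    sql = "SELECT login FROM users WHERE login=? AND pwd_md5=?"
    return [row[0] for row in db.execute(sql, (login, pwd_md5)).fetchall()]


# Payloads an attacker (or sqlmap) would send in the login field.
BYPASS = "admin' --"                                                   # comments out the password check
READ_CUSTOMERS = "' UNION SELECT name || ':' || rfid_token FROM customers --"  # reads another table
STACKED_WRITE = "'; INSERT INTO users VALUES ('evil', 'x'); --"         # tries to turn the read into a write


def try_stacked_write(db):
    """A SELECT cannot carry an INSERT, and sqlite3's execute() refuses a
    second statement outright, so the write is refused: the read-only
    outcome the slide reports. Returns 'refused' or 'written'."""
    try:
        vuln_login_query(db, STACKED_WRITE, "x")
    except (sqlite3.Warning, sqlite3.Error):
        return "refused"
    return "written"


def user_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print(vuln_login_query(db, BYPASS, "x"))           # ['admin']
    print(vuln_login_query(db, READ_CUSTOMERS, "x"))   # customer rows via the login page
    print(try_stacked_write(db), user_count(db))       # refused 1
    print(safe_login_query(db, BYPASS, "x"))           # []
```

"Read-only" is a property of this particular query and driver, not of the attacker: the customer data leaks regardless, and other injectable pages on the same backend may sit in UPDATE or INSERT statements. Parameterized queries remove the distinction.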
SUMMARY
Various attack vectors have been evaluated and vulnerabilities with serious impact have been revealed
Summary
- Charging station infrastructure becomes more and more important in the near future.
- In this talk, three possible attack vectors on the charging station infrastructure have been evaluated (more vectors are possible).
- Vulnerabilities (brute force, CVEs, SQL injection, unencrypted communication channels, ...) were identified for all services.
- IT security principles should be considered from the beginning of a system's development to reduce both the likelihood and the impact of a breach!
THANKS FOR YOUR ATTENTION!
Dr. Christian Hille, Managing Director
Christian.Hille@p3-group.com
+49 (0)151 27654612