infrastructure for electric vehicles, extension instead of security, and we are Pink Dispatcher and Cati. And okay, please a big welcome and a warm hand for Mathias Dalheimer, who is talking about electric vehicle charging infrastructure.

Thank you very much. I don't know how you feel, but this year was a year in which electric vehicles suddenly became sexy. This is maybe because of Tesla, and whatever you think about Tesla, they managed to get the electric car out of the ecological corner and turn it into something that you want to have, and you can see that in the new car registration numbers. Here are the statistics for new registrations from the German registration office, only for electric vehicles. Up to 2010 there is not really much happening at all; there were no really attractive cars. Then around 2010 there is a small increase, and last year the new registrations suddenly doubled. That means electric mobility has arrived somehow and has matured to the point where it works in practice, and of course you can see that in the new registration numbers. At the same time the charging networks are growing. With an electric vehicle on a long trip you need to go to a public charging point, and you want to see that there are many of these points along your route; there are directories for that which show growing numbers. This is a map from NewMotion, and in Berlin they have a growth of 3,780 percent. That is in charging events, how many times people charge their car at a public point. So the question is: if there is an increase in electric mobility, and the charging networks grow with such big growth figures, how does the growth work? Is it sustainable? Are there security vulnerabilities? How does it work? Does it work at all? That is what I am going to talk about today.

I think only very few of you have already charged an electric vehicle, so here is a small film. You take out your charging cable and plug it into the charging point (this one is from Energy in Kaiserslautern), I turn on my electric vehicle, and then I can connect a consumer. This waffle iron is really nasty, by the way, don't use it. In the end such a charging point is just a plug, just an outlet. I am not going to explain exactly how this AC charging technology works in general; if you are interested in that, there is more documentation at this URL, and you can find instructions for building this adapter there.

Today there are three ways to charge an electric vehicle. The first is AC, alternating current or three-phase current, and that is what I got from the charging point. You can see a triple charging point in Kaiserslautern here, and the wire that goes to the side to the car is the standard alternating current charging. There are two other ways, both direct current. One is CHAdeMO from the Japanese; that is a charging mode where the car communicates with the charging point over the CAN bus. The advantage of DC charging is that you don't need to have the alternator in the car; you can leave it in the charging station, so there can be a big, even heavy, one in the charging point and the cars share that device. It also means that the charging point needs to communicate with the battery, and that goes over the CAN bus. That is CHAdeMO, the Japanese variant. The German car industry has a different standard, which they made up themselves, called CCS, the Combined Charging System: there is power line communication between the car and the charging point, and they both talk IPv6. Today I am not really talking about DC; what I do today is about AC. I have two charging points here, simply because they are cheaper. Such a triple charger from ABB costs about 30,000 Euros, and that is equipment I don't really have available, so I have these relatively small charging points that I brought along today.

Another word about my car adapter, this one here. On one side there is the Type 2 plug, which is really a three-phase current plug with some communication, and in the end it is really just three-phase current. In the middle, in this box, there is a little circuitry. Why do you need that? If you go to a charging point and connect your car to it, you have the problem that there is no protective conductor, because your car is on rubber tyres and insulated from the earth, so all the electrical protection measures such as residual current protection don't work. So the car is always grounded via the charging point, and the charging point always checks the grounding; there is protective conductor monitoring. There is also a small charging control system, with which the charging point can tell the car: please don't draw more than such and such amperes, otherwise I'll shut you down. As shown in the films, I really only use two switches. One is this one, from Autodar; it is not really in the car, in reality it is always on in the car, but in my test box it has been added so I can separate the car from the charging point without undoing the plug. The second is the charging request: with that switch the car can say to the charging point, I need current, please turn it on, or, my batteries are too warm, I need a break, please turn off the charging current. That is all that happens. The entire thing is described under this URL, and please build it yourself, it is a very simple analog circuit, but always, always know that you have three-phase current up to 380 amps, which is very dangerous, can kill you, and hurts a lot, and you are talking to someone who knows about these things.

So why am I interested in this? I am working at the Fraunhofer Institute for Technical and Economic Mathematics in Kaiserslautern, and we decided on
this site to build charging points for employees here. It looks like a carport with 12 charging points, and employees can charge their car there. Since this is the civil service, we need some way of billing the employees so that they can pay, and we need infrastructure and a process for that. If you talk about billing for electromobility, you very quickly arrive at this protocol: the Open Charge Point Protocol, OCPP. It is a protocol that is used in basically all public charging points; it regulates the communication between a management and billing back end on one side and the charging point on the other side. Most charging points speak protocol version 1.5, which is based on HTTP and XML and is relatively old, from 2012. There are successors to that, but they have not really been implemented in the charging points, so this is currently the state of the art.

So how does it work? I started reading the protocol specification. For example, when starting a charging process, the following happens. There is the charging point, that is my box, and there is the central system, the management and billing back end working in the background. I go there with a charging token (what that is, I will tell you right away), and the charging point sends an Authorize request to the central system. The central system looks at it and says, okay, he is entitled to charge. When the charging process starts and the car starts drawing current, there is a second message, the StartTransaction request, which needs the charging token again and transmits the counter value from the measurement device in the charging point. That is how it works. If you look at the Authorize request in the WSDL schema, you find that it is just a sequence with one element, the idTag, and this tag is used exactly once and has the type IdToken. So far so good. If you look at this IdToken, you find that it is just a string with a length of 20. About 20 minutes of thinking about it and reading was enough to find that this is really not what I expect of a billing solution. I had expected some signature, some challenge back and forth, some negotiation, at least something where both sides, the back end and the charging token, do something and negotiate something. But this doesn't happen: it is simply a string which is transmitted, and if the string has the correct value, I get current.

So I started looking at these charging tokens in detail. These are several from two companies. One is NewMotion, which is nice because NewMotion just sends you five tokens if you fill in a web form, in two variants, a key fob and a charging card. The thing you see in the foreground is my charging card from the municipality of Kaiserslautern; they have a network called Ladenetz and I bought it from there. If you have a card like that from your municipality, it is probably from Ladenetz, because almost all cities use that. This one here is a Swiss army knife, basically; it doesn't have the full range, but it is enough to use for this. Something else is the ChameleonMini, which I use to simulate a charging card. In general these are just reading devices and simulators to simulate an NFC card. So I tell it: tell me what you know about this card. Just reading: there is a UID, which I changed to BAD; usually that is some kind of hexadecimal number. This is the charging card number. I wanted to use real data, but I decided to use BAD. Some of you already smiled, because the charging card type is MIFARE Classic. MIFARE Classic might ring a bell, because we had a talk about this 10 years ago by Karsten Nohl and Henryk Plötz, who showed us that the proprietary crypto on the cards is broken. Well, that was 2007, and into 2010 there were quite a few publications about this topic, and nowadays it is too simple to read MIFARE Classic and to simulate it, because the whole crypto implementation is broken.

So I looked at the card a little closer, and as you can see, you can't see anything. This is one of the blocks on the card; there are just zeros written in it, default keys and default access conditions. So this is basically everything I have; the only difference is the UID, the small rectangle up there, and everything around it is just manufacturer IDs and some bits we don't actually need and can ignore. So such a charging card is empty, and to tell them apart you use the card number, basically. This is kind of strange, because the card number is used for something else: if you put your wallet onto a reader, there might be more cards than one in your wallet, so the ISO norm has this so-called anti-collision loop, so that a card reader can enumerate all these cards and say, card five, I want to talk to you, and all the others have to be quiet. This is nfc-list, a different tool I used to read the card; this works pretty well. The first one has the following UID, and the second one is still my BAD card. That is what it is made for, basically. To summarize: the management protocol of the charging infrastructure is based on authentication with a string of 20 characters, the only thing that differs is a publicly readable, non-cryptographic thing that you can read anywhere, and this number is used to connect your charging process to an account. This is pretty bad in my opinion.

So I just copied a charging card. This is my own one; I charged on my own account. I used the ChameleonMini for this: I told it, just make sure to disguise yourself as this card with this ID, the BAD card, and I flashed it onto it. It has a battery, and I can just go to a charging station, and that is what is happening here. I put the card in front of the reader, the charging station tells me, okay, connect your car, I plug in my adapter, I tell the system to pretend the car is there, and the system tells me, okay, everything is fine, just charge. So this is charging, green. With pretty simple measures I can copy a card. Maybe you can even guess charging card numbers, because the token numbers of five subsequent cards differ only in a few digits. I haven't tried this, by the way; it is just a hypothesis I have, I can't prove it, but there are pretty simple measures to get these numbers. Just to make it clear: you just need this number and you can charge, no matter where you get it from. I can just use an Android smartphone and a 30 cent Chinese MIFARE Classic card and make my own charging card, basically; that is not really expensive, and you don't need the ChameleonMini. NewMotion charged me for this: I was in Gensing, there are three charging processes, and I paid 15 Euro cents because I stayed there for six minutes, so I didn't really use power, but I was there. That doesn't only touch NewMotion; it touches all charging services around. I tried NewMotion, BMW ChargeNow, Evald and charging cards from Ladenetz. If you have a charging card from a different provider, I would just say that all these roaming protocols just use the string to identify yourself, and that is the whole industry. So if you have a charging card somewhere, well, that is too bad. This is not an online procedure: Evald only charged me in a batch and communicated it to NewMotion after a month, so maybe you only know after a month that someone misused your charging card,
and of course as an electric vehicle driver you then have a problem, because you need to challenge the bill. What does NewMotion say? As an example there is a tweet here: at no time was there any danger to the public, and we take it seriously. Well, two months before I published the first part I tried to talk to NewMotion and to other charging card issuing companies, and I didn't get beyond customer support. There is no security email at NewMotion or something like that where someone is reading it who can really evaluate it from a technical standpoint.

So here is a little overview. We have a charging point and the charging card, which I crossed out because it is known bad, and there is a back end from the charging network whose charging point is in use currently, and there are other companies, and there is a roaming protocol called OCMI, and they are connected to each other. So let's look at OCPP in some more detail. This is a charging point from Hager, and I have one here; that is what it looks like, it is a little box. It is just a demonstration piece that they lent me, so please don't extrapolate from this cabling to a real one; this says nothing about product quality from Hager. What I like about it, from the electrical safety standpoint, is that it is really clean and works very well. Inside, the components come from building installation racks: there is a bus bar with clips on it, relays, auxiliary relays, cable protection switches and everything. In the upper part you can't see the card reader because it is behind the circuit boards; on the right-hand side is the charging controller, which is about safety checks and electrical safety, and in the end turns on the charging current.

On the left side you can see a little ARM-based Linux system, with some Python stack on it, that communicates with the outside world over the OCPP protocol. On the lower left there is a network cable, which is normally the connection to the mobile modem built into the charging point. You can see it is a modular system, because almost all manufacturers use different hardware variants for their charging points; some can communicate, and others don't really need that and simply don't have a communication module. What does it look like? If I boot the charging point, it is just a simple AC plug, just my desktop setup; an LED lights up, my OCPP implementation that I wrote for testing purposes takes a while, and then there is a BootNotification request with various fields here, for example: hey, I am a Hager witty park and I have this firmware revision. There may be more fields, but I didn't implement them. Then there are two StatusNotification requests, because this charging station has two charging ports, the Type 2 and below it a simple AC plug, and both are in the state Available. That simply means that if you walk around with your smartphone app, the app can see whether the charging point is in use or free; that is what it is for.

For the start of charging there are two requests, two messages: Authorize and StartTransaction. Let's look at that. I plug my electric vehicle into the charging point (it is a bit hard to do because they are waterproof) and put on my charging card, and my back end receives an Authorize request with the idTag BAD. My back end accepts every card, it is auto-accepting, as it says, so the back end says it is a valid token, you can continue. Okay, now the charging token is accepted, and there is the next message, a StatusNotification: an electric vehicle is connected, and the availability in the smartphone app would be updated. Then there is a StartTransaction request with connectorId 1, that is the Type 2 plug, the idTag BAD which I used in this case, and meterStart zero; normally there is a counter value, but this charging point has no meter because I don't need that for the demonstrator. Okay, now I can go there and turn on the current, and if the car says I'd like to get charging current, then the current is turned on, as you would expect.

The problem is at the point where I looked at the network communication in more detail. Normally these two, charging point and central system, communicate with HTTP, unencrypted HTTP, and the argument of the manufacturer is: we use a separate APN and nobody can get to it, so we don't need encryption. Well, I could just open up the charging point and look at the network traffic inside it. It is trivial, if you have ngrep or a similar network grab tool, to print it out, and it shows me the charging tokens, which I can extract from the network traffic; that is what you saw just before between charging point and central system. As the communication goes over HTTP, you can configure it to use HTTPS, and I simulated that by making a secure tunnel between them with stunnel and gave it a broken, self-signed certificate, but the charging station said, oh, that's fine, I now do encrypted communication and I'm all secure. You just need a man-in-the-middle attack, and there is really no effective encryption in this system. I'll just skip this one; it is funny that in a way you can also do remote control of these things, but I don't really have time for that now. You find these things on Shodan. There is a mobile phone APN; not everybody implemented that really. But please don't mess with that: if you
disable it, someone is really there who can't drive home, and you have to be careful with that when playing with it. So let's say okay, OCPP, just cross it out, and look at the charging point itself. I don't know if you noticed, but if you open it and look inside, you will find USB ports everywhere. On the right side there is the Hager station, on the left side this KEBA station, a KEBA P30, which really is quite capable, and the USB port is for the service technician, who can do a software update or change the configuration, something like that. Okay, what happens if I put in a FAT32 formatted USB stick? It writes a log file with a lot of information on it: what kind of hardware is running, which revision, and things like that. So I put in an empty USB stick, and then I have this log file with these contents on it, and I also get the network configuration, and what is even greater, I get the access data and the public endpoint of the OCPP server. So yes, it is really there: just loosen two screws, open it, put in the USB stick, and you have all the information you need. But it gets better: I can edit this file and put it back, and it is taken over as the new configuration. I have to know how to rename the file, that is the only thing, but that is in the manual, so that is fine. I just mention it: in the end, in two minutes you can read out the charging point completely, look at the configuration, think about how you can make an attack on the network infrastructure, whether you want to install a Raspberry Pi in addition, and there are infinite degrees of freedom, and you can't turn it off on this charging point. It is just a feature that is implemented by the manufacturer, and that is just the way it is. With KEBA, the other one, it works similarly in principle. You can turn off the update of the configuration, but I can still update the software with a USB stick too. You create a subdirectory upd, copy the firmware update file there, which you can download from KEBA, and plug it into the charging point, and the charging point performs a software update, which is very convenient for the service technician. If you look at this update package, you find that it is just a zip file with files in it which you can perhaps modify, and of course I did that. I plug in my USB stick, I'll do it live here in parallel, and there are some messages: USB updating, I found a USB stick and I update the software. It just unzips the zip file, and there are some scripts in it that are executed. Of course you can have a lot of fun with that; for example you could show a message like this. You can also do that via the UDP interface, just like that; you can get at those functions another way. What happens here is that a script that I wrote is executed, from the local file system. What you didn't see here, and I hope that worked in the background, is that a shell popped up. So I have a network connection, there is a router and a network connection over this network cable to my computer, and it is a KEBA 430 with a KEBA P30 with a halfway recent Linux, and I'm root. Yes, what else can I say. How did that work? Very easy. As I said, this KEBA file is really a zip file, and there are some scripts inside, for example install.bsh, which is the entry point for the update. It is a BeanShell file, some sort of Java shell, I have no idea what it is, but I just modified the existing update scripts. In this install.bsh a little environment is set up and I have some tools at my disposal there, and in the subdirectory I call some other .bsh files, which I just made up from the files that KEBA delivers. There is a reverse shell, and via string concatenation I make my own shell scripts, write them to the hard disk and start them. The whole update process uses no authentication whatsoever. I told KEBA that, and they said, oh, they knew about that hole and they closed it; I couldn't verify that yet because I haven't gotten a changed version yet. So if you find a KEBA charging point somewhere, I guess it might still be vulnerable to this problem. In the comments of the update packages in this BeanShell I saw that in the future they maybe want to use an encrypted zip file, so maybe it is password protected, but that also means that the password itself has to be stored on the charging point, otherwise it wouldn't be able to check whether it is a real update. So I don't know if that plan is really very good. It is a Debian-based system, and Debian really uses a solid package management, so you could just use the package management that is already there; why invent something new?

What can I do on the charging point? This is really the script, pdc display parks, and that displays the message on the charging point. It is not very exciting, but there are some other scripts that change the configuration or do other things with the charging point. What is more interesting is what else is stored in the user data: the previous charging tokens, from the previous drivers who have charged there. You can just get them via grep from the log files, they are unencrypted, and so the exploit is quite obvious. I just make a USB stick, put it into the charging point, as root something is executed, I do my grep in this BeanShell and write the results of the grep back onto the USB stick, unplug it and go away, and maybe I have the last 100 valid charging card numbers in the file. I have to say I have to loosen six screws to get to the USB port; that is not a real problem for someone at night within two minutes. Much more problematic is the scenario of what the charging point owner could do, because he has access to it and can get the charging card numbers by attacks on the charging point, collect the numbers, make an OCPP client simulating charging processes, and simulate charges that actually never happened. So I make myself an additional income, and as a customer I have a problem: I have to challenge that bill, someone stole my card number, and what do I do, I don't want to pay for that, etc. But it doesn't stop here. There is a method called AutoCharge from ABD, the fast charge system; they are offering public charging stations and want to spread this system. AutoCharge works like this: I have a CCS vehicle with a DC charging process, and instead of using the special certification structure from CCS, you just take the MAC address of the car as an authentication method. So the 90s want their access control back. No matter where you go in charging infrastructure, there are so many serious issues; that is really sad.

So let's add this up. Charging cards are broken because they are using a public ID. OCPP is broken because there is no clean handshake between the structures. The charging systems I looked at are pretty broken as well. I just want to talk about things on my desk, so I can't tell you about the quality of the charging back ends, but it would be interesting to do that. So there is a red thread going through all this: there are a lot of problems and issues. The providers are telling me, okay, we have security and everything is fine and we don't know about abuse, but that might be because there are not too many electric vehicles on the roads, so it is not really a big infrastructure we have yet. On the other hand, if you look at the GoingElectric forum, a special discussion board for users of electric
cars, they are telling us, well, everything is fine, everything is good, nothing has happened yet, so we don't have to talk about it. That is not really a good way to handle this problem, because it touches the whole infrastructure. We should say, well, we have issues and we have to solve them. That is basically what I want: I bought an electric car, next year I want to charge at a charging station easily without having to think about safety, whether someone can steal my card data, whatever; I just want to trust the infrastructure, and I don't have this trust at the moment because there are too many problems, too many conceptual problems, that don't only touch the providers but also the whole industry. So let's just do it better: get together, talk about this, and make it an open source project with a better implementation where all these issues are resolved, basically. Thank you.

Well, that was great. I'll take alohut as a compliment. We have 15 minutes for Q&A, so anyone who has a question, even the internet (there are a few questions there), can use a microphone, and I'm trying to coordinate everything. Whoever has to leave the room, just go out on the right, and a new feature: the exits at the stage tops, you can actually use them, and they seem to be quite comfortable, by the way. We're starting with a question from the internet, from the signal angel.

The internet wants to know if you have cared about ISO 15118 and if you know about the security of that.

Unfortunately I really don't know it in any detail, as much as I would like to. ISO 15118 is really what is behind the CCS system and is used there. The problem with ISO standards is that they are very expensive if you want to buy them, and another problem is that I have neither such an expensive charging point nor an electric vehicle that works with that, but I'd really love to look at it in more detail.

So please, internet, just donate him a Tesla, crowdsourcing. Microphone three, please.

Hello, I have kind of the same question. The problem is the compatibility with all the cars, because the infrastructure was so easy because the cars are so easy, so I guess it might take centuries to remove all the old charging stations. Is there anyone who has talked to you?

So my subjective impression is that it is just a loose collection of technology, and I have heard through the grapevine that the card numbers were the only thing that they could agree on, not that they thought it was a great solution. But in the future it will get worse: when there are more electric vehicles there will be new technologies, and perhaps I have an old car which can't get a new update of the CCS stack and so can't be charged by DC. I think it is going to get worse.

Internet question.

Well, the internet wants to know whether there is certification from the BSI, for example like for power meters.

There is currently no regulation in this area, no checks and no assessment for security and safety. The federal office for electricity metering says that we need a certified smart meter gateway in the charging point, but that is so expensive that it wouldn't amortize, so the solution for the charging point, the way they do it now, is that you just charge by time and not by current. That is why I had to pay NewMotion for zero kilowatt hours but for six minutes. So there is no regulation really, and I don't know that it is in the making; the market will do it.

Microphone four, please.

Thank you for your talk. You have all these devices; is it possible that the hcdpx and the stuff are missing?

No, this is the real hardware, just in a different box, but it is really production hardware that is used in deployed stations, and this is a station that we bought with the institute, with the Fraunhofer; this is not demo hardware, it is the real thing.

So I might have misunderstood that, because you have shown this, and well, this didn't look like it.

No, just because it is a different box.

Right. Yes, so the signal angel, the internet.

Well, that is a comment: you would have to stick a "contains cyber" thing on the box. So, Phillips head or Phillips head?

Isn't that the same thing? One is Phillips, the other is Phillips, I don't know. Now, that was easy. Microphone two, please.

I'm one of the developers of NFCGate and ideas and everything, and we are searching for hardware using MIFARE Classic. Can we play with your hardware?

Oh yes, sure, knock yourself out. Use a public charging point; they all expect MIFARE Classic.

Can we try it at the congress? Can we try yours at the congress?

Why, with my charging card? Talk to me and we'll find a solution. I don't know if I let you read it, but we'll talk about it. Not that an AI just drives us somewhere.

The internet wants to know: they are actually running Linux, so whatever you talk about custom hardware, what about licenses? Do they have to give you the code?

It is a good question, and I really can't tell you now, but I assume that it is based on open source components, and we'd have to take a closer look at who is linked to whom, and maybe there are GPL licensed components, I don't really know at the moment.

Number three, please.

I'm from one of those projects giving out ideas how to do it. Did you have any contact with them?

So, no. I think that is interesting; we should email, because that would be the mechanism to make it a little more sense. Well, that is a different thing; I want to talk to you later.

Internet question again. The internet wants to know how charging station users can save themselves, what can we do?

So some companies say you can use our infrastructure with a smartphone app, but I haven't looked at the smartphone apps, so maybe security-wise they are just as bad, I don't know. But that is one option if you really don't want to use the charging card. If in doubt, in the worst case you only know after four or six weeks that your token has been stolen and is used somewhere else, so it is really about how the company handles it, whether they cancel the bill or something. There is no experience with that and there is a lot of uncertainty, and that is not really good for electromobility as a whole.

Microphone, please.

Hello, is it okay to ask a question in English? I am from Radboud University in Nijmegen, and we are working with a few Dutch charging companies. Thank you for shredding OCPP.

My pleasure.

Could you also shred 1.6, and have you already looked at 1.7? It is not done yet, but I've seen it; they've actually got a chapter on TLS security requirements and everything. Have you seen that?

I didn't have a look at it. I know that 1.6 is basically 1.5 with a little bit more functionality; 1.6 is just 1.5 with JSON in addition. With regard to 2.0, I didn't look at it; I know that it is now publicly in the review process, so I definitely will have a look after.

Comment: I was surprised that so many people were interested in ISO 15118. If anyone has any questions about that, I can talk about the security implementation; I worked in standardization for that, and if there are any more questions I can do that.

Yes, and we should talk. Any questions from the internet, signal angel? There's one upstairs. Microphone six, there are three people basically. Hello, in the back.

Okay, so I'm involved in the back end area, at the provider that was mentioned. It is actually really as bad as you said; we had all this in 2012 with the hardware providers and the customers, but there is no interest in making it better.

Yes, well, then we hope that interest will grow with time. So I'm sorry for the people at five and six; you can talk to Mathias in person, there are many interested customers in this room. Thank you to our speaker.
