Hi there, thanks for attending our talk. Our talk today is Remote Rooting Charging Station for Fun and Profit. And it will be presented by me and my teammate, Bakut. We're going to share our bug hunting experience for the Schneider Electric charging station, EVLink. So who are we? I'm Kevin2600. I'm a security researcher and I love breaking stuff. And this is my teammate, Bakut. He's a security engineer. He's also the founder of ReptDNS.io. For the past few years, we have focused on vehicle security. For example, we successfully demoed the NFC key relay attack on the Tesla Model 3 last year. And this year, we have found three bugs in the Schneider Electric EVLink charging station. And one of them is scored as the most critical bug.

So here are the contents for today. First, I'm going to do a charging station 101. I will introduce how it works and why we need to be concerned about its security. Then I will walk through some interesting case studies on charging stations from other security researchers in the past. And eventually Bakut will share the whole story of how we got RCE on the EVLink and what the impact can be once we got in.

So, charging station 101. Why charging stations, right? A lot of people talking about vehicle security nowadays usually refer to the car itself. For example, they will talk about how to reverse engineer CAN protocols, or whether we can sniff the TPMS for the tires, or whether we can hack the key fob systems and get into vehicles. But let's not forget there's something called V2X communication, and it also plays a very big part in the vehicle network. And the X in V2X can mean many things. For example, vehicle to vehicle, V2V, and vehicle to infrastructure, V2I. And also for the charging station, V2G, okay? So V2G usually refers to the connection between the car and charging stations.
So when you go to a charging station, you are usually interacting with the SCADA system behind it or something like that, okay? So I think nowadays we don't feel it's strange to see a charging station around us, because they are everywhere now. And this is just a map to show how many charging stations are around the Chinatown area in Vancouver, Canada. See, I took this picture from an open source, Open Charge Map (the .io one), and you see, we already see many, many, all right? And also this one is from the ChargePoint map. And can you see how many of them are in the States right now? Amazing, right? So many of them.

And they not only exist in the real world, we can find a lot of them exposed to the internet too. As you can see, we can easily find a lot of them through some search engines. So for example, with the help of Shodan, we can easily spot a Tesla Powerpack system. Yeah, I've seen, not many, but there are systems. Also, if we search for OCPP, which is the protocol specially designed for communication between the charging station and the backend server, we can spot many of them on the internet too.

So this is what a charging station looks like in real life. As you can see, they come in different forms and sizes. For example, this one is usually for a small residential area, and this one can be for commercial use, okay? But regardless of the size or form, they all have plug connectors. However, each country has its own standard; even a company like Tesla has implemented its own version of connectors. And charging stations usually use the CAN protocol to communicate with the BMS system on a vehicle, which stands for Battery Management System. But in Europe, they're using PLC, Power Line Communication, to talk to the BMS with TCP/IP. So yeah, they actually have an IP address, right? Pretty cool, right? Hi, Chris. And there are network servers in the backend, right?
So they take care of payments or any other service that a customer may need to deal with, right? So it's actually a whole lot; it actually looks like an IoT network, but bigger, right? Okay, as I mentioned earlier, charging stations can use the OCPP protocol to talk to the backend server. And the latest version of OCPP relies on JSON for messaging. And this is a great place for us to do a fuzzing attack, right? So maybe we can fuzz some specific area to find if there's any bug.

Okay, since the charging station is just an embedded system and provides many services, the more services they provide, the more possibilities we have to attack them. So here are some of the attack vectors I think we can try. First, we can try to reverse engineer their applications to find if there's any API interface exposed. Also, since they have the cloud backend server, maybe we can try that too. And like I said, the charging station itself is most likely an embedded system; they probably have a Linux system underneath. So yeah, the Linux system we can try. Also, if we take it apart, we may find some debugging port accessible, like JTAG or UART, right? And usually the charging station has some wireless connection with it, like BLE, Wi-Fi, or 4G, 5G. And when talking about payment, they are probably using RFID. And yeah, RFID is also hackable too. And as I mentioned, the vehicle uses CAN or PLC to talk to the charging stations. Maybe there's a way to hack it as well.

So back to the question we asked in the very beginning: why charging stations? Because I think they are already everywhere and they're less expensive than cars. Buying a car usually costs a lot of money, but it's much cheaper if we're just talking about charging stations. We can buy a brand new one and start from there. And right now, when we did the research, we felt that not many people focus on this area.
So less attention maybe means there are a lot of bugs waiting for us to discover. So yeah, more functions, more attack vectors, right?

So, charging station case studies. The first one is from Circontrol, a company called Circontrol; they report on CirCarLife. This is not new, but rather years old. However, we can still find lots of them online. You see, when we simply search for server CirCarLife, we find 2,932 of them already, still exposed online, right? So currently there are multiple CVEs for CirCarLife charging stations. For example, it will leak username and password information, like here from the log file, without any indication. So this is not a secret, right? So many years and they still haven't fixed it.

Okay, case number two: there's a man-in-the-middle device made by a security researcher, and it can be used for sniffing and injecting packets between cars and charging stations through PLC. I think this is pretty cool. He has also released a tool to help us capture the packets. So if you're interested in this research, you can try this website. And even better, he also released another tool called V2GInjector, which can inject packets into the cars and charging stations. However, there is a catch: you have to be in an area that supports PLC. For example, most European countries support it, but if you happen to be in China, you usually face charging stations that only accept the CAN protocol. So you will not be able to do this kind of research.

Now, this is another interesting research done by Tencent Blade. They found a design flaw within a charging station payment mechanism. The way this payment mechanism works is: first, our car, for example the BMS, will transmit the vehicle code, the VIN number, to the charging station. And the charging station will transmit this VIN number all the way back to the backend server.
And they do the check on the backend. And once they authorize you, they will send back the credentials by the VIN number, all right? And once they know you are a legit user, they will start charging the payment accordingly, okay? Now, this is called plug and charge. So, as I mentioned, since vehicles in China use the CAN protocol to communicate with the charging station, what Blade did is they built a CAN man-in-the-middle device called X Charger. So basically they built one device based on a Raspberry Pi that can sniff the CAN protocol in between them. So a man-in-the-middle attack again, but for the CAN protocol this time. With help from this device, they can capture all the CAN traffic between the car and stations. Now, what they found is that some of the stations in China, as I mentioned earlier, are using the VIN number to authenticate a user for payment purposes. However, it's a VIN number; it's easily replaceable during the whole process. So they can simply replace the VIN number with a different car's. So the other people will pay the fees for you. Free charge, right? Pretty cool. And also, they have done research on Tesla. They found the Tesla charging station actually uses their private protocols. So we still need to find a way to reverse engineer the entire private protocol. So I think this is a pretty good area to dig into more.

Now, the last case, case four. This is an interesting case found by us. The story is, we know that one of the popular charging station companies is called ChargePoint. They said that by 2025, there will be 2.5 million EV charging stations bought by Leng, right? I think this is a very popular one in Vancouver and across the country in the States as well. So the story is very simple actually. One day, we chose to reverse engineer their mobile application.
And in the end, we found a simple reflected cross-site scripting bug on their backend server. They are using some kind of WAF system, but we found a way to bypass it. And right away, as ethical hackers, we reported the bug to the company with full details and disclosed it. So, end of story, right? No. Turns out the ChargePoint security team takes security very seriously. They rewarded us $1,000 as a bounty through HackerOne. Well, $1,000, right, just for a reflected cross-site scripting. I mean, pretty cool. We couldn't be happier. So yeah, big thanks for the time of the ChargePoint team. Yeah. Okay.

So now my teammate, Bakut, will walk through the whole journey of bug hunting for Schneider EVLink, okay?

I'm Bakut. Now I'm going to share our journey of bug hunting for Schneider EVLink. This is my first time, please bear with me. First, I'd like to make it clear: our main goal here is to get root and achieve RCE on the target. And we were lucky; we made our goal and were assigned three CVEs from Schneider in the end. Also, the reason we chose to research EVLink is because the firmware can be easily downloaded from the Schneider website. And there are a certain amount of EVLink devices exposed to the internet.

So the first step is to do some recon on our target. And as I said, we can download the firmware directly. The firmware is a tar file. It includes files such as SPL, U-Boot, an EVLink base image and some other binary files. Based on these files, we can find that the target is an ARM-based device. And from the U-Boot file, we can find the baud rate, the IP and some other configuration information. From the uImage, we know the kernel version and the entry point address, which makes it easy for later reverse engineering work. So now we learned the partition structure of our target. And we tried to crack the root hash inside the shadow file, but it failed.
Then we started to review the web manager interface. It has many functions such as log files, open ports and firmware updating. Also, the path of the web application and the EVLink SQLite database file. Here are some open source components that EVLink is using. And interestingly, we found two hard-coded secret accounts named Open and Schneider within their SQLite file. And they have been removed from the latest firmware.

After we have done the recon, time to hunt bugs. For warm up, we started with cross-site scripting and got this as our first CVE; however, this won't help us get in. So let's try harder. We then moved on to reversing the binary file, CGI server. We located some useful keywords such as S call, and this is useful for us to distinguish different functions. We also found some web paths from the CGI server file. This may be useful for later fuzzing attacks. Eventually, we looked at an interesting function. Within that function, we found hard-coded CSRF tokens, and these tokens can be used to bypass the login authentication process. Continuing to analyze the login process, we found that was log assist size. So probably parameter meter way one, five, three way will become true. And this is the same result as using the hard-coded tokens, which confirms the tokens can be used to bypass the authentication. Finally, by adding the secret token within our request, we can successfully bypass the login authentication.

So now we need to find a way for RCE. After we searched the CGI server, we looked at the hard-coded EPK key, and this key is used for signature verification of the firmware. After we read the EPK install file, we found that the firmware package can be easily forged, as long as we build an installation package with the hard-coded EPK key. As you can see, rebuilding a new firmware package is very easy. We can put our own reverse shell payload into the firmware package. In order to trigger the bug, we need to upload the backdoored version of the firmware.
As you can see, once the payload triggered, we got our root shell on the machine completely. So now we have RCE working. Let's write a working exploit. In order to do that, we first need to know the process of updating firmware and some parameters like file id, and we can use Wireshark to capture all of it. Once we know the entire updating process, we can draw a flowchart for developing the exploit and have the payload ready. And of course, we need to prepare the security token for the cookie in the request. Once we got all the needed information, the exploit is ready to go.

Now, you may ask, what can we do after getting RCE? I think most people would like to get a free charge, right? But there is more. For example, it can be turned into a botnet for DDoS attacks. Also, it can be a breaking point for the enterprise network, since it has decided to be MIS on the record. Maybe a way to surprise RCE on wall focus. Here are some examples of getting into an internal network. This charging station is also part of a university network. And on this charging station, there is also a building management application running on a different port as well. It has more functions to manage the vehicle charging system.

So after we found those bugs, we reported them to Schneider. They fixed 13 bugs in total for the EVLink product, released the advisory last month, and assigned us three CVEs. So we believe that more trans will bring more attack vectors. Attack vectors on the charging station or V2X have huge potential for security research. Thank you.
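Bakut's firmware-forging finding, as an added example that is not from the talk or from Schneider's code: a package accepted because the key that verifies it ships inside the downloadable image, next to the verification design a device should use, where only a public key is on the device. The HMAC scheme, the key value and the package bytes are constructed placeholders, and Go's standard crypto packages stand in for whatever EVLink actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Weak design: the package "signature" is an HMAC whose key ships inside the
// downloadable image, so anyone who has the image also has the key.
// The value below is a constructed placeholder, not a key from the talk.
var keyInImage = []byte("constructed-embedded-package-key")

// hmacTag computes the tag the weak verifier expects for pkg under key.
func hmacTag(key, pkg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(pkg)
	return m.Sum(nil)
}

// weakVerify models a device checking against the embedded symmetric key.
func weakVerify(pkg, tag []byte) bool {
	return hmac.Equal(hmacTag(keyInImage, pkg), tag)
}

// strongVerify is the hardened form: the device holds only the vendor's
// Ed25519 public key, so the image alone cannot produce a valid signature.
func strongVerify(pub ed25519.PublicKey, pkg, sig []byte) bool {
	return ed25519.Verify(pub, pkg, sig)
}

// demo reports whether a modified package passes each design and whether the genuine one still passes the strong check.
func demo() (weakAcceptsForged, strongAcceptsForged, strongAcceptsGenuine bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // private key never ships
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed genuine package")
	forged := []byte("constructed package with an added script")
	weakAcceptsForged = weakVerify(forged, hmacTag(keyInImage, forged))
	// Strong: the vendor signature covers only the genuine bytes.
	sig := ed25519.Sign(priv, genuine)
	strongAcceptsForged = strongVerify(pub, forged, sig)
	strongAcceptsGenuine = strongVerify(pub, genuine, sig)
	return
}

func main() {
	w, sf, sg := demo()
	fmt.Println("weak accepts forged:", w, "| strong accepts forged:", sf, "genuine:", sg)
}
```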