Zero Day Initiative - Blog

Looking at the ChargePoint Home Flex Threat Landscape

7 September 2023 at 16:09

We recently announced the rules and targets for the upcoming Pwn2Own Automotive competition. As we look forward to the event, we thought we would review the attack surface on some of the targets. We begin with the ChargePoint Home Flex – a 240-volt Level 2 home charger that delivers up to 50 amps of power.


The ChargePoint Home Flex is a Level 2 electric vehicle charging station designed for use in the home. The hardware itself has a minimal user interface; both installation and day-to-day operation are performed through ChargePoint's mobile applications.

ChargePoint Home Flex Attack Surface Summary

Broadly speaking, the attack surface of the device can be broken down into three categories.

1.     ChargePoint Mobile Applications
The ServicePro application used by electricians during the installation of the ChargePoint Home Flex unit offers one avenue of attack.
The ChargePoint application used by end-users when configuring and using the ChargePoint Home Flex also provides an attack surface.

2.     ChargePoint Home Flex hardware
The device includes an embedded Linux host that communicates over Wi-Fi with hosts on the Internet. The unit contains a metrology PCB based around a Texas Instruments MSP430 microcontroller and a wireless communication (CPU) PCB based around an Atmel Arm CPU. A JTAG interface is accessible on the wireless communication PCB.

3.     Network Attack Surfaces
Software patches are delivered as Internet-based over-the-air (OTA) updates, so the update channel itself is part of the attack surface. The Bluetooth Low Energy (BLE) endpoint used by the mobile applications for local communication is reachable by anyone within radio range. Wi-Fi traffic between the charger and the local access point can be intercepted and manipulated. Finally, the device implements the Open Charge Point Protocol (OCPP); any weakness in that protocol, or in the charger's implementation of it, is inherited by the charger.

Prior Security Research

The ChargePoint Home Flex was the subject of a security assessment performed by Dmitry Sklyar, a researcher from Kaspersky Lab. The review was performed in 2018, and the results were published as a paper and presented at a number of security conferences. The slides can be found here.

ChargePoint Home Flex Mobile Applications

ChargePoint distributes two applications for use with the Home Flex charger. Both applications interact with the ChargePoint Home Flex over Bluetooth Low Energy (BLE).

The ChargePoint ServicePro application is intended for use by an electrician when installing the device for an end-user. This application is written using the React Native application development framework. This is a JavaScript-based development framework intended for cross-platform mobile application development.

The consumer-focused ChargePoint mobile app is intended for use by end-users to manage their charging preferences.

While we did not thoroughly investigate these applications for vulnerabilities or other bugs, problems in mobile applications have been used by threat actors in the past and represent a significant attack surface. Even though the mobile applications themselves are out of scope for the Pwn2Own Automotive contest, they should still be thoroughly reviewed by the research community.

ChargePoint Home Flex Bluetooth Low Energy

The ChargePoint Home Flex uses Bluetooth Low Energy to communicate with mobile applications. Trend Micro researchers used a custom BLE scanning tool to enumerate the endpoints made available by the charger.

The charger also exposes the Device Information Service defined by the Bluetooth SIG, with the following characteristics populated:

— BLE Service Device Information
System ID
Model Number String: CPH50
Serial Number String
Software Revision String: 5.5.2.5

The researchers observed the following BLE services and characteristics when scanning the device under test (DUT): 

— Device Details Service 274BC3A3-1A52-4D30-99C0-4DE08FFF2358
Get/Set PowerSourceType: Characteristic 8D4D6AF5-E562-4DC7-85AD-842FBF321C87
Get/Set PowerSourceAmps: Characteristic F24F7C35-A5FD-4B98-BCA5-50BB5DC8E7CD
Get/Set Apply Settings Status : Characteristic 5597DD46-7EDD-40CC-9904-B6934DC05E19
Get/Set UserId : Characteristic E79C86D4-8106-4908-B602-5B61266B2116
Get/Set Latitude : Characteristic 85F296FC-3152-4EF0-84CB-FAB8D05432E4
Get/Set Longitude : Characteristic 9253A155-701A-4582-A0CF-5E517E553586
Get/Set NOSStatus : Characteristic C31D51E5-BD61-4D09-95E2-C0E34ED1224C
Get/Set Power Source: Characteristic C1972E92-0D07-4464-B312-E60BA5F284FC

— WIFI Service DFAF46E7-04F9-471C-8438-A72612619BE9
Get/Set NextWIFIAccessPoint: Characteristic E5DEBB4B-4DAC-4609-A533-B628E5797E91
Get/Set CurrentSSID: Characteristic EB61F605-DED9-4975-9235-0A5FF4941F32
Get/Set WIFISecurityType: Characteristic 733ED10A-CD1B-43CA-A0C2-6864C8DCF7C1
Get/Set WiFi Configuration: Characteristic 25A03F00-1AF2-44F0-80F2-D6F771458BB9
Get/Set ApplyStatusCode: Characteristic 3BE83845-93E4-461E-8A49-7370F790EBC4
Get/Set Always Empty Response Characteristic: Characteristic CED647D7-E261-41E2-8F0D-35C360AAE269

— Unknown Service B67CB923-50E4-41E8-BECC-9ACD24776887
Get/Set Always NULL Byte Characteristic: Characteristic 7AC61302-58AB-47BA-B8AA-30094DB0B9A1

Trend Micro researchers performed limited probing of these BLE endpoints using a bespoke BLE scanner and reverse engineered the end-user ChargePoint Android application. The names in the listing above were inferred from the Android application code.
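The enumeration described above, as an added example that is not the ZDI scanner: it labels a Home Flex GATT table with the names inferred in the listing, decodes the standard Device Information Service, and lists the characteristics a phone can write to, since those carry the configuration (Wi-Fi credentials, charging current) that the apps push into the charger. The live path uses the third-party bleak library (assumed installed, on a host with a BLE adapter); the sample table is constructed from the listing with illustrative property flags and is not a capture from the device.

```python
"""Label a ChargePoint Home Flex GATT table and read the Device Information Service.

Added example, not ZDI tooling. Assumptions: the third-party `bleak` library is
installed for the live path; SAMPLE_TABLE is constructed from the post's listing
with illustrative property flags, not captured from a charger."""
import asyncio
import sys


def sig_uuid(short):
    """Expand a 16-bit Bluetooth SIG UUID to the 128-bit form scanners report."""
    return f"0000{short:04x}-0000-1000-8000-00805f9b34fb"


DIS_SERVICE = sig_uuid(0x180A)  # Device Information Service
DIS_CHARS = {
    sig_uuid(0x2A23): "System ID",
    sig_uuid(0x2A24): "Model Number String",
    sig_uuid(0x2A25): "Serial Number String",
    sig_uuid(0x2A28): "Software Revision String",
}

# Vendor UUIDs and the names inferred from the ChargePoint Android app (listing above).
VENDOR = {
    "274bc3a3-1a52-4d30-99c0-4de08fff2358": "Device Details Service",
    "8d4d6af5-e562-4dc7-85ad-842fbf321c87": "PowerSourceType",
    "f24f7c35-a5fd-4b98-bca5-50bb5dc8e7cd": "PowerSourceAmps",
    "5597dd46-7edd-40cc-9904-b6934dc05e19": "Apply Settings Status",
    "e79c86d4-8106-4908-b602-5b61266b2116": "UserId",
    "85f296fc-3152-4ef0-84cb-fab8d05432e4": "Latitude",
    "9253a155-701a-4582-a0cf-5e517e553586": "Longitude",
    "c31d51e5-bd61-4d09-95e2-c0e34ed1224c": "NOSStatus",
    "c1972e92-0d07-4464-b312-e60ba5f284fc": "Power Source",
    "dfaf46e7-04f9-471c-8438-a72612619be9": "WIFI Service",
    "e5debb4b-4dac-4609-a533-b628e5797e91": "NextWIFIAccessPoint",
    "eb61f605-ded9-4975-9235-0a5ff4941f32": "CurrentSSID",
    "733ed10a-cd1b-43ca-a0c2-6864c8dcf7c1": "WIFISecurityType",
    "25a03f00-1af2-44f0-80f2-d6f771458bb9": "WiFi Configuration",
    "3be83845-93e4-461e-8a49-7370f790ebc4": "ApplyStatusCode",
    "ced647d7-e261-41e2-8f0d-35c360aae269": "Always Empty Response",
    "b67cb923-50e4-41e8-becc-9acd24776887": "Unknown Service",
    "7ac61302-58ab-47ba-b8aa-30094db0b9a1": "Always NULL Byte",
}


def decode_system_id(value):
    """System ID (0x2A23): 8 octets, little-endian: 40-bit manufacturer id, then 24-bit OUI."""
    if len(value) != 8:
        raise ValueError("System ID must be 8 octets")
    mfr = int.from_bytes(value[:5], "little")
    oui = int.from_bytes(value[5:], "little")
    return f"oui={oui:06x} mfr={mfr:010x}"


def decode_dis(char_uuid, value):
    """Device Information strings are UTF-8; System ID is binary."""
    if char_uuid.lower() == sig_uuid(0x2A23):
        return decode_system_id(value)
    return bytes(value).decode("utf-8", "replace")


def inventory(table):
    """table: {service_uuid: [(char_uuid, [property, ...]), ...]} as a scanner reports it.
    Returns (rows, writable): rows are (service name, char uuid, char name, props);
    writable holds the rows a client can write, i.e. the first fuzzing targets."""
    rows, writable = [], []
    for svc, chars in table.items():
        s = svc.lower()
        sname = "Device Information Service" if s == DIS_SERVICE else VENDOR.get(s, "unknown service")
        for cu, props in chars:
            c = cu.lower()
            row = (sname, c, DIS_CHARS.get(c) or VENDOR.get(c, "unknown"), tuple(props))
            rows.append(row)
            if {"write", "write-without-response"} & set(props):
                writable.append(row)
    return rows, writable


async def read_live(address):
    """Connect to the charger, dump its GATT table and read the Device Information strings."""
    from bleak import BleakClient  # third-party; assumption: pip install bleak
    async with BleakClient(address) as client:
        table = {svc.uuid: [(ch.uuid, list(ch.properties)) for ch in svc.characteristics]
                 for svc in client.services}
        dis = {}
        for cu, name in DIS_CHARS.items():
            if client.services.get_characteristic(cu) is not None:
                dis[name] = decode_dis(cu, await client.read_gatt_char(cu))
        return table, dis


SAMPLE_TABLE = {  # constructed from the listing above; property flags are illustrative
    DIS_SERVICE: [(sig_uuid(0x2A24), ["read"]), (sig_uuid(0x2A28), ["read"])],
    "dfaf46e7-04f9-471c-8438-a72612619be9": [
        ("25a03f00-1af2-44f0-80f2-d6f771458bb9", ["read", "write"]),
        ("eb61f605-ded9-4975-9235-0a5ff4941f32", ["read", "write"]),
        ("3be83845-93e4-461e-8a49-7370f790ebc4", ["read", "notify"]),
    ],
}

if __name__ == "__main__":
    # usage: python ble_inventory.py [BLE address]; without an address the sample table is used
    if len(sys.argv) > 1:
        table, dis = asyncio.run(read_live(sys.argv[1]))
    else:
        table, dis = SAMPLE_TABLE, {}
    rows, writable = inventory(table)
    for sname, cu, cname, props in rows:
        print(f"{sname:28} {cu} {cname:26} {','.join(props)}")
    print("writable:", [r[2] for r in writable])
    for name, val in dis.items():
        print(f"{name}: {val}")
```

Run it with the charger's BLE address to get the labeled table from the device; the writable set is where a malicious phone (or a rogue app on a legitimate one) can push data into the charger, so it is the natural starting point for fuzzing the vendor services.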

ChargePoint Home Flex Hardware Details

The ChargePoint Home Flex comprises two circuit boards within the device housing. Those boards are the metrology board and the CPU board.

The metrology board hosts a Texas Instruments MSP430 microcontroller. It terminates the power connection from the supply and the charging cable that end users connect to the electric vehicle, and it provides power to the CPU board via a stacked PCB connector on the upper right of the board. The metrology board is labeled Panda AC 50 on the PCB silkscreen.

The CPU board hosts an ATMEL Arm CPU, Wi-Fi radio, and Bluetooth LE radio. The CPU board is labeled CPH-50 CPU on the PCB silkscreen markings.

Here are some images detailing the ChargePoint Home Flex Metrology board and CPU board:

Figure 1 - Front side of the CPH-50 CPU Board

Figure 2 - Back side of the CPH-50 CPU Board

Figure 3 - Front side of the ChargePoint Home Flex metrology Board

Figure 4 - Back side of the ChargePoint Home Flex metrology Board

ChargePoint Home Flex Embedded Linux

Prior research by Kaspersky Lab established that the charger runs Linux. Kaspersky identified the board hosting the Arm CPU as the "Panda CPU" board (the board silkscreened CPH-50 CPU on the unit examined here); it implements all of the externally accessible attack surface on the charger. The board provides a JTAG debug header, and the prior research showed this header could be used to obtain shell access to the charger.

During a preliminary assessment, Trend Micro researchers placed the ChargePoint Home Flex on a captive test network: a Wi-Fi access point attached to a lab network running services that simulate those the charger expects. The network's DNS server was configured to answer every A-record query with an address inside the test network, so every outbound connection from the charger terminated on a lab host.

During testing, the researchers recorded the DNS queries made by the DUT and configured the DNS server with every host name it attempted to resolve. The test network also included a web server configured to respond to the web requests made by the DUT. The DUT made DNS requests for the following names:

        ba79k2rx5jru.chargepoint.com
        homecharger.chargepoint.com
        publish.chargepoint.com
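The captive-network DNS behaviour described above, as an added example that is not ZDI's lab tooling: a minimal DNS sinkhole that answers every A query with one address inside the lab network and logs each name the device under test asks for. SINK_IP and the choice of answering non-A queries with an empty NOERROR response are assumptions of this example; the sample queries are constructed with build_query rather than captured.

```python
"""Minimal DNS sinkhole for a captive EV-charger test network.

Added example, not ZDI tooling. Assumptions: SINK_IP is the lab host running the
simulated services, and the DUT is pointed at this server (e.g. by the access
point's DHCP). Queries are parsed by hand so there are no dependencies."""
import socket
import struct

SINK_IP = "10.0.0.1"  # assumption: address of the lab host running the simulated services
TTL = 60
TYPE_A, CLASS_IN = 1, 1


def parse_query(packet):
    """Return (txn_id, flags, qname, qtype, qclass, question) for a one-question DNS message."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txn_id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txn_id, flags, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def build_query(name, qtype=TYPE_A, txn_id=0x1234):
    """Build a standard recursive query; used here to exercise the server offline."""
    msg = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    return msg + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, sink_ip=SINK_IP):
    """Answer A/IN with the sink address. Anything else (e.g. AAAA) gets NOERROR with
    no answers, so a dual-stack client falls back to the A record instead of erroring."""
    txn_id, flags, _name, qtype, qclass, question = parse_query(query)
    rflags = 0x8000 | (flags & 0x0100) | 0x0080  # QR=1, copy RD, RA=1, RCODE=0
    if qtype == TYPE_A and qclass == CLASS_IN:
        header = struct.pack("!HHHHHH", txn_id, rflags, 1, 1, 0, 0)
        # answer: pointer to the name at offset 12, type A, class IN, TTL, rdlength, rdata
        answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, TTL, 4) + socket.inet_aton(sink_ip)
        return header + question + answer
    return struct.pack("!HHHHHH", txn_id, rflags, 1, 0, 0, 0) + question


def serve(bind="0.0.0.0", port=53, sink_ip=SINK_IP):
    """Run the sinkhole; prints each distinct name the DUT asks for."""
    seen = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                response = build_response(data, sink_ip)
            except ValueError as err:
                print(f"{peer[0]}: ignoring malformed query ({err})")
                continue
            name = parse_query(data)[2]
            if name not in seen:
                seen.add(name)
                print(f"{peer[0]} resolved {name} -> {sink_ip}")
            sock.sendto(response, peer)


if __name__ == "__main__":
    serve()  # binding port 53 needs root or CAP_NET_BIND_SERVICE
```

Once the names are known, the same lab host can run the real services on the ports the charger uses (HTTPS, and the SSH listener on TCP port 343 described below), which is how the certificate validation and the reverse port forward were observed.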

TLS connections to the lab web servers failed to establish because the certificates presented by the lab servers were not issued by a certificate authority the charger trusts. That the charger enforces certificate validation rather than accepting any certificate is a security benefit: it prevents an attacker who controls DNS or the Wi-Fi path from transparently intercepting the HTTPS traffic.

The ChargePoint Home Flex also connected over SSH to ba79k2rx5jru.chargepoint.com on TCP port 343. The lab network included a permissive SSH server that accepted authentication for any user. When the charger connected to it, its SSH client requested a remote port forward: the SSH server was asked to listen on a port and relay connections back to TCP port 23 (the telnet port) on the charger, i.e. a reverse tunnel that gives the server side access to the charger's telnet service. This matches the results in the Kaspersky report. Because the tunnel was established to a server the researchers controlled, whatever host-key checking the client performs did not prevent the session, so control of the name ba79k2rx5jru.chargepoint.com, via DNS or the network path, deserves close examination.

Summary

While these may not be the only attack surfaces available on the ChargePoint Home Flex unit, they represent the most likely avenues a threat actor may use to exploit the device. ChargePoint has committed to providing the hardware for us to use during the Pwn2Own Automotive competition, and we appreciate their support. We’re excited to see what research is displayed in Tokyo during the event. Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Looking at the Attack Surface of the Sony XAV-AX5500 Head Unit

5 October 2023 at 15:37

Last month, we looked at the attack surface of the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another target in a different category. The Sony XAV-AX5500 is a popular aftermarket head unit that interacts with different systems within a vehicle. It also offers attackers a potential foothold into an automobile.


The Sony XAV-AX5500 is an aftermarket vehicle head unit. This head unit supports many technologies that encompass its attack surface. This post endeavors to introduce the Sony XAV-AX5500, describe the relevant technologies in the head unit, and identify the attack surface present in the device.

Sony XAV-AX5500 Attack Surface Summary

Broadly speaking, the attack surface of the device can be broken down into the following categories:

— WebLink by Abalta Technologies
— Apple CarPlay
— Android Auto
— SiriusXM Satellite Radio
— Bluetooth connectivity
— USB media
— Radio Data System (RDS)
— Open-source software

Sony XAV-AX5500 Documentation

The following links provide details from the manufacturer about the XAV-AX5500 head unit. They provide a high-level description of the technologies used in the device.

Sony XAV-AX5500 Product Page
Sony XAV-AX5500 Documentation Download
Sony XAV-AX5500 Firmware Download
Sony XAV-AX5500 Specifications
Sony XAV-AX5500 Help Guide
Sony XAV-AX5500 Help Guide - Description of USB port capabilities

WebLink by Abalta Technologies

The Sony XAV-AX5500 uses the WebLink application by Abalta Technologies. This application enables both Apple CarPlay and Android Auto support on the device. When connecting a mobile phone to the head unit over USB, the user must launch the WebLink application to activate Apple CarPlay or Android Auto. 

In addition to enabling the driver’s preferred driving assistance technologies, the WebLink application also provides its own set of features. These features potentially expand the attack surface of both the Sony XAV-AX5500 and the connected mobile phone.

The WebLink feature with the greatest potential for misuse is "Cast". Cast mirrors the touch interface of the connected handset on the head unit, so the user can control the phone directly from the Sony XAV-AX5500 touchscreen. The feature requires the user to grant permissions on the mobile device, and each time a Cast connection is initiated the user must approve the link from the handset; this limits the exposure somewhat. Once permission is given, any application on the phone can be launched from the head unit, and the Sony XAV-AX5500 then has near-complete control over phone functionality, including changing the handset's configuration and accessing sensitive user data. If the head unit is compromised, an attacker could leverage Cast to access or modify data on the handset.

The second WebLink feature with a potential for misuse is the “Music” feature of WebLink. This feature displays information about the songs currently playing on the handset. The potential for abuse by connecting a malicious handset is not fully known at this time but does present a potential attack surface.

Other applications come bundled with WebLink, such as an integration with the Waze Satellite navigation application on the connected handset. It also implements a native YouTube application.

Apple CarPlay

The Sony XAV-AX5500 supports the Apple CarPlay driver assistance technology. The connected handset must have the WebLink application installed for CarPlay to be accessible on the head unit. Once the handset is connected, WebLink will establish a CarPlay session with the device. The security implications of this manner of integration are currently unknown.

Once the CarPlay session is established, the head unit and connected handset communicate over USB in a manner that appears identical to the observed communications that happen between a connected handset and head units sold by other manufacturers.

Apple CarPlay communication between the head unit and the connected handset runs over USB using an IPv6 connection. During connection initiation, the two sides exchange a small amount of information in plaintext, including binary Apple plist data. Once this initial configuration is complete, the connected handset initiates an encrypted TLS session with the head unit. Further research is needed to assess the security of the CarPlay communication over USB and IPv6.

Android Auto

The Sony XAV-AX5500 also supports the Android Auto driver assistance technology. The connected handset must have the WebLink application installed for Android Auto to be accessible on the head unit. Once the handset is connected, WebLink will establish an Android Auto session with the head unit. The security implications of this manner of integration are currently unknown.

Trend Micro researchers are conducting further research to better understand the communication that occurs between the Sony XAV-AX5500 and connected Android handsets. Further work in this area will help determine what the attack surface exposes and how attacks against the implementation of Android Auto function on the head unit.

SiriusXM Satellite Radio

The Sony XAV-AX5500 ships bundled with a receiver for SiriusXM satellite radio. This receiver connects to a ten-pin connector on the rear of the device. The communication using this receiver represents a potential attack surface against the head unit. However, an attacker may have to defeat layers of security in the signal received from the SiriusXM network in order to attempt an attack against the Sony XAV-AX5500 over this communication channel. 

In addition to radio-layer attacks against the receiver, there is the potential for attacks over the local link between the SiriusXM receiver and the Sony XAV-AX5500. This part of the threat model may not be in scope for Pwn2Own Automotive, because exploiting it requires unrestricted physical access to the device: unlike the USB port, which a passenger can reach casually, the SiriusXM receiver connector is on the rear of the head unit and is only reachable after removing the entire unit from the dashboard.

Bluetooth Communications

The Sony XAV-AX5500 provides support for using Bluetooth communications with a compatible mobile handset. This allows the head unit to access the connected handset to make phone calls, play audio, and other potential uses. The supported profiles and other Bluetooth support are identified in the user manual for the head unit.

From the user guide provided by the vendor:

Frequency band: 2.4 GHz band (2.4000 GHz – 2.4835 GHz)
Modulation method: FHSS
Compatible BLUETOOTH Profiles:
A2DP (Advanced Audio Distribution Profile) 1.3
AVRCP (Audio Video Remote Control Profile) 1.3
HFP (Handsfree Profile) 1.6
PBAP (Phone Book Access Profile) 1.1
Corresponding codec: SBC, AAC

USB Media Connections

The Sony XAV-AX5500 makes extensive use of the USB bus for connecting handsets. The head unit also supports other types of USB devices, such as media players and USB storage devices. The device supports multiple types of media file codecs for playback.

The Sony XAV-AX5500 also supports several variants of the FAT file system. Support for a file system is normally implemented in a kernel file system driver, which must parse on-media structures (boot sector, file allocation table, directory entries) that are entirely under the control of whoever prepared the media. If the head unit's file system driver contains a parsing vulnerability, an attacker with casual physical access could trigger it simply by plugging in a USB device carrying a crafted file system.
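The kind of parsing the paragraph above refers to, as an added example that is not the head unit's driver: a parser for the FAT BIOS Parameter Block that does the cluster arithmetic a driver performs, once trusting the on-media fields as-is and once after validating them. The boot sectors are constructed by make_boot_sector (a sane FAT16 volume plus crafted variants), not taken from a device, and the set of checks is this example's choice rather than any vendor's.

```python
"""Parse a FAT BIOS Parameter Block the careless way and the validated way.

Added example, not Sony's driver. fat_geometry_unchecked trusts the on-media
fields; fat_geometry rejects values a crafted volume can use to force a division
by zero, a FAT too small for the cluster count it implies (out-of-bounds FAT
reads) or a data region outside the volume. Boot sectors are constructed here."""
import struct

SECTOR = 512
# offset 11: bytes/sector, sectors/cluster, reserved sectors, FAT count, root entries,
# total sectors (16-bit), media byte, FAT size in sectors (16-bit)
BPB_FMT = "<HBHBHHBH"


def _fields(sector):
    if len(sector) < SECTOR:
        raise ValueError("boot sector shorter than 512 bytes")
    bps, spc, rsvd, nfats, root_ents, tot16, _media, fatsz16 = struct.unpack_from(BPB_FMT, sector, 11)
    tot32, fatsz32 = struct.unpack_from("<II", sector, 32)  # 32-bit total; FAT32 FAT size at 36
    return bps, spc, rsvd, nfats, root_ents, tot16 or tot32, fatsz16 or fatsz32


def _geometry(bps, spc, rsvd, nfats, root_ents, total, fatsz):
    root_dir_sectors = (root_ents * 32 + bps - 1) // bps
    first_data = rsvd + nfats * fatsz + root_dir_sectors
    clusters = (total - first_data) // spc
    kind = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"type": kind, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "first_data_sector": first_data, "cluster_count": clusters, "fat_sectors": fatsz}


def fat_geometry_unchecked(sector):
    """What a driver computes if it trusts the BPB as-is."""
    return _geometry(*_fields(sector))


def fat_geometry(sector):
    """Validated parse: every value used as a divisor, index or buffer size is range-checked."""
    bps, spc, rsvd, nfats, root_ents, total, fatsz = _fields(sector)
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError(f"bad bytes/sector {bps}")
    if spc == 0 or spc > 128 or spc & (spc - 1):
        raise ValueError(f"bad sectors/cluster {spc}")
    if rsvd == 0 or nfats not in (1, 2) or fatsz == 0:
        raise ValueError("bad reserved-sector, FAT count or FAT size field")
    g = _geometry(bps, spc, rsvd, nfats, root_ents, total, fatsz)
    if total <= g["first_data_sector"]:
        raise ValueError("data region lies outside the volume")
    if g["type"] == "FAT32" and root_ents != 0:
        raise ValueError("FAT32 volume with a fixed root directory")
    bits = {"FAT12": 12, "FAT16": 16, "FAT32": 32}[g["type"]]
    needed = ((g["cluster_count"] + 2) * bits + 7) // 8  # FAT entries 0 and 1 are reserved
    if fatsz * bps < needed:
        raise ValueError(f"FAT of {fatsz * bps} bytes cannot hold {g['cluster_count']} clusters")
    return g


def make_boot_sector(bps=512, spc=4, rsvd=1, nfats=2, root_ents=512, total=32768, fatsz=32):
    """Constructed boot sector; the defaults describe a sane 16 MB FAT16 volume."""
    sec = bytearray(SECTOR)
    sec[0:3], sec[3:11] = b"\xEB\x3C\x90", b"EXAMPLE "
    struct.pack_into(BPB_FMT, sec, 11, bps, spc, rsvd, nfats, root_ents,
                     total if total < 0x10000 else 0, 0xF8, fatsz if fatsz < 0x10000 else 0)
    struct.pack_into("<II", sec, 32, total if total >= 0x10000 else 0, fatsz if fatsz >= 0x10000 else 0)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def probe(sector):
    """Compare the careless and the validated parse on one boot sector."""
    try:
        naive = fat_geometry_unchecked(sector)["cluster_count"]
    except ZeroDivisionError:
        naive = "division by zero"
    try:
        return naive, fat_geometry(sector)["type"]
    except ValueError as err:
        return naive, f"rejected: {err}"


if __name__ == "__main__":
    for label, sec in [("sane", make_boot_sector()), ("bps=0", make_boot_sector(bps=0)),
                       ("spc=0", make_boot_sector(spc=0)), ("tiny FAT", make_boot_sector(fatsz=1))]:
        print(f"{label:9} naive={probe(sec)[0]!s:18} validated={probe(sec)[1]}")
```

In Python the careless path merely raises; in a C driver the same arithmetic is an integer division by zero, or a cluster count that later indexes a FAT buffer far smaller than it implies, which is the class of bug a crafted USB stick is built to reach.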

The Sony XAV-AX5500 supports several media codecs for playback on the head unit. These include many of the most widely used audio formats, such as MP3, WAV and AAC, and widely used video formats such as MPEG-4 and WMV. Media formats such as these are complex data streams, and the demuxers and decoders that parse them are prone to parsing errors; such errors can have a security impact on the code that performs the parsing, and here the input arrives on removable media that an attacker controls.

Radio Data System (RDS)

The Sony XAV-AX5500 supports the Radio Data System (RDS) standard, which defines a method for carrying digital information in conventional FM radio broadcasts. This is an unauthenticated source of data processed by the head unit: anyone with a transmitter in range can supply it. The standard carries a number of data types, and most of the fields have fixed sizes defined by the standard. The Trend Micro research team has not investigated the RDS implementation in the Sony XAV-AX5500, and its security risk is currently unknown.
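To make the fixed-size fields concrete, the following is an added example that is not Sony's RDS implementation: a decoder for the two group types that carry displayable text, 0A/0B (Programme Service name, 8 characters) and 2A/2B (RadioText, up to 64 characters). Its input is the four 16-bit information words of a group after the receiver's block error correction. Because the segment address is a 2-bit field for PS and a 4-bit field for RadioText, every write lands inside the fixed buffers however the bits are set; a decoder that instead appends characters until it sees the 0x0D terminator has no such bound. The sample groups are built by the encoder helpers here, not captured off air.

```python
"""Bounded decoder for RDS group types 0A/0B (PS name) and 2A/2B (RadioText).

Added example, not the head unit's code. Input: the four 16-bit information
words of one group after error correction. Sample groups are constructed with
encode_ps_groups / encode_rt_groups, not captured off air."""

PS_LEN, RT_LEN, CR = 8, 64, 0x0D


class RdsState:
    def __init__(self):
        self.pi = None                      # Programme Identification (block A)
        self.ps = bytearray(b" " * PS_LEN)  # Programme Service name, fixed 8 chars
        self.rt = bytearray(b" " * RT_LEN)  # RadioText, fixed 64 chars
        self.rt_ab = None                   # RadioText A/B flag last seen


def decode_group(st, a, b, c, d):
    """Apply one group to the decoder state; returns its type, e.g. '0A' or '2A'."""
    for word in (a, b, c, d):
        if not 0 <= word <= 0xFFFF:
            raise ValueError("RDS information words are 16-bit")
    st.pi = a
    gtype, version_b = b >> 12, (b >> 11) & 1
    if gtype == 0:
        seg = b & 0x3                       # 2-bit address: 4 segments x 2 chars = 8
        st.ps[2 * seg:2 * seg + 2] = bytes([d >> 8, d & 0xFF])
    elif gtype == 2:
        ab = (b >> 4) & 1
        if st.rt_ab is not None and ab != st.rt_ab:
            st.rt[:] = b" " * RT_LEN        # flag toggled: a new message starts
        st.rt_ab = ab
        seg = b & 0xF                       # 4-bit address
        if version_b:                       # 2B: block C repeats PI, D carries 2 chars
            chars, off = bytes([d >> 8, d & 0xFF]), 2 * seg
        else:                               # 2A: blocks C and D carry 4 chars
            chars, off = bytes([c >> 8, c & 0xFF, d >> 8, d & 0xFF]), 4 * seg
        st.rt[off:off + len(chars)] = chars  # off + len(chars) <= 64 by construction
    return f"{gtype}{'B' if version_b else 'A'}"


def programme_service(st):
    return st.ps.decode("latin-1")


def radiotext(st):
    """RadioText may end early with a carriage return; trailing blanks are padding."""
    end = st.rt.find(bytes([CR]))
    raw = st.rt if end < 0 else st.rt[:end]
    return raw.decode("latin-1").rstrip()


def _block_b(gtype, version_b=0, tp=1, pty=0):
    return (gtype << 12) | (version_b << 11) | (tp << 10) | (pty << 5)


def encode_ps_groups(pi, ps):
    """Four 0A groups carrying an 8-character PS name (block C holds 'no AF' codes)."""
    raw = ps.ljust(PS_LEN)[:PS_LEN].encode("latin-1")
    return [(pi, _block_b(0) | seg, 0xE0CD, (raw[2 * seg] << 8) | raw[2 * seg + 1])
            for seg in range(PS_LEN // 2)]


def encode_rt_groups(pi, text, ab=0):
    """2A groups for a RadioText message, CR-terminated when shorter than 64 chars."""
    raw = text.encode("latin-1")[:RT_LEN]
    if len(raw) < RT_LEN:
        raw += bytes([CR])
    raw += b" " * (-len(raw) % 4)           # pad the last 4-character segment
    return [(pi, _block_b(2) | (ab << 4) | seg,
             (raw[4 * seg] << 8) | raw[4 * seg + 1], (raw[4 * seg + 2] << 8) | raw[4 * seg + 3])
            for seg in range(len(raw) // 4)]


def decode_all(groups, st=None):
    """Feed a sequence of groups through the decoder; returns (state, group types)."""
    st = st or RdsState()
    return st, [decode_group(st, *g) for g in groups]


if __name__ == "__main__":
    groups = encode_ps_groups(0x1234, "PWN2OWN") + encode_rt_groups(0x1234, "Pwn2Own Automotive 2024 Tokyo")
    st, types = decode_all(groups)
    print(f"PI={st.pi:04X} PS={programme_service(st)!r} RT={radiotext(st)!r} groups={types}")
```

The same structure applies to the other RDS data types: each is addressed by a field of fixed width, so a receiver that sizes its buffers from the standard and indexes by the address bits cannot be pushed past them, whereas one that accumulates "until the terminator" depends on a byte the transmitter may never send.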

Open Source Software

This information was gathered from the open-source license notices shown on the Sony touchscreen. The copyright years are given as a starting point for identifying the component versions in use; a better method would be to obtain the device's file system image and inspect the binaries directly.

— OpenSSL (1998-2018)
— LwIP (2001-2004)
— libpng (1995-2018)
— zlib (1995-2017)
— md5 (RSA md5 1990)
— unrarlib (2000-2002)
— BidiReferenceCpp (1991-2012)
— LibYuv (2011)
— LZ4 (2011-2016)

Further research into the software used by the head unit is warranted.

Sony XAV-AX5500 Hardware Details

The Sony XAV-AX5500 comprises two circuit boards. The display board hosts the main display screen, as well as all the other user interface buttons on the unit. The primary board connects to the vehicle and hosts the primary ARM CPU and wireless modules. More research will be done to better identify these devices.

Detailed images of the Sony XAV-AX5500 PCBs are provided as follows:

Figure 1 - Side A of the PCB featuring the wireless module and the ARM CPU

Figure 2 - Side B of the PCB featuring the wireless module and the ARM CPU

Figure 3 - Side A of the PCB showing the MXT499T-T Adaptive Touchscreen Controller and other components

Figure 4 - Side B of the PCB showing the MXT499T-T Adaptive Touchscreen Controller and other components

Summary

While these may not be the only attack surfaces available on the Sony XAV-AX5500 head unit, they represent the most likely avenues a threat actor may use to exploit the device. Sony has long been a leader in innovative radio and consumer devices. From their simple transistor radios in the 1950s to the ubiquitous Walkman of the 1980s to the world's first car mini-disc player in the 1990s, Sony has consistently advanced entertainment technology. It will be interesting to see if the security of their devices has kept up with their other innovations. We’re excited to see what research is displayed in Tokyo during the event.

Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

A Detailed Look at Pwn2Own Automotive EV Charger Hardware

29 November 2023 at 17:29

In a previous blog, we took a look at the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we dive in with even greater detail on all of the EV chargers targeted in the upcoming Pwn2Own Automotive competition. This isn't meant to be a detailed exploitation guide. However, we hope these high-resolution images will inspire some of the research we hope to see on display in Tokyo.


This post provides detailed imagery of the target EV chargers we are including in the upcoming Pwn2Own Automotive contest. Our intention is to help contestants understand the component hardware included in the EV chargers for the competition. But first, a safety reminder:

EV Chargers contain high voltages. Use extreme caution when working with them.  Never touch interior components when powered on.  If you are unable to determine the safe vs unsafe regions within the device, seek qualified assistance before proceeding.  An open enclosure can be a deadly enclosure. Modifications to charging devices should not be made if there is an intent to ever plug the device into a vehicle or use the charging cable power or signal conductors as part of the experimentation. If there is such an intent, the EV charger should not be modified, and the appropriate connections should be made per the manufacturer's instructions. 

With that out of the way, let’s move on to the images.

Autel Maxi EV Charger

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Autel Maxi EV Charger.

·       ST Micro STM32F407ZGT6
·       Renergy RN830(B)
·       Barrot BR8051A01 Bluetooth radio
·       Quectel EC25-AFX
·       GigaDevice GD32F407
·       Espressif ESP32-WROOM-32D
·       Winbond 128 Mbit flash device
·       ISSI IS62WV10248EALL/BLL

The Autel Maxi comprises multiple boards. One board is dedicated to the display, one board is a metrology board for power measurement and distribution, one is a mobile communication module board, and, finally, there’s a CPU board.

Figure 1 - The Autel Maxi metrology board hosts the ST Micro STM32F407ZGT6 and Renergy RN830(B).

Figure 2 - The Autel Maxi mobile communication PCB hosts the Quectel EC25-AFX.

Figure 3 - The Autel Maxi CPU PCB hosts the GigaDevice GD32F407, an Espressif ESP32-WROOM, a Winbond flash storage chip, and a Barrot BR8051A01 Bluetooth radio.

Figure 4 -The reverse side of the Autel Maxi CPU board contains the Barrot BR8051A01 Bluetooth radio.

Figure 5 - A detailed look at the Barrot BR8051A01 Bluetooth radio.

ChargePoint Home Flex

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the ChargePoint Home Flex EV charger.

·       Atmel AT91SAM9N12
·       Micron MT47H64M16NF-25E IT:M - 1 Gbit DDR2 DRAM
·       Micron MT29F4G08ABBDAH4-IT:D - 4 Gbit NAND flash
·       Inventek ISM43340 Wi-Fi/Bluetooth SiP module

The ChargePoint Home Flex comprises two circuit boards within the device housing. Those boards are the metrology board and the CPU board. The CPU board hosts an Atmel ARM CPU, a Wi-Fi radio, and a Bluetooth LE radio. The CPU board is labeled CPH-50 CPU on the PCB silkscreen markings. Also, the unpopulated debug header labeled CN1 exposes the JTAG debugging interface of the Atmel AT91SAM9N12.

Figure 6 – ChargePoint Home Flex CPU board side 1, with Atmel ARM CPU, WiFi radio, and Bluetooth LE radio. P3 serial port labels have been added to the image.

Figure 7 – ChargePoint Home Flex CPU board, side 2.

The metrology board hosts an MSP430 microcontroller. It terminates the power connection from the power supply. It also terminates the charging cable that end users connect to the electric vehicle. The metrology board also provides power to the CPU board via a stacked PCB connector on the upper right of the metrology board. The metrology board is labeled with the identifier Panda AC 50 on the PCB silk screen markings.

Figure 8 – ChargePoint Home Flex metrology board side 1, with MSP430 microcontroller.

Figure 9 - ChargePoint Home Flex metrology board side 2.

Emporia Smart Home EV Charger

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Emporia Smart Home EV charger.

·       Espressif ESP32-WROVER-IB
·       TI MSP430F6736A

The device is built around the Espressif ESP32-WROVER-IB Wi-Fi and Bluetooth module. It is marked on the board as U1. The serial interface of the ESP32 is connected to the vias located directly next to the module labeled H3-H10. Identifying the pinout is an exercise for the reader.

Figure 10 - Emporia Smart Home EV Charger employs a single board design. The ESP32 module is to the left, and the MSP430 is in the center.

The Emporia Smart Home EV charger uses a TI MSP430F6736A microcontroller for the metrology function.

Figure 11 - Emporia Smart Home EV Charger detail image of the TI MSP430F6736A used for metrology.

Enel X Way Juicebox 40 EV Charger

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Enel X Way Juicebox EV charger.

·       Silicon Labs WGM160PX22KGA3
·       Silicon Labs MGM13S SiP Module
·       Atmel ATmega328P
·       Atmel M90E36A Metering IC

The following image shows an overview of most of the main PCB. The Silicon Labs WGM160PX22KGA3 is toward the top-left of the following image and is marked U3. The Silicon Labs MGM13S SiP Module is toward the lower left of the following image and is labeled U11. The Atmel ATmega328P is located left-of-center in the following image and is labeled U14.

Figure 12 - Enel X Way Juicebox 40 EV Charger main PCB hosts both application and metrology. The Silicon Labs WGM160PX22KGA3 is shown in the lower right of this figure, and the Atmel ATmega328P is shown in the middle.

The following image shows the right-hand side of the board. This is where the Atmel M90E36A Metering IC is located. It is located on the right-hand side of the board and is marked U25.

Figure 13 - Enel X Way Juicebox 40 EV Charger main PCB is shown with the Atmel M90E36A metrology processor shown to the right.

Figure 14 - Enel X Way Juicebox 40 EV Charger detail view of Silicon Labs WGM160PX22KGA3.

Phoenix Contact CHARX SEC 3100

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Phoenix Contact CHARX SEC 3100 EV charge controller.

·       NXP MCIMX6G2CVM05AB - i.MX 6UltraLite processor
·       Infineon OPTIGA™ TPM SLB 9670 (TPM 2.0)
·       Micron MT41K256M16TW-107 IT:P - 4 Gbit DDR3 SDRAM
·       Micron MTFC8GAKAJCN-4M IT - 64 Gbit eMMC NAND flash
·       Sierra Wireless RC7620-1
·       STM32F303 Arm microcontroller

The Phoenix Contact CHARX SEC 3100 is an EV charging controller. The device is typically mounted on a DIN rail. The enclosure contains two PCBs interconnected via a bus at the rear of the enclosure. In this document, we refer to one PCB as the CPU Board, and the other as the Metrology Board.

The CPU Board hosts the NXP MCIMX6G2CVM05AB Arm Cortex-A7 CPU along with its associated DDR3 and eMMC NAND flash components. Additionally, the CPU Board carries two Ethernet interfaces, one USB-C interface, a micro SD card reader, a micro SIM card slot, and a Sierra Wireless RC7620 cellular modem.

The Phoenix Contact CHARX SEC 3100 runs Linux, and the manufacturer provides access via a preexisting user account on the system.

Figure 15 - Phoenix Contact CPU Board Side 1. This CPU board contains the NXP MCIMX6G2CVM05AB i.MX 6UltraLite processor, the Micron MT41K256M16TW-107 IT:P 4 Gbit DDR3 SDRAM, and the Micron MTFC8GAKAJCN-4M IT 64 Gbit eMMC NAND flash.

Figure 16 - Phoenix Contact CPU Board Side 2. This side of the CPU board has two Ethernet controller chips and the Infineon OPTIGA™ TPM SLB 9670 (TPM 2.0).

The Metrology Board hosts the STM32F303 Arm microcontroller.

Figure 17 - Phoenix Contact Metrology Board Side 1. The metrology board hosts circuitry for power metering.

Figure 18 - Phoenix Contact Metrology Board Side 2. The metrology board hosts a STM32F303 Arm microcontroller and communicates with the CPU board over the inter-board bus connector shown on the left side of the board in this figure.

Ubiquiti EV Station

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Ubiquiti EV Station.

·       Qualcomm APQ8053 SoC
·       Nuvoton M482LGCAE (ARM)
·       Samsung KMQX60013A-B419 DRAM / NAND
·       Realtek RTL8153-BI Ethernet controller
·       Qualcomm WCN3680B (Wi-Fi)
·       NXP PN71501 (NFC)
·       TI USB 4 Port Hub - TUSB2046BI
·       Qualcomm PMI8952 (PMIC)
·       Qualcomm PM8953 (PMIC)
·       UART DEBUG port
·       USB C port

The following is an overview image of the main CPU board of the Ubiquiti EV Station. The board has several collections of highly integrated components, each isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.

In the center of the board sits the Qualcomm APQ8053 and the Samsung KMQX60013A-B419 combined DRAM and NAND flash package. These represent the primary application processor for the device, along with the RAM and flash storage for the device. They are marked U5 on the PCB silkscreen.

Just beneath this section of the PCB lie three connectors. A connector marked JDB2 and UART DEBUG emits boot messages from the Ubiquiti EV Station upon boot. In the center is a USB-C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.

In the top center of the following image is an unpopulated component marked U20. It's possible this is an unpopulated footprint for a cellular communication module.

Figure 19 - Ubiquiti EV Station CPU board. The Ubiquiti EV Station is a highly integrated device based around a Qualcomm APQ8053 SoC.

The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquiti EV Station:

Figure 20 - Ubiquiti EV Station CPU board, showing details of the Qualcomm APQ8053 SoC and Samsung KMQX60013A-B419 combined flash storage and RAM device.

In the following image, the PCB shows a stencil marked "J23." Trend Micro researchers endeavored to discover where this header is connected. They suspected the vias in J23 might lead to a debug interface on the board; on further inspection, they determined that the J23 vias are connected to the unpopulated device marked U20.

Figure 21 - Ubiquiti EV Station detail image of the Realtek RTL8153-BI Ethernet controller.

Conclusion

We hope this imagery will inspire you to take a deeper look at the EV chargers to be targeted at Pwn2Own Automotive. Time is running out to register, with the deadline being January 18, 2024. As always, we recommend using basic electrical safety handling procedures whenever working with electrical devices. Potentially lethal voltages will be present within the unit, especially when powered from a 230 VAC source. We hope to see both you and your exploits in Tokyo.

Until then, stay tuned to this blog for attack surface reviews and how-to guides for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Attack Surface of the Ubiquiti Connect EV Station

5 December 2023 at 17:58

Previously, we looked at the attack surface of the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another EV Charger. The Ubiquiti Connect EV Station is a weatherproof Level 2 electric vehicle charging station designed for organizations. We cover the most obvious areas a threat actor would explore when attempting to compromise the device.


The Ubiquiti Connect EV Station is a Level 2 charging station for electric vehicles. The EV Station is meant to be managed by a Ubiquiti management platform running the UniFi OS Console, such as the Ubiquiti Dream Machine or Cloud Gateway. Users can also use the iOS or Android UniFi Connect mobile apps to configure the EV Station.

Attack Surface Summary

The Ubiquiti EV Station is an Android device, which makes it unique among the electric vehicle chargers included as target devices in Pwn2Own Automotive 2024.

Trend Micro researchers observed the UART port of the device during power-up. The Ubiquiti EV Station employs a Qualcomm APQ8053 SoC as the primary CPU. The Android operating system boots and emits boot messages on the UART serial port located inside the device housing. The following areas are confirmed and represent a potential attack surface on the device:

·       Android OS
·       USB
o   Android USB debugging might be possible
·       Ubiquiti Connect mobile applications
·       Network attack surface
o   Wi-Fi, including Wi-Fi driver
o   Ethernet / Local IP networking
§  Realtek RTL8153-BI Ethernet controller and its driver
o   Multicast IP networking
§  UDP port 10001
·       Bluetooth Low Energy (BLE) 4.2
·       Near Field Communication (NFC)

Ubiquiti EV Station Documentation

Documentation for the Ubiquiti EV Station provides only high-level information about the installation and operation of the device. Additional documentation can be found at:

·       Ubiquiti EV Station product page
·       Ubiquiti EV Station technical specifications
·       Ubiquiti EV Station installation guide
·       UniFi Connect iOS application
·       UniFi Connect Android application

Ubiquiti EV Station Hardware Analysis

Ubiquiti provides high-level technical specifications for the EV Station on their website. Trend Micro researchers have performed an analysis of the discrete hardware devices found in the EV Station. The following list summarizes the components Trend Micro researchers have identified as notable and/or as potential attack surface in the Ubiquiti EV Station.

•         Qualcomm APQ8053 SoC
•         Nuvoton M482LGCAE (Arm Cortex-M4 microcontroller)
•         Samsung KMQX60013A-B419 DRAM / NAND
•         Realtek RTL8153-BI Ethernet controller
•         Qualcomm WCN3680B (Wi-Fi)
•         NXP PN71501 (NFC)
•         TI TUSB2046BI four-port USB hub
•         Qualcomm PMI8952 (PMIC)
•         Qualcomm PM8953 (PMIC)
•         UART DEBUG port
•         USB-C port

Figure 1 below is an overview of the main CPU board of the Ubiquiti EV Station. The board has several collections of highly integrated components, each one isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.

In the center of the board sits the Qualcomm APQ8053 SoC alongside the Samsung KMQX60013A-B419 multi-chip package, which combines DRAM and NAND flash in one device. Together they provide the primary application processor, RAM, and flash storage for the device. They are marked U5 on the PCB silkscreen.

Three connectors reside just beneath this section of the PCB. A connector marked JDB2 and UART DEBUG emits boot messages from the Ubiquiti EV Station upon startup. In the center is a USB-C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.

In the top center of the following image is an unpopulated component marked U20. It is possible this is an unpopulated footprint for a cellular communication module.

Figure 1 - Overview image of the main PCB of the Ubiquiti EV Station

The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquiti EV Station:

Figure 2 - Detail image of the EV Station Qualcomm APQ8053 SoC, Samsung KMQX60013A-B419 DRAM / NAND and UART Debug Port

In the following image, the PCB carries a silkscreen label marked 'J23.' Trend Micro researchers set out to discover where this header connects. They initially suspected the vias in J23 might lead to a debug interface on the board. On closer inspection, they determined that the vias on J23 connect to the unpopulated footprint marked U20.

Figure 3 - Detail image of the EV Station Realtek RTL8153-BI Ethernet controller

Network Analysis

The device can connect to local networks over both Wi-Fi and Ethernet. Trend Micro researchers connected the EV Station to a test Ethernet network to investigate the network attack surface prior to associating the EV Station to a Ubiquiti UniFi Console.

In an unconfigured state, the EV Station does not listen on any TCP ports. It does, however, send regular outbound probes looking for HTTP proxies on TCP port 8080, so an attacker on the local segment who can answer those probes has a first point of contact with the device even before it is adopted.

Additionally, the Ubiquiti EV Station joins the multicast group 233.89.188.1 via IGMP and sends packets to that address on UDP port 10001. The EV Station uses this port for the protocol commonly called the 'UBNT Discovery Protocol,' which advertises the device model, firmware version, and other information. Because the traffic is multicast, any host on the same segment can collect it passively and fingerprint the device.

The following hex data shows an Ethernet frame, IP packet, and UDP datagram that encapsulate the UBNT discovery packet. The UBNT discovery data begins at offset 0x2A.
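The parser below is an added example, not code from the post or from Ubiquiti. It walks a raw Ethernet frame to the UDP payload at offset 0x2A (which assumes an option-less IPv4 header, a check the code enforces), then decodes the v1 discovery payload as a 4-byte header followed by type / 16-bit length / value records. The TLV type numbers and the 233.89.188.1 to 01:00:5e:59:bc:01 MAC mapping come from public descriptions of the protocol, not from the post; the frame itself is constructed here, with a made-up MAC, TEST-NET addresses, and placeholder strings, so nothing in it is a real capture.

```python
"""Parse a UBNT discovery datagram out of a raw Ethernet frame (added example)."""
import socket
import struct

UBNT_GROUP = "233.89.188.1"   # multicast group the EV Station joins
UBNT_PORT = 10001             # UDP port carrying the discovery datagram
UBNT_OFFSET = 14 + 20 + 8     # 0x2A: Ethernet + option-less IPv4 + UDP headers

# TLV type numbers follow public write-ups of the v1 discovery format
# (an assumption in this example, not something the post states).
TLV_NAMES = {0x01: "hwaddr", 0x02: "hwaddr_ip", 0x03: "firmware", 0x0A: "uptime",
             0x0B: "hostname", 0x0C: "platform", 0x0D: "essid", 0x0E: "wmode"}


def _decode_tlv(t: int, v: bytes):
    """Decode the value encodings we know; anything else comes back as raw bytes."""
    if t == 0x01 and len(v) == 6:
        return v.hex(":")
    if t == 0x02 and len(v) == 10:
        return (v[:6].hex(":"), socket.inet_ntoa(v[6:10]))
    if t == 0x0A and len(v) == 4:
        return struct.unpack("!I", v)[0]
    if t in (0x03, 0x0B, 0x0C, 0x0D):
        return v.decode("utf-8", "replace")
    return v


def parse_ubnt_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP, then parse the TLVs that start at offset 0x2A."""
    if len(frame) < UBNT_OFFSET + 4:
        raise ValueError("frame too short for a discovery datagram")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    if (frame[14] & 0x0F) * 4 != 20:
        raise ValueError("IPv4 options present; payload is not at 0x2A")
    if frame[23] != 17:
        raise ValueError("not UDP")
    dst_ip = socket.inet_ntoa(frame[30:34])
    sport, dport, ulen = struct.unpack("!HHH", frame[34:40])
    if dport != UBNT_PORT:
        raise ValueError(f"unexpected UDP port {dport}")
    payload = frame[UBNT_OFFSET:UBNT_OFFSET + ulen - 8]
    version, cmd, plen = struct.unpack("!BBH", payload[:4])
    if version != 1:
        raise ValueError(f"unsupported discovery version {version}")
    body = payload[4:4 + plen]
    if len(body) != plen:
        raise ValueError("discovery payload truncated")  # header length exceeds the data
    tlvs, pos = {}, 0
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("dangling TLV header")
        t, length = struct.unpack("!BH", body[pos:pos + 3])
        v = body[pos + 3:pos + 3 + length]
        if len(v) != length:
            raise ValueError(f"TLV {t:#04x} claims {length} bytes, only {len(v)} present")
        tlvs[TLV_NAMES.get(t, f"type_{t:#04x}")] = _decode_tlv(t, v)
        pos += 3 + length
    return {"dst_ip": dst_ip, "sport": sport, "dport": dport, "cmd": cmd, "tlvs": tlvs}


def _ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def _tlv(t: int, v: bytes) -> bytes:
    return struct.pack("!BH", t, len(v)) + v


def build_sample_frame() -> bytes:
    """Constructed frame (not a real capture): a v1 discovery announce from 192.0.2.10."""
    mac = bytes.fromhex("020000aabbcc")            # locally administered, made up
    src_ip = socket.inet_aton("192.0.2.10")
    body = (_tlv(0x01, mac)
            + _tlv(0x02, mac + src_ip)
            + _tlv(0x03, b"example-fw-1.0")        # placeholder, not a real version
            + _tlv(0x0A, struct.pack("!I", 3600))
            + _tlv(0x0B, b"ev-test")
            + _tlv(0x0C, b"EV-Station-example"))
    payload = struct.pack("!BBH", 1, 0, len(body)) + body
    udp = struct.pack("!HHHH", UBNT_PORT, UBNT_PORT, 8 + len(payload), 0)  # checksum 0 is legal for IPv4 UDP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0,
                     1, 17, 0, src_ip, socket.inet_aton(UBNT_GROUP))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    # 233.89.188.1 maps to multicast MAC 01:00:5e:59:bc:01 (low 23 bits of the group)
    eth = bytes.fromhex("01005e59bc01") + mac + struct.pack("!H", 0x0800)
    return eth + ip + udp + payload


if __name__ == "__main__":
    print(parse_ubnt_frame(build_sample_frame()))
```

Feeding a real capture (for example the bytes of a single frame exported from Wireshark) to `parse_ubnt_frame` is the intended use; the length checks matter because a device that emits a TLV length larger than the remaining datagram is exactly the kind of malformed input a discovery listener must reject rather than read past.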

Bluetooth LE Analysis

In the unconfigured state, the Ubiquiti EV Station Bluetooth LE interface acts as a BLE peripheral device. Using a BLE scanning tool, the Trend Micro researchers observed the following Bluetooth LE endpoints on the EV Station.

The device sets its BLE name to QCOM-BTD, which appears to be a default Qualcomm configuration. There is a single BLE service defined. This service exports three characteristics: one is read-only, one is notify-only, and one allows read, write, and notify operations.

Further analysis of the EV Station file system shows native code libraries responsible for the observed behavior. Additional investigation into these libraries may prove fruitful for contestants.

Additional information about the expected BLE functionality can also be gained by analyzing the mobile applications. Trend Micro researchers reverse engineered the UniFi Connect Android app and found code meant to communicate with the device over BLE. However, the BLE characteristics referenced in the Android application do not match those advertised by the EV Station. It is possible that after the EV Station is fully set up, the BLE stack is reconfigured to expose the endpoints the app expects.

Future potential analysis

To mount a successful attempt against the Ubiquiti EV Station at Pwn2Own Automotive in Tokyo, contestants will need to perform additional analysis of the device to determine potential weaknesses. Trend Micro researchers analyzed the Samsung KMQX60013A-B419 DRAM / NAND device by removing it from the EV Station board and reading it out. This combination DRAM and NAND flash device contains the storage that supports the functionality of the EV Station.

As previously mentioned, the Ubiquiti EV Station runs the Android operating system. The EV Station flash contains numerous partitions. Using standard Linux tools, Trend Micro researchers identified several potential partitions. Some of these are real partitions and some appear to be false-positive detections by various tools. Several partitions have been verified and investigated. The following list shows the output produced on a Linux system using the `parted` command listing the partitions on the NAND flash device.

Trend Micro researchers used several methods for identifying partition data and mounting the partitions on the NAND flash device. The following command shows one method for mounting the system_a partition. Once the partition is mounted, a typical Android OS system partition is discovered.
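The script below is an added example of the procedure just described, not the commands the researchers used. It takes the `parted -s IMAGE unit B print` listing of a flash dump, pulls the byte start and size of a named partition, and mounts that range read-only through a loop device with `offset=`/`sizelimit=`, so the dump itself is never modified. The parted output embedded here is constructed to look like a typical Android A/B layout and is not the EV Station's real partition table; `nand.img` is a placeholder path.

```sh
#!/bin/sh
# Added example: locate a named partition in a flash dump and mount it read-only.

# Constructed sample of `parted -s nand.img unit B print` output (not the post's real listing).
SAMPLE_PARTED='Model:  (file)
Disk /tmp/nand.img: 15758000128B
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start        End           Size         File system  Name      Flags
 1      17408B       1066495B      1049088B                  modem
 2      1066496B     2115583B      1049088B                  boot_a
 3      2115584B     1075838975B   1073723392B  ext4         system_a
 4      1075838976B  2149562367B   1073723392B  ext4         system_b
'

# part_bounds PARTED_OUTPUT NAME -> prints "start size" in bytes, exit 1 if NAME is absent.
# The Name column shifts depending on whether parted detected a file system,
# so the row is scanned for a field equal to NAME instead of assuming a column.
part_bounds() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 ~ /^[0-9]+$/ {
            for (i = 1; i <= NF; i++)
                if ($i == name) { sub(/B$/, "", $2); sub(/B$/, "", $4); print $2, $4; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# mount_partition IMAGE NAME MOUNTPOINT -> read-only loop mount of one partition.
# Needs root, parted, and util-linux mount; sizelimit= keeps the loop device from
# spilling past the partition into its neighbour.
mount_partition() {
    img=$1; name=$2; mnt=$3
    bounds=$(part_bounds "$(parted -s "$img" unit B print)" "$name") || {
        echo "partition $name not found in $img" >&2; return 1; }
    start=${bounds%% *}; size=${bounds##* }
    mkdir -p "$mnt"
    mount -o ro,loop,offset="$start",sizelimit="$size" "$img" "$mnt"
}

# Usage (as root, with a real dump):  mount_partition nand.img system_a /mnt/system_a
```

Once `system_a` is mounted this way, `ls /mnt/system_a/lib64` and `/mnt/system_a/app` are the natural starting points for the native libraries and APKs mentioned above; the read-only mount also means the dump remains a faithful copy if it is later needed for a second look.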

Extracting the data from flash storage is the first step to performing the analysis necessary to discover vulnerabilities that might be present in the Ubiquiti EV Station.

Summary

While these may not be the only attack surfaces available on the Ubiquiti EV Station, they represent the most likely avenues a threat actor may use to exploit the device. We’ve already heard from several researchers who intend to register in the EV Charger category, so we’re excited to see their findings displayed in Tokyo during the event. Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
