EV Cyber Security: PlaxidityX Discovers Critical Vulnerability in EVerest Open-Source EV Charging Firmware Stack (CVE-2024-37310)
Today’s vehicles have become more connected and software-driven, exposing them to cyber risks. Electric vehicles (EVs) are no different in this respect. However, what makes EVs particularly susceptible to cyber threats is that they are not standalone entities.
EVs are part of a larger interconnected ecosystem that includes charging stations, smart grids, and other vehicles. A security flaw in one of these components could conceivably put the other components at risk. For example, the communication between EVs and charging stations could be compromised by bad actors who tamper with charging stations, putting the vehicle at risk.
In light of these threats, the PlaxidityX research group has been conducting in-depth research on EV charging protocols and the communication between the EV and the charging station. Our goal was to explore and understand known and previously undisclosed ways that an EV, or a charging station could be attacked via the charging interface.
This article describes a critical vulnerability in an open-source framework discovered by our researchers, which could potentially allow an attacker to compromise and take control of a charging station. The vulnerability has already been responsibly disclosed to the project’s maintainers, and the issue has been fixed.
We believe the discovery of this vulnerability is also relevant for EV manufacturers: because these protocols are used for bi-directional communication, they must also be implemented in the EV. Therefore, while hypothetical, it is reasonable to assume that this same vulnerability could be used to compromise the ECU responsible for EV charging inside the vehicle.
Vulnerability Description (CVE-2024-37310)
The critical vulnerability was discovered in the EVerest project, which is an open source modular framework for setting up a full stack environment for EV charging. The EVerest project was initiated by PIONIX GmbH to help with the electrification of the mobility sector and is an official project of the Linux Foundation Energy (LFE). This large, open-source project aims to eventually become the standard communication stack for public charging stations.
Our team discovered an integer overflow in the V2G Transport Protocol (V2GTP) implementation of the EvseV2G module of the EVerest framework. This vulnerability leads to a heap overflow and allows an attacker to run arbitrary code on the Linux process which can lead to bypassing the payment gate for charging, compromise private keys stored in the charging station (also referred to as Electric Vehicle Supply Equipment, or EVSE) and communicate with the vendor’s backend using Open Charge Point Protocol (OCPP) by impersonating the compromised, but trusted charging station.
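To make the bug class concrete, the following is an added illustration written for this article; it is not EVerest's code and does not reproduce the project's exact defect. It parses a V2GTP frame (1-byte version, 1-byte inverse version, 16-bit payload type, 32-bit big-endian payload length, then the EXI payload) and places a length check that wraps in 32-bit arithmetic next to a hardened one. The receive-buffer size `MAX_PAYLOAD`, the helper names, and the sample frame bytes are all assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* V2GTP (ISO 15118-2) header layout: version, inverse version, 16-bit payload
 * type, 32-bit big-endian payload length, followed by the EXI payload. */
#define V2GTP_HEADER_LEN   8u
#define V2GTP_VERSION      0x01u
#define V2GTP_INV_VERSION  0xFEu
#define V2GTP_PAYLOAD_EXI  0x8001u
#define MAX_PAYLOAD        4096u   /* assumed size of the EVSE receive buffer */

typedef struct {
    uint8_t  version;
    uint8_t  inverse_version;
    uint16_t payload_type;
    uint32_t payload_length;
} v2gtp_header_t;

/* Parse the fixed header; rejects short input and bad version bytes. */
bool v2gtp_parse_header(const uint8_t *buf, size_t len, v2gtp_header_t *hdr) {
    if (buf == NULL || hdr == NULL || len < V2GTP_HEADER_LEN) return false;
    hdr->version         = buf[0];
    hdr->inverse_version = buf[1];
    hdr->payload_type    = (uint16_t)(((uint16_t)buf[2] << 8) | buf[3]);
    hdr->payload_length  = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                           ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    return hdr->version == V2GTP_VERSION && hdr->inverse_version == V2GTP_INV_VERSION;
}

/* Flawed length check (illustrates the bug class, not EVerest's exact code):
 * adding the header size to a peer-controlled uint32 wraps, so a huge length
 * looks small and a later copy of payload_length bytes runs past the buffer. */
bool length_check_wrapping(uint32_t payload_length, uint32_t received) {
    uint32_t total = payload_length + V2GTP_HEADER_LEN;  /* wraps near UINT32_MAX */
    return total <= received;
}

/* Hardened check: bound the field first, then subtract instead of add. */
bool length_check_safe(uint32_t payload_length, uint32_t received, uint32_t max_payload) {
    if (received < V2GTP_HEADER_LEN) return false;
    if (payload_length > max_payload) return false;
    return payload_length <= received - V2GTP_HEADER_LEN;
}

/* Copy a validated EXI payload into a caller-owned buffer.
 * Returns the payload length, or -1 if the frame must be discarded. */
long v2gtp_read_frame(const uint8_t *frame, size_t frame_len,
                      uint8_t *out, size_t out_cap) {
    v2gtp_header_t hdr;
    if (out == NULL || frame_len > UINT32_MAX) return -1;
    if (!v2gtp_parse_header(frame, frame_len, &hdr)) return -1;
    if (hdr.payload_type != V2GTP_PAYLOAD_EXI) return -1;
    uint32_t cap = out_cap < MAX_PAYLOAD ? (uint32_t)out_cap : MAX_PAYLOAD;
    if (!length_check_safe(hdr.payload_length, (uint32_t)frame_len, cap)) return -1;
    memcpy(out, frame + V2GTP_HEADER_LEN, hdr.payload_length);
    return (long)hdr.payload_length;
}

/* Build a constructed test frame whose length field may disagree with the
 * bytes actually present, as a malformed frame from a peer would. */
size_t build_frame(uint8_t *buf, size_t cap, uint32_t length_field,
                   const uint8_t *payload, size_t payload_len) {
    if (cap < V2GTP_HEADER_LEN + payload_len) return 0;
    buf[0] = V2GTP_VERSION; buf[1] = V2GTP_INV_VERSION;
    buf[2] = (uint8_t)(V2GTP_PAYLOAD_EXI >> 8); buf[3] = (uint8_t)V2GTP_PAYLOAD_EXI;
    buf[4] = (uint8_t)(length_field >> 24); buf[5] = (uint8_t)(length_field >> 16);
    buf[6] = (uint8_t)(length_field >> 8);  buf[7] = (uint8_t)length_field;
    memcpy(buf + V2GTP_HEADER_LEN, payload, payload_len);
    return V2GTP_HEADER_LEN + payload_len;
}

int main(void) {
    static const uint8_t exi[4] = {0x80, 0x9a, 0x00, 0x11};  /* constructed bytes */
    uint8_t frame[64], out[MAX_PAYLOAD];
    size_t n = build_frame(frame, sizeof frame, 4, exi, sizeof exi);
    printf("well-formed frame: %ld payload bytes\n", v2gtp_read_frame(frame, n, out, sizeof out));
    n = build_frame(frame, sizeof frame, 0xFFFFFFF8u, exi, sizeof exi);
    printf("wrapping check accepts 0xFFFFFFF8: %d\n", length_check_wrapping(0xFFFFFFF8u, (uint32_t)n));
    printf("hardened read of the same frame: %ld\n", v2gtp_read_frame(frame, n, out, sizeof out));
    return 0;
}
```

The two checks differ only in the direction of the arithmetic: the flawed one adds the header size to an untrusted field and lets unsigned wrap-around turn an out-of-range length into one that passes, while the hardened one caps the field against the buffer size and subtracts the header from the known received length, which cannot wrap. Bounding the field before any arithmetic is also what lets a fuzzer-found frame be rejected at the transport layer instead of reaching the EXI decoder.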
This vulnerability was discovered while testing the EVerest implementation with PlaxidityX Security AutoTester, a tool designed to fuzz and detect security issues and vulnerabilities in automotive protocols, including V2G.
PlaxidityX discreetly disclosed the vulnerability to the maintainers of the EVerest project, who worked quickly to fix the issue and release a patched version.
What makes this vulnerability unique?
Until now, most EV cyber security research has focused on the external communication protocols used to access the charging station [1] (e.g., WiFi, Bluetooth, NFC, etc.). In this case, the vulnerability is in the charging interface rather than in those typical communication interfaces. Our research around this vulnerability analyzes the direct communication between the EV and the charging station, an area that has yet to receive much attention from the security community. In particular, we wanted to understand how an EV could possibly be used to attack a charging station and vice versa.
Sample attack scenarios
To exploit this vulnerability, the attacker would need access to the public charging station. The most common way to gain access to the charging station software is through a physical connection. The attacker can take a regular charging cable, plug one end into the charging station and the other end (after making some simple modifications) into a PLC modem connected to a laptop, and then exploit the vulnerability to gain control of the charging station.
Note that high level communication between the EV and the EVSE is usually present in public charging stations. These stations can be located in remote areas, often without on-site staff and adequate physical security. In such scenarios, an attacker with the right tools could compromise a charging station without being noticed.
Why EVs May Also Be at Risk from This Vulnerability
As mentioned, the vulnerability we discovered relates to an error in the implementation of a communication protocol in a charging station. The ISO 15118-2 and DIN SPEC 70121 standards define the communication between the EV and the charging station; however, implementing these standards is both complex and prone to errors. At the end of the day, these errors could lead to bugs, which in turn could lead to security vulnerabilities.
What’s important to note here is that this same standard is also implemented in the Electric Vehicle Communication Control (EVCC) ECU in the vehicle. In EVs, the EVCC is responsible for handling the communication with the charging station. Thus, it’s reasonable to assume that the same vulnerability we found in the charging station software could also be found in the EVCC itself due to a faulty implementation.
In such a scenario, an attacker could exploit this vulnerability in the EVCC ECU to compromise the ECU and get a foothold inside the vehicle network. In extreme cases, this could give the attacker internal access to the CAN bus and potentially jeopardize the security of safety-critical vehicle components.
Important Takeaway for EV Manufacturers
Our research shows that like many other communication protocols, implementing the ISO 15118-2 standard is prone to programming errors and bugs. It is the responsibility of each EV manufacturer to take into account a wide variety of edge cases. There’s no cookie-cutter solution and getting the implementation right takes a lot of work.
The vulnerability we found illustrates the difficulty of getting it right. Although EVerest is a large open-source project maintained by many developers, we identified a critical vulnerability due to a faulty implementation. If this error managed to escape the eyes of numerous developers, it is reasonable to assume that a proprietary implementation developed in-house by an EV manufacturer could contain the same kind of error.
The bottom line is that EV manufacturers must be mindful of the complexity and potential security risks when it comes to implementing charging communication protocols in their vehicles (open source or otherwise). We’ve seen here what an error in the implementation could lead to.
Proactive Steps for EV Security
PlaxidityX has extensive experience working with leading global OEMs and Tier 1 suppliers in dozens of production projects to strengthen their products’ security posture and help them comply with new automotive cyber security regulations. Our Consultancy Research Group provides vehicle and ECU manufacturers with a comprehensive set of automotive cyber security services, including Automotive Penetration Testing, TARA and Cyber Security Architecture Design, and UNR 155 and ISO 21434 Cyber Security Compliance.
Want to talk to our automotive security experts about your EV cyber security needs?
[1] https://www.cybersecurity-help.cz/vdb/SB2024062534
[2] https://github.com/klsecservices/Publications/blob/master/chargepoint_home_security_research.pdf