Electric Vehicle Chargers: Observations from Pwn2Own Automotive 2024

This presentation will discuss the architectures employed by six electric vehicle chargers targeted by contestants in the inaugural Pwn2Own Automotive competition in Tokyo, Japan in January 2024. We will discuss the charger hardware, firmware, and software, and the relevant attack surfaces discovered by Trend Micro researchers during the months-long preparation for the competition. We will also discuss vulnerability classes that were exploited during Pwn2Own Automotive 2024 and the current state of automotive EV charger security.  We will look at the potential impacts of EV (Electric Vehicle) charger vulnerabilities, which could include impacts to the electric vehicles, the chargers, or to the electric grid itself.

During the inaugural Pwn2Own Automotive in January 2024, Trend Micro, VicOne, and the Zero Day Initiative (ZDI) hosted multiple international teams to showcase attacks targeting devices in the automotive space, including electric vehicle chargers. Contestants brought a total of 49 successful entries to the competition, including 26 attack chains targeting electric vehicle chargers from Autel, ChargePoint, Emporia, Enel X-Way, Phoenix Contact, and Ubiquiti.

As the use of electric vehicles increases, the need for additional charging infrastructure grows. Governmental agencies working at the local, state, and federal levels all have initiatives aimed at adding electric vehicle charging infrastructure in the United States, with approximately 130k public charging ports in 2023. In Europe, the number of charging ports grew to over 500k charging ports in early 2023. China is the world leader in the number of public EV charging points, with 1.7 million in 2022. As electric vehicle adoption grows, the amount of public charging infrastructure must continue to scale to meet transportation demands. Increased EV charging infrastructure makes the security of this burgeoning critical infrastructure more important.

Electric vehicle charging stations integrate a variety of computing resources to charge vehicles. Chargers can communicate with the vehicles over standard charging cables to regulate the amount of power and time for charging vehicles. Users of EV chargers typically can access charging resources using either local displays and other interfaces, or by using their mobile phones. To facilitate these charging activities, EV chargers feature a wide range of technologies, including Ethernet, Wi-Fi, Bluetooth, NFC, RFID, CAN, OCPP, and mobile applications. Charging platforms also employ many kinds of discrete devices, including various CPUs, microcontrollers, system-on-chip designs, radio modules, and electric current sensing and regulation equipment.

Some EV chargers are based around embedded microcontrollers that run custom firmware, and other models are observed running full operating systems such as Linux or Android.  EV chargers can include entire software stacks written in a combination of bespoke code and open-source code. Some chargers can operate in a standalone deployment, but many require connections to the vendor cloud, or other local management consoles. Many chargers are configured via local Bluetooth connections, and often part of this configuration is the configuration of the local Wi-Fi network to ultimately give the charger a connection to the vendor’s cloud infrastructure. The result for EV chargers is increased attack surface, both local and remote.

About the Presenter: Jonathan Andersson

Jonathan has a background in embedded systems design and began reversing radio systems using GNURadio in 2009.  He demonstrated the Icarus DSMX drone interception system (presented at PACSEC), researched RF vulnerabilities in industrial cranes and a wide array of other targets, and created the Capture the Signal (CTS) contest presented at several conferences globally.