In a previous blog, we took a look at the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, dive in with even greater detail on all of the EV Chargers targeted in the upcoming Pwn2Own Automotive competition. This isn’t meant to be a detailed exploitation guide. However, we hope these high-resolution images will inspire some of the research we hope to see on display in Tokyo.
This post provides detailed imagery of the target EV chargers we are including in the upcoming Pwn2Own Automotive contest. Our intention is to help contestants understand the component hardware included in the EV chargers for the competition. But first, a safety reminder:
EV Chargers contain high voltages. Use extreme caution when working with them. Never touch interior components when powered on. If you are unable to determine the safe vs unsafe regions within the device, seek qualified assistance before proceeding. An open enclosure can be a deadly enclosure. Modifications to charging devices should not be made if there is an intent to ever plug the device into a vehicle or use the charging cable power or signal conductors as part of the experimentation. If there is such an intent, the EV charger should not be modified, and the appropriate connections should be made per the manufacturer’s instructions.
With that out of the way, let’s move on to the images.
Autel Maxi EV Charger
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Autel Maxi EV Charger.
The Autel Maxi comprises multiple boards. One board is dedicated to the display, one board is a metrology board for power measurement and distribution, one is a mobile communication module board, and, finally, there’s a CPU board.
ChargePoint Home Flex
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the ChargePoint Home Flex EV charger.
The ChargePoint Home Flex comprises two circuit boards within the device housing. Those boards are the metrology board and the CPU board. The CPU board hosts an Atmel ARM CPU, a Wi-Fi radio, and a Bluetooth LE radio. The CPU board is labeled CPH-50 CPU on the PCB silkscreen markings. Also, the unpopulated debug header labeled CN1 exposes the JTAG debugging interface of the Atmel AT91SAM9N12.
The metrology board hosts an MSP430 microcontroller. It terminates the power connection from the power supply. It also terminates the charging cable that end users connect to the electric vehicle. The metrology board also provides power to the CPU board via a stacked PCB connector on the upper right of the metrology board. The metrology board is labeled with the identifier Panda AC 50 on the PCB silk screen markings.
Emporia Smart Home EV Charger
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Emporia Smart Home EV charger.
The device is built around the Espressif ESP32-WROVER-IB Wi-Fi and Bluetooth module. It is marked on the board as U1. The serial interface of the ESP32 is connected to the vias located directly next to the module labeled H3-H10. Identifying the pinout is an exercise for the reader.
The Emporia Smart Home EV charger uses a TI MSP430F6736A microcontroller for the metrology function.
Enel X Way Juicebox 40 EV Charger
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Enel X Way Juicebox EV charger.
The following image shows an overview of most of the main PCB. The Silicon Labs WGM160PX22KGA3 is toward the top-left of the following image and is marked U3. The Silicon Labs MGM13S SiP Module is toward the lower left of the following image and is labeled U11. The Atmel ATmega328P is located left-of-center in the following image and is labeled U14.
The following image shows the right-hand side of the board. This is where the Atmel M90E36A Metering IC is located. It is located on the right-hand side of the board and is marked U25.
Phoenix Contact CHARX SEC 3100
The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Phoenix Contact CHARX SEC 3100 EV charge controller.
· NXP MCIMX6G2CVM05AB – i.MX 6UltraLite Processor
· Infineon OPTIGATM TPM SLB 9670 TPM2.0
· Micron MT41K256M16TW-107 IT:P – 4gb DDR3 memory module
· Micron MTFC8GAKAJCN-4M IT – 64 Gbit MMC NAND flash
· Sierra Wireless RC7620-1
· STM32F303 Arm microcontroller
The Phoenix Contact CHARX SEC 3100 is an EV charging controller. The device is typically mounted on a DIN rail. The enclosure contains two PCBs interconnected via a bus at the rear of the enclosure. In this document, we refer to one PCB as the CPU Board, and the other as the Metrology Board.
The CPU Board hosts the NXP MCIMX6G2CVM05AB ARM Cortex A7 CPU along with its associated DDR3 and NAND flash components. Additionally, the CPU Board comprises two Ethernet interfaces, one USB C interface, a micro SD card reader, a micro SIM card slot, and a Sierra Wireless RC7620 cellular modem.
The Phoenix Contact CHARX SEC 3100 runs Linux, and the manufacturer provides access via a preexisting user account on the system.
The Metrology Board hosts the STM32F303 Arm microcontroller.
Ubiquity EV Station
The following list summarizes the components Trend Micro research has identified as notable components and/or potential attack surfaces in the Ubiquity EV Station.
· Qualcomm APQ8053 SoC
· Nuvoton M482LGCAE (ARM)
· Samsung KMQX60013A-B419 DRAM / NAND
· Realtek RTL8153-BI Ethernet controller
· Qualcomm WCN3680B (Wi-Fi)
· NXP PN71501 (NFC)
· TI USB 4 Port Hub – TUSB2046BI
· Qualcomm PMI8952 (PMIC)
· Qualcomm PM8953 (PMIC)
· UART DEBUG port
· USB C port
The following is an overview image of the main CPU board of the Ubiquity EV Station. The board has several collections of highly integrated components, each isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.
In the center of the board sits the Qualcom APQ8053 and Samsung KMQX60013A-B419 combination DRAM and NAND controller. These represent the primary application processor for the device, along with the RAM and flash storage for the device. They are marked U5 on the PCB silkscreen.
Just beneath this section of the PCB lie three connectors. A connector marked JDB2 and UART DEBUG emits boot messages from the Ubiquity EV Station upon boot. In the center is a USB C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.
In the top center of the following image is an unpopulated component marked U20. It’s possible this is an unpopulated footprint for a cellular communication module.
The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquity EV Station:
In the following image, the PCB shows a stencil marked “J23.” Trend Micro researchers endeavored to discover where this header is connected. They surmised it might be possible that the vias in J23 might be connected to a debug interface on the board. Upon further inspection, they determined the vias on J23 are connected to the unpopulated device marked U20.
We hope this imagery will inspire you to take a deeper look at the EV chargers to be targeted at Pwn2Own Automotive. Time is running out to register, with the deadline being January 18, 2024. As always, we recommend using basic electrical safety handling procedures whenever working with electrical devices. Potentially lethal voltages will be present within the unit, especially when powered from a 230VAC source. We hope to see both you and your exploits in Tokyo.
Until then, stay tuned to this blog for attack surface reviews and how-to guides for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
Written by admin
March 1, 2024GFN Thursday celebrates this leap day with the addition of a popular game store to the cloud. Stream the first titles from Blizzard Entertainment’s Battle.net, including Diablo IV, Overwatch 2, Call of Duty HQ and Hearthstone, now playable across more...
ZDI-24-214: NI FlexLogger RabbitMQ Incorrect Permission Assignment Local Privilege Escalation VulnerabilityFebruary 29, 2024This vulnerability allows local attackers to escalate privileges on affected installations of NI FlexLogger. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a...
ZDI-24-213: NI FlexLogger userservices Missing Authorization Local Privilege Escalation VulnerabilityFebruary 29, 2024This vulnerability allows local attackers to escalate privileges on affected installations of NI FlexLogger. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a...