Background
SwRI cybersecurity researchers have demonstrated that Level 1 and Level 2 electric vehicle (EV) chargers can be disrupted using a “Machine in the Middle” (MitM) attack. Newer EV charging standards have introduced Direct Current Fast Charging (DCFC), a faster alternative to Level 1 and Level 2 charging. DCFC uses Power-Line Communication (PLC) between the vehicle and the charger, which potentially introduces additional cybersecurity concerns. Because DCFC and PLC are still new, active investigation of their cybersecurity vulnerabilities is critical to protecting the EV charging industry.
Approach

Figure 1: DCFC charging with vehicle.
This project’s goal was to analyze the PLC communication of DCFC Electric Vehicle Supply Equipment (EVSE) to identify vulnerabilities, create potential exploits, and develop methods to mitigate these risks. The testers approached the first part of the goal by capturing and analyzing PLC data to understand the communication protocols and find any vulnerabilities. This was accomplished by establishing a Machine-in-the-Middle (MitM) setup between a SwRI-owned DCFC charger and a division-owned vehicle with a Combined Charging System (CCS) port. This setup requires the ability to gather PLC data and convert it into Ethernet packets for analysis. After analyzing the data, the second stage involved exploiting the PLC vulnerabilities discovered on the actual charger and vehicle. This requires reproducing PLC and pulse-width modulation (PWM) signals to inject attacks. Once these attacks have been accomplished, potential methods to counteract them will be developed. To accomplish this milestone, a hardware setup was established for testing and verifying the mitigations. Additionally, the team researched previous similar projects to compare vulnerabilities discovered in other environments and began writing software in preparation to leverage these vulnerabilities.
Accomplishments
A MitM hardware setup has been created between the DCFC charger and the vehicle, which includes being able to spoof a vehicle connected to the EVSE as well as spoof an EVSE connected to the EV. This MitM setup allows for the collection of PLC packets converted to Ethernet packets, which in turn has allowed the data to be analyzed. Research on other projects that utilized the PLC protocol has also been conducted to gain further insight into potential vulnerabilities. The testers found vulnerabilities in which values, such as the MAC addresses of both the EV and the EVSE, were sent in plaintext or encrypted with a known algorithm; these values allowed reprogramming of the non-volatile memory of PLC devices as well as the EV’s parameter information block. Discovering these values allowed the researchers to access the IPv6 layer between the EV and EVSE and use traditional Ethernet penetration testing methods, including port scanning. Port scanning exposed open SSH and HTTP services, the latter of which was vulnerable and allowed unauthenticated retrieval of proprietary information. These findings also lay the groundwork for bolstering the security of the DCFC charging infrastructure.
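One defensive consequence of the findings above is that the EV-to-EVSE IPv6 link should carry only charging-session traffic, so connection attempts to any other port (the SSH and HTTP services that port scanning exposed, for example) are themselves a detectable anomaly. The following is an added illustration written for this page, not SwRI's tooling or code from the project: it walks Ethernet II / IPv6 / TCP headers from frames as a PLC-to-Ethernet bridge would deliver them, ignores anything that is not a bare TCP SYN, and reports each source that sends SYNs to ports outside an allowed set, escalating to a "sweep" finding once enough distinct unexpected ports are hit. The MAC addresses, link-local IPv6 addresses, the allowed V2G port (49153) and the sample frames are all constructed placeholders, and the parser assumes a fixed 40-byte IPv6 header with no extension headers.

```python
"""Flag port-scan behaviour on the IPv6 link between an EV and a DC fast charger.

Added illustration for this page; not SwRI's tooling. Frames are assumed to be
Ethernet II frames as produced by a PLC-to-Ethernet bridge. The allowed port set
and all addresses below are constructed placeholders.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_HOMEPLUG_AV = 0x88E1   # HomePlug AV management frames, not IP traffic
IPPROTO_TCP = 6
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_tcp_syn(frame: bytes):
    """Return (src_mac, dst_mac, dst_port) for a bare TCP SYN over IPv6, else None.

    Minimal header walk: 14-byte Ethernet II, 40-byte fixed IPv6 header
    (extension headers are not handled), 20-byte TCP header.
    """
    if len(frame) < 14 + 40 + 20:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV6:
        return None
    ipv6 = frame[14:54]
    if (ipv6[0] >> 4) != 6 or ipv6[6] != IPPROTO_TCP:   # byte 6 is Next Header
        return None
    tcp = frame[54:74]
    _src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    flags = tcp[13]
    # A connection attempt is SYN without ACK; SYN/ACK replies are ignored.
    if flags & TCP_FLAG_SYN and not flags & TCP_FLAG_ACK:
        return (mac_str(src_mac), mac_str(dst_mac), dst_port)
    return None


def detect_scans(frames, allowed_ports, sweep_threshold=3):
    """Return per-source unexpected destination ports and sources that look like a sweep."""
    unexpected = defaultdict(set)
    for frame in frames:
        parsed = parse_tcp_syn(frame)
        if parsed is None:
            continue
        src, _dst, port = parsed
        if port not in allowed_ports:
            unexpected[src].add(port)
    report = {src: sorted(ports) for src, ports in unexpected.items()}
    sweeps = sorted(src for src, ports in report.items() if len(ports) >= sweep_threshold)
    return {"unexpected_ports": report, "sweeps": sweeps}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, flags):
    """Build Ethernet II + IPv6 + 20-byte TCP header (no payload, zero checksum)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    # version 6, traffic class/flow label 0, payload length 20, next header TCP, hop limit 64
    ipv6 = struct.pack("!IHBB", 0x60000000, 20, IPPROTO_TCP, 64) + src_ip + dst_ip
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ipv6 + tcp


# --- constructed sample traffic (placeholder addresses) ---------------------
EV_MAC = bytes.fromhex("02aabbcc0001")
EVSE_MAC = bytes.fromhex("02aabbcc0002")
EV_IP = bytes.fromhex("fe80" + "00" * 12 + "0001")     # fe80::1
EVSE_IP = bytes.fromhex("fe80" + "00" * 12 + "0002")   # fe80::2
ALLOWED_V2G_PORTS = {49153}   # constructed: the TCP port the charger announced for the session

SAMPLE_FRAMES = [
    # legitimate session setup from the EV to the charger, and the charger's reply
    build_frame(EV_MAC, EVSE_MAC, EV_IP, EVSE_IP, 50000, 49153, TCP_FLAG_SYN),
    build_frame(EVSE_MAC, EV_MAC, EVSE_IP, EV_IP, 49153, 50000, TCP_FLAG_SYN | TCP_FLAG_ACK),
    # probes to ports a charging session never uses
    build_frame(EV_MAC, EVSE_MAC, EV_IP, EVSE_IP, 50001, 22, TCP_FLAG_SYN),
    build_frame(EV_MAC, EVSE_MAC, EV_IP, EVSE_IP, 50002, 80, TCP_FLAG_SYN),
    build_frame(EV_MAC, EVSE_MAC, EV_IP, EVSE_IP, 50003, 443, TCP_FLAG_SYN),
    build_frame(EV_MAC, EVSE_MAC, EV_IP, EVSE_IP, 50004, 8080, TCP_FLAG_SYN),
    # a non-IPv6 frame on the same link is skipped by the parser
    EVSE_MAC + EV_MAC + struct.pack("!H", ETHERTYPE_HOMEPLUG_AV) + b"\x00" * 60,
]

if __name__ == "__main__":
    result = detect_scans(SAMPLE_FRAMES, ALLOWED_V2G_PORTS)
    for src, ports in result["unexpected_ports"].items():
        print(f"{src}: SYNs to unexpected ports {ports}")
    for src in result["sweeps"]:
        print(f"{src}: distinct unexpected ports reached the sweep threshold")
```

On a real bridge the frames would come from a capture file or a raw socket rather than the constructed list, and the allowed set would be populated from the port the charger actually announces at session start; the point of the example is that on this link a whitelist is practical because the legitimate traffic pattern is so narrow.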