Low Energy to High Energy: Hacking Nearby EV-Chargers Over Bluetooth
Thijs Alkemade & Khaled Nassar, Computest Sector 7

Introduction
1. Be in Bluetooth/WiFi range
2. ?
3. Execute arbitrary code on the charger

About us
We are:
- Khaled Nassar (notkmhn)
- Thijs Alkemade (infosec.exchange/xnyhps)
- Daan Keuper (daankeuper)
Working for Computest in The Netherlands

Pwn2Own Automotive
- First time: January 2024 in Tokyo
- In scope: Tesla, Infotainment systems, Automotive operating systems, EV chargers

EV chargers
- Level 2 chargers
- Targeted at the home market
- All of them come with these features: Connectivity (WiFi/Ethernet), Scheduling, Usage monitoring

EV chargers
Initially, we thought chargers would be well secured:
- New product category
- Limited communication interfaces
- Safety regulations

Smart EV Charging Station with WiFi: JuiceBox 40

JuiceBox 40
- BLE (provisioning)
- WiFi

JuiceBox 40
- Based on the Zentri IoT platform
- AMW006 or WGM160P module
- Both are ARM Cortex-M4 based MCUs
- Gecko OS 4.2.7 (?)
- There is an admin interface, with some commands?
- Accessible in setup mode over HTTP
- And accessible during standard operation over port 2000, telnet style!
- No authentication

Zentri DMS
- Managed IoT platform
- Specific hardware modules, providing: Update management; Device identification and authn,z; Core OS + SDK bindings for app development; Extensive API

Zentri DMS
- JuiceBox runs on an RTOS called "Gecko OS"
- Note: this OS is EOL!
- Firmware blobs are downloadable!
- We could investigate these before the device arrived

JuiceBox 40 (CVE-2024-23938)
- Gecko OS logs messages when certain events occur
- It is possible to change the format of these messages using a set variable command
- Limited to 32 characters per message template including a terminating NULL byte
- Support for different formatting tags per event type

JuiceBox 40 (CVE-2024-23938)
char scratch_buffer132;c
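The slides describe a message template capped at 32 bytes (including the NUL) that Gecko OS expands with per-event formatting tags into a scratch buffer. The C program below is an added example, not code from the talk or from Gecko OS: it shows why a bounded template does not imply bounded output (a two-byte tag can expand to a value far longer than itself, so a 30-byte template of 15 tags can produce hundreds of bytes), and a hardened expander that checks the remaining destination space before every write and fails cleanly instead of overrunning. The tag names (%m, %i, %s), their sample values, the 64-byte scratch size and all function names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE_MAX 32   /* template limit from the slides, including the NUL */
#define SCRATCH_SIZE 64   /* assumed scratch size for this example only */

/* Stand-in for the firmware's scratch buffer (size is an assumption). */
static char scratch_buffer[SCRATCH_SIZE];

/* Constructed worst case: 15 two-byte tags, 30 characters, well under the template limit. */
const char WORST_CASE_TEMPLATE[] = "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s";

/* Constructed tag values; real firmware would read these from device state. */
static const char *tag_value(char tag) {
    switch (tag) {
        case 'm': return "00:11:22:33:44:55";              /* MAC address, 17 bytes */
        case 'i': return "192.0.2.10";                     /* IP address, 10 bytes */
        case 's': return "JuiceBox-example-serial-0001";   /* serial, 28 bytes */
        default:  return NULL;                             /* unknown tag: '%' is literal */
    }
}

/* How many bytes the expansion would occupy, NUL excluded. Shows that the
 * output length is driven by tag values, not by the template length. */
size_t expanded_length(const char *tmpl) {
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *v = (*p == '%' && p[1] != '\0') ? tag_value(p[1]) : NULL;
        if (v) { n += strlen(v); p++; } else { n++; }
    }
    return n;
}

/* Hardened expansion: enforces the template limit, then checks that each
 * piece (literal or expanded tag) plus a terminating NUL still fits before
 * copying it. Returns false on any overflow; out is always NUL-terminated. */
bool expand_template(const char *tmpl, char *out, size_t out_size) {
    if (out_size == 0) return false;
    out[0] = '\0';
    if (strlen(tmpl) >= TEMPLATE_MAX) return false;   /* 32 chars + NUL would not fit */
    size_t pos = 0;
    for (const char *p = tmpl; *p; p++) {
        char one[2] = { *p, '\0' };
        const char *piece = one;
        if (*p == '%' && p[1] != '\0') {
            const char *v = tag_value(p[1]);
            if (v) { piece = v; p++; }
        }
        size_t len = strlen(piece);
        if (len >= out_size - pos) { out[pos] = '\0'; return false; }  /* leave room for NUL */
        memcpy(out + pos, piece, len);
        pos += len;
    }
    out[pos] = '\0';
    return true;
}

/* Convenience wrappers that expand into the example scratch buffer. */
bool expand_into_scratch(const char *tmpl) {
    return expand_template(tmpl, scratch_buffer, sizeof scratch_buffer);
}
const char *scratch_contents(void) { return scratch_buffer; }

int main(void) {
    const char *templates[] = { "ip=%i mac=%m", "%s%s", WORST_CASE_TEMPLATE };
    for (size_t i = 0; i < sizeof templates / sizeof templates[0]; i++) {
        bool ok = expand_into_scratch(templates[i]);
        printf("template %-32s len=%2zu expands to %3zu bytes -> %s\n",
               templates[i], strlen(templates[i]), expanded_length(templates[i]),
               ok ? scratch_contents() : "REJECTED (would overflow scratch)");
    }
    return 0;
}
```

The design point is that the bound has to be applied where the bytes are written, not where the template is stored: validating the template's length at the set-variable command tells you nothing about the size of the expanded message.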