We recently announced the rules and targets for the upcoming Pwn2Own Automotive competition. As we look forward to the event, we thought we would review the attack surface on some of the targets. We begin with the ChargePoint Home Flex – a 240-volt Level 2 home charger that delivers up to 50 amps of power.
The ChargePoint Home Flex is a level 2 electric vehicle charge station designed for use by end-users in their homes. The device has a minimal user interface in its hardware. The device employs mobile applications for both the installation and the regular operation of the equipment by the consumer.
ChargePoint Home Flex Attack Surface Summary
Broadly speaking, the attack surface of the device can be broken down into three categories.
1. ChargePoint Mobile Applications
The ServicePro application used by electricians during the installation of the ChargePoint Home Flex unit offers one avenue of attack.
The ChargePoint application used by end-users when configuring and using the ChargePoint Home Flex also provides an attack surface.
2. ChargePoint Home Flex hardware
The device includes an embedded Linux host that communicates over Wi-Fi to hosts on the internet. The unit also contains a PCB based around the Texas Instruments MSP430 micro-controller. The wireless communication PCB is based on an Atmel CPU. Finally, the JTAG interface is accessible via the wireless communication PCB.
3. Network Attack Surfaces
Software patches to the device are provided via Internet-based over-the-air (OTA) updates. The Bluetooth Low Energy (BLE) endpoint used by mobile applications for local communication could provide an opportunity for attack. Any Wi-Fi communication with a local access point opens the opportunity for interception and manipulation. Finally, the device implements the Open Charge Point Protocol (OCPP). Any deficiencies in this protocol would be inherited by the charger.
Prior Security Research
The ChargePoint Home Flex was the subject of a security assessment performed by Dmitry Skylar, a researcher from Kaspersky Labs. This review was performed in 2018, and the results were published in a paper, as well as a presentation at a number of security conferences. The slides can be found here.
ChargePoint Home Flex Mobile Applications
ChargePoint distributes two applications for use with the Home Flex charger. Both applications interact with the ChargePoint Home Flex over Bluetooth Low Energy (BLE).
The consumer-focused ChargePoint mobile app is intended for use by end-users to manage their charging preferences.
While we did not thoroughly investigate these applications for vulnerabilities or other bugs, problems in mobile applications have been used by threat actors in the past and represent a significant attack surface. Even though the mobile applications themselves are out of scope for the Pwn2Own Automotive contest, they should still be thoroughly reviewed by the research community.
ChargePoint Home Flex Bluetooth Low Energy
The ChargePoint Home Flex uses Bluetooth Low Energy to communicate with mobile applications. Trend Micro researchers used a custom BLE scanning tool to enumerate the endpoints made available by the charger.
The following service is defined in the BLE spec:
— BLE Service Device Information
— System ID:
— Model Number String: CPH50
— Serial Number String:
— Software Revision String: 220.127.116.11
The researchers observed the following BLE services and characteristics when scanning the device under test (DUT):
— Device Details Service 274BC3A3-1A52-4D30-99C0-4DE08FFF2358
— Get/Set PowerSourceType: Characteristic 8D4D6AF5-E562-4DC7-85AD-842FBF321C87
— Get/Set PowerSourceAmps: Characteristic F24F7C35-A5FD-4B98-BCA5-50BB5DC8E7CD
— Get/Set Apply Settings Status : Characteristic 5597DD46-7EDD-40CC-9904-B6934DC05E19
— Get/Set UserId : Characteristic E79C86D4-8106-4908-B602-5B61266B2116
— Get/Set Latitude : Characteristic 85F296FC-3152-4EF0-84CB-FAB8D05432E4
— Get/Set Longitude : Characteristic 9253A155-701A-4582-A0CF-5E517E553586
— Get/Set NOSStatus : Characteristic C31D51E5-BD61-4D09-95E2-C0E34ED1224C
— Get/Set Power Source: Characteristic C1972E92-0D07-4464-B312-E60BA5F284FC
— WIFI Service DFAF46E7-04F9-471C-8438-A72612619BE9
— Get/Set NextWIFIAccessPoint: Characteristic E5DEBB4B-4DAC-4609-A533-B628E5797E91
— Get/Set CurrentSSID: Characteristic EB61F605-DED9-4975-9235-0A5FF4941F32
— Get/Set WIFISecurityType: Characteristic 733ED10A-CD1B-43CA-A0C2-6864C8DCF7C1
— Get/Set WiFi Configuration: Characteristic 25A03F00-1AF2-44F0-80F2-D6F771458BB9
— Get/Set ApplyStatusCode: Characteristic 3BE83845-93E4-461E-8A49-7370F790EBC4
— Get/Set Always Empty Response Characteristic: Characteristic CED647D7-E261-41E2-8F0D-35C360AAE269
— Unknown Service B67CB923-50E4-41E8-BECC-9ACD24776887 B67CB923-50E4-41E8-BECC-9ACD24776887
— Get/Set Always NULL Byte Characteristic: Characteristic 7AC61302-58AB-47BA-B8AA-30094DB0B9A1
Trend Micro researchers performed limited probing of these BLE endpoints using a bespoke BLE scanner. In addition, Trend researchers performed reverse engineering of the end-user ChargePoint application. The names identified in the above listing have been inferred from the understanding of the Android application code.
ChargePoint Home Flex Hardware Details
The ChargePoint Home Flex comprises two circuit boards within the device housing. Those boards are the metrology board and the CPU board.
The metrology board hosts an MSP430 microcontroller. It terminates the power connection from the power supply, and it also terminates the charging cable that end-users connect to the electric vehicle. The metrology board also provides power to the CPU board via a stacked PCB connector on the upper right of the metrology board. The metrology board is labeled with the identifier Panda AC 50 on the PCB silkscreen markings. It hosts an MSP430 microcontroller.
The CPU board hosts an ATMEL Arm CPU, Wi-Fi radio, and Bluetooth LE radio. The CPU board is labeled CPH-50 CPU on the PCB silkscreen markings.
Here are some images detailing the ChargePoint Home Flex Metrology board and CPU board:
<img alt="" height="651" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/07d56feb-ca9d-424b-a2cf-6866ea5a36a6/Picture1.png?format=1000w" width="468" /> <p><em>Figure 1 - Front side of the CPH-50 CPU Board</em></p> <img alt="" height="665" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/990a1d4d-f849-4bac-bb36-c192a140afe2/Picture2.png?format=1000w" width="468" /> <p><em>Figure 2 - Back side of the CPH-50 CPU Board</em></p> <img alt="" height="541" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/2281bebf-9208-440e-ba72-13754f02c955/Picture3.png?format=1000w" width="468" /> <p><em>Figure 3 - Front side of the ChargePoint Home Flex metrology Board</em></p> <img alt="" height="540" src="https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/da84e1a2-046f-4996-b4cf-e7719ca1f81a/Picture4.png?format=1000w" width="468" /> <p><em>Figure 4 - Back side of the ChargePoint Home Flex metrology Board</em></p>
ChargePoint Home Flex Embedded Linux
Prior research performed by Kaspersky Labs indicates the charger uses the Linux operating system. The charger hardware has a board identified as the “Panda CPU” board, which implements all the accessible attack surface on the charger. The hardware comprises an ARM CPU, and the device provides a JTAG debug header. Prior research showed this JTAG header could be leveraged to obtain shell access to the charger.
During a preliminary assessment of the charger, Trend Micro researchers used a captive test network to interrogate the ChargePoint Home Flex. The test network had a Wi-Fi access point running connected to a network running a set of services configured to simulate the services the charger required. This network has a DNS server configured to respond to all DNS A-record queries with an IP address from within the test network.
During testing, the researchers observed the DNS queries made by the DUT and configured the DNS server with all the observed host names it attempted to connect to. Additionally, the test network includes a web server configured to respond to the web requests made by the DUT. The DUT has made DNS requests to the following domains:
The researchers noted that TLS connections initiated to web servers failed to establish due to the TLS certificate authority mismatches. The enforcement of TLS certificate authority matching is a security benefit.
The ChargePoint Home Flex connected over SSH to the server
ba79k2rx5jru.chargepoint.com on TCP port 343. The research network included a permissive SSH server that would allow authentication for any user. When the charger initiated a connection to the permissive SSH server in the test network, the researchers noted the SSH client from the DUT initiated a TCP port forward from the SSH server back to TCP port 23 on the charger. This matches the results noted by the Kaspersky research report.
While these may not be the only attack surfaces available on the ChargePoint Home Flex unit, they represent the most likely avenues a threat actor may use to exploit the device. ChargePoint has committed to providing the hardware for us to use during the Pwn2Own Automotive competition, and we appreciate their support. We’re excited to see what research is displayed in Tokyo during the event. Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.