Security consultancy Sternum has found a number of vulnerabilities in home EV chargers developed by ChargePoint
In a comprehensive research project, Israel-based Sternum identified security vulnerabilities involving the reverse SSH tunnel, a deprecated NTP client and an outdated HTTP server, and worked with ChargePoint to address the issues.
The latest firmware update from ChargePoint has disabled the HTTP server and updated the NTP client to address the issues. This corrects the weaknesses in the CPH50 home EV charger, reducing the attack surface and improving the security of the system.
The findings highlight the broader challenges in securing Internet of Things (IoT) devices, especially those linked to critical infrastructure such as electric vehicle charging stations. They also underline the need for regular updates to IoT devices to protect against evolving cybersecurity threats and deprecated software.
ChargePoint encourages researchers to collaborate with ChargePoint InfoSec to identify potential new vulnerabilities in its products or environment.
Sternum acquired three different iterations of the ChargePoint Home Flex device. After analyzing a variety of board revisions and through hardware and software security research, it gained access to the device’s firmware and secured a root shell using the JTAG headers on the device.
The vulnerability revolves around a flaw in the reverse SSH (rSSH) tunnel, established by each unit upon booting. This tunnel, intended to allow ChargePoint to access each charger for telemetry and diagnostics, presents a potential security risk because of the way these devices handle their SSH connections. Newer devices use a more secure on-demand approach but could still be exploited if the attacker waits for an on-demand connection from the server to the device, which can be initiated by requesting technical support.
Older versions of the software, however, still use an ‘always-connect’ default setting. While direct SSH login to the devices is not possible, the vulnerability lies in the potential to forward target ports, such as the HTTP server port, and exploit them for unauthorized access or manipulation.
During the firmware analysis, Sternum identified an outdated HTTP server, a deprecated NTP client with known vulnerabilities, a deprecated kernel, and device certificates with unlimited expiration time.
Dumping the key pairs from the device implies that an attacker, upon authenticating to ChargePoint’s central server, could potentially create their own tunnel. This unauthorized access could extend to each connected charger.
Sternum replicated the client-server setup in its testing facility to validate these findings. Following the discovery, the company actively collaborated with ChargePoint to address the vulnerability, and the fix is included in the latest software release.
The update included patching the NTP client, disabling the HTTP server and changing the SSH connection default to ‘on-demand’ to mitigate the vulnerability. ChargePoint’s fast response in patching these vulnerabilities is a testament to the importance of securing critical infrastructure.
“ChargePoint is committed to the security of all customer data, and through this collaboration, we’ve implemented critical enhancements to Home Flex,” said Teza Mukkavilli, Chief Information Security Officer of ChargePoint. “Our focus remains on delivering a convenient, dependable, and safe EV charging experience for all drivers.”