从低功耗到高功耗：通过蓝牙破解附近的电动汽车充电器.pdf

《从低功耗到高功耗：通过蓝牙破解附近的电动汽车充电器.pdf》由会员分享，可在线阅读，更多相关《从低功耗到高功耗：通过蓝牙破解附近的电动汽车充电器.pdf（96页珍藏版）》请在三个皮匠报告上搜索。

1、Low Energy to High Energy:Hacking Nearby EV-Chargers Over BluetoothThijs Alkemade&Khaled Nassar Computest Sector 7Introduction1.Be in Bluetooth/WiFi range 2.?3.Execute arbitrary code on the chargerAbout usWe are:Khaled Nassar notkmhn Thijs Alkemade infosec.exchange/xnyhps Daan Keuper daankeuper Work

2、ing for Computest in The NetherlandsPwn2Own AutomotivePwn2Own Automotive First time January 2024 in Tokyo In scope:Tesla Infotainment systems Automotive operating systems EV chargersEV chargersLevel 2 chargers Targeted at the home market All of them come with these features Connectivity(WiFi/Etherne

3、t)Scheduling Usage monitoringEV chargersInitially,we thought chargers would be well secured:New product category Limited communication interfaces Safety regulationsSmart EV Charging Station with WiFiJuiceBox 40JuiceBox 40BLE(provisioning)WiFiJuiceBox 40Based on the Zentri IoT platform AMW006 or WGM1

4、60P module Both are ARM Cortex-M4 based MCUs Gecko OS 4.2.7(?)There is an admin interface,with some commands?Accessible in setup mode over HTTP And accessible during standard operation over port 2000,telnet style!No authenticationZentri DMSManaged IoT platform Specific hardware modules,providing Upd

5、ate management Device identification and authn,z Core OS+SDK bindings for app development Extensive APIZentri DMSJuiceBox runs on an RTOS called“Gecko OS”Note:this OS is EOL!Firmware blobs are downloadable!We could investigate these before the device arrivedJuiceBox 40(CVE-2024-23938)Gecko OS logs m

6、essages when certain events occur It is possible to change the format of these messages using a set variable command Limited to 32 characters per message template including a terminating NULL byte Support for different formatting tags per event typeJuiceBox 40(CVE-2024-23938)char scratch_buffer132;c