v2g injector
play

V2G Injector Whispering to cars and charging units through the - PowerPoint PPT Presentation

Aug 01, 2023 •137 likes •731 views

V2G Injector Whispering to cars and charging units through the Power-Line By Sbastien Dudek SSTIC June 7th 2019 Working team on the subject @Fist0urs, @Karion_, and me About me Sbastien Dudek (@FlUxIuS) Working at Synacktiv*

  1. V2G Injector Whispering to cars and charging units through the Power-Line By Sébastien Dudek SSTIC June 7th 2019

  2. Working team on the subject @Fist0urs, @Karion_, and me

  3. About me Sébastien Dudek (@FlUxIuS) Working at Synacktiv* pentests, red team, audits, vuln researches Likes radio and hardware And to confront theory vs. practice * FR Offices in Paris, Toulouse, Lyon and now → Rennes!

  4. Introduction Current cars → Controller Area Network (CAN) bus Engine Control Units (ECUs) → targeted via On-Board Diagnostics (OBD) port And plenty other surfaces to investigate: Wi-Fi GPRS, 3G and 4G* etc. source: thetruthaboutcars.com *https://www.synacktiv.com/ressources/Troopers_NGI_2019-Modmobtools_and_tricks.pdf

  5. Our interest: the charging connector Is it only used for charging? Warning Tons of abbreviations! Let’s inspect this mysterious thing... 4

  6. Long story short: renewable energy Renewable energy production → variable and difficult to predict (solar, wind, user consumption, etc.) → Smart Grids People had to think about ways to store it First energy storage system → Battery-to-Grid (B2G) → Why not use car’s battery for energy storage too? 5

  7. The rise of V2G V2G: Vehicle-to-Grid Use Electric Vehicles (EVs) to store energy In bidirectional charging/discharging systems → pay for charging or get paid → compensate battery deterioration source: automobile-propre.com Looking at specs → V2G systems communicate with a protocol 6

  8. Standards for interoperability V2G uses several standards to communicate: ISO/IEC 15118: Vehicle-to-Grid (V2G) communication IEC 61851: conductive charging system IEC 61850-90-8: communication networks for EVs and so on. 7

  9. Publications Very few of them tackle the security issues and improvements on V2G: Peng Wang Zhigang Ji Wenpeng Luan, Gen Li. Security of V2G Networks: A Review. Boletín Técnico, Vol.55, Issue 17, 2017 Yan Zhang and Stein Gjessing. Securing Vehicle-to-Grid Communications in the Smart Grid. IEEE Wireless Communications, 2013. Uses Power-Line → we published a critical vulnerability concerning DAK key generation on most HomePlug AV devices 1 1 http://www.nosuchcon.org/talks/2014/D1_03_Sebastien_Dudek_Home- PlugAV_PLC.pdf 8

  10. V2G communication 1 HomePlug Green PHY 2 Preliminaries 3 Intruding a V2G network 4 V2G Injector 5 Conclusion 6

  11. V2G ECU Known as Vehicle Charging Control Unit (VCCU) Interfaced with a Combined Charging System (CCS) ECU is used for: vehicle state management, communication with the backend, coordination, etc. source: Michael Epping. Vehicle Charging Control Unit. EMOB, 2017 9

  12. Architecture source: https://res.mdpi.com/applsci/applsci-06- 00165/article_deploy/applsci-06-00165.pdf 10

  13. V2G layers L1: PHY communication via a Power-Line Communication Device L2: Management Message Entries (MME) L3: Supply Equipment Communication Controller (SECC) on → EV Supply Equipment (EVSE) host and port L4: V2GTP transports V2G source: https://res.mdpi.com/applsci/applsci-06- 00165/article_deploy/applsci-06-00165.pdf data ... 11

  14. TLS with V2G data TLS can be enabled → usually asked by EV Communication Controller (EVCC, client part) Must have two distinct private keys and certificates → ensure encryption and authenticity Needs a Certificate Authority (CA) to check Supply Equipment Communication Controller (SECC, server part) Interesting to test to confront specs ↔ targeted implementation 12

  15. TLS with V2G data TLS can be enabled → usually asked by EV Communication Controller (EVCC, client part) Must have two distinct private keys and certificates → ensure encryption and authenticity Needs a Certificate Authority (CA) to check Supply Equipment Communication Controller (SECC, server part) Interesting to test to confront specs ↔ targeted implementation Reality in heterogeneous envs Complicated to put in the chain → how vendors are dealing with it? ... ;) 12

  16. V2G communication 1 HomePlug Green PHY 2 Preliminaries 3 Intruding a V2G network 4 V2G Injector 5 Conclusion 6

  17. HomePlug Green PHY 13

  18. HomePlug AV and Green PHY HomePlug Green PHY (HPGP) → subset of HomePlug AV HomePlug AV used to extend domestic local network HPGP Intented to be used for ”smart” grid or other automation systems HomePlug AV higher peak rate than HomePlug Green PHY Keys: Network Membership Key (NMK): to encrypt the communication using 128-bit AES CBC Direct Access Key (DAK): to remotely configure the NMK of a argeted PLC device over the Power-Line interface 14

  19. Plug-in Electrical Vehicle (PEV) Association PLC packets are broadcasted in the Power-Line So after plugging → PEV does not know on which station it is connected source: HomePlug Green PHY whitepaper How to prevent from billing errors? 15

  20. SLAC procedure SLAC: Signal Level Attenuation Characterization source: HomePlug Green PHY whitepaper 16

  21. V2G communication 1 HomePlug Green PHY 2 Preliminaries 3 Intruding a V2G network 4 V2G Injector 5 Conclusion 6

  22. Tools and specifications No free specifications Some monitoring tools like “V2G Viewer pro” exist, but expensive Free and useful stacks to understand V2G: RISE-V2G Open V2G Even HPGP dissectors are publicly missing for Wireshark, Scapy, etc. 17

  23. Our contribution Made SECC, V2GTP and HomePlug GP Scapy layers Developed a V2G data encoder/decoder, based on RISE-V2G shared library Found a new flaw in HPGP SLAC procedure Combined all these tools to make a tool to monitor and inject crafted packets, called “V2G Injector” Without reinventing the wheel! 18

  24. V2G communication 1 HomePlug Green PHY 2 Preliminaries 3 Intruding a V2G network 4 V2G Injector 5 Conclusion 6

  25. Our interface: The Combined Charging System connectors Different types of connectors exist, like IEC 62196 in UE: PP: Proximity pilot for pre-insertion signalling CP: Control Pilot for post-insertion signalling PE: Protective earth etc. HGPG data multiplexed onto the Control Pilot and ground lines 19

  26. Data Propagation over Power-Line As shown at NSC 2014 for HomePlug AV wallplugs: Data over Power-Line is superposed on the power supply Any information can propagate through many installations depending on signal strength If charging station charges shared the electrical network as a resident → a resident can see and contact charging station’s PLC 20

  27. Required hardware PLC with a QCA7k modem Tested with: PLC Stamp Micro 2 Ev. Board (300€) Devolo 1200+ (50€) → to rework if you want to bind it to CP lines dLAN Green PHY ev. board EU II (150€): 21

  28. Cheapest way: the wallplug Devolo 1200+ works like a charm No modification needed if charging stations share the same electrical network Otherwise some rework should be done on the coupler We are actually working on some modular rework with this adaptor 22

  29. How to interface 23

  30. Impersonating a charging station (EVSE) 24

  31. Where can we find those connectors? You can really find everything in Alibaba, even charging stations... 25

  32. HomePlug Green PHY modes Can be set in 3 specific modes: Unconfigured EVSE (charging station): see HGPG specific packets from PEV PEV (car): can see HPGP specific packets from EVSE → interesting one 26

  33. Flaw SLAC procedure When analysing the SLAC procedure → surprise! It was supposed to be a unicast packet, isn’t it? → but it is broadcasted in the Power-Line! 27

  34. Getting keys of AVLNs By decoding the different fields of the CM_SLAC_MATCH.CNF message: Our PLC can be easily set by changing slac/pev.ini profile and used with pev tool 2 2 https://github.com/qca/open-plc-utils 28

  35. Into the logical PLC network (AVLN) Conventional VCCU (car ECU): 1 Gets an IPv6 address 2 Looks for a V2G server → send a multicasted SECC query with required security level (encryption → SecurityProtocol ) 3 Charging station answer giving corresponding host and port → SECC response 4 Car and charging station exchange data in V2G Attacker Can attack exposed services of devices and intercept communications 29

  36. Intercepting communications 2 obvious ways: IPv6 neighbour spoofing attack Racing SECC procedure 30

  37. SECC procedure 31

  38. SECC procedure (2) Clients (ECU) → SECC REQUEST in multicast: ###[ Ethernet ]### [ . . . ] ###[ IPv6 ]### [ . . . ] ###[ UDP ]### sport = 60806 dport = 15118 len = 18 chksum = 0xc9c7 ###[ SECC ]### Version = 1 Inversion = 254 SECCType = SECC_RequestMessage PayloadLen= 2 ###[ SECC_RequestMessage ]### SecurityProtocol= 16 TransportProtocol= 0 32

  39. SECC procedure (3) A fake station can craft an answer with fake host address and port: [ . . . ] ###[ SECC ]### Version = 1 Inversion = 254 SECCType = SECC_ResponseMessage PayloadLen= 20 ###[ SECC_ResponseMessage ]### TargetAddress= fe80 ::201:85 f f : fe13 :4311 TargetPort= 56330 SecurityProtocol= 16 TransportProtocol= 0 More stable than IPv6 neighbour spoofing attack 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Injector Design C.Y. Tan 01 Sep 2011 1 The Injector BNL (2009 line) FNAL Proposed 1 x 35

The Injector Design C.Y. Tan 01 Sep 2011 1 The Injector BNL (2009 line) FNAL Proposed 1 x 35

The Injector Design C.Y. Tan 01 Sep 2011 1 The Injector BNL (2009 line) FNAL Proposed 1 x 35 keV H- source (round 2 x 35 keV H- sources (round type) type) on a slide LEBT (~ 4 m) For redundancy Short LEBT (~118 cm)

579 views • 38 slides
The E RL Injector Project at Cornell University The E RL Injector Project at Cornell University

The E RL Injector Project at Cornell University The E RL Injector Project at Cornell University

The E RL Injector Project at Cornell University The E RL Injector Project at Cornell University Bruce Dunham For the Cornell ERL Team Jefferson Lab Sem inar Decem ber 4 , 2 0 0 7 2 CESR at Cornell B. Dunham Decem ber 4 , 2 0 0 7 Decem

797 views • 57 slides
Injector Linac Kazuro Furukawa, for e /e + Linac Group Present Status Upgrade in the Near

Injector Linac Kazuro Furukawa, for e /e + Linac Group Present Status Upgrade in the Near

SuperKEKB Injector Linac Injector Linac Kazuro Furukawa, for e /e + Linac Group Present Status Upgrade in the Near Future (Crystalline Target and Simultaneous Injection) C-band R&D towards SuperKEKB K.Furukawa, Apr.21.2005, Super

552 views • 19 slides
Status of the IASA Race Track Microtron Facility-the 10 MeV injector linac A. Karabarbounis UoA

Status of the IASA Race Track Microtron Facility-the 10 MeV injector linac A. Karabarbounis UoA

Status of the IASA Race Track Microtron Facility-the 10 MeV injector linac A. Karabarbounis UoA & IASA - Greece Jlab 2-24-03 www.iasa.gr Layout of the talk Presenting IASA The 10 MeV injector linac Accelerator

1.34k views • 86 slides
CW injector design studies at PITZ for European X-FEL Shankar Lal, Guan Shu, Hamed Shaker, Houjun

CW injector design studies at PITZ for European X-FEL Shankar Lal, Guan Shu, Hamed Shaker, Houjun

CW injector design studies at PITZ for European X-FEL Shankar Lal, Guan Shu, Hamed Shaker, Houjun Qian and Frank Stephan Photo Injector Test facility at DESY in Zeuthen (PITZ) Outline FLASH overview European X-FEL overview Photo

684 views • 25 slides
DEVELOPING PROCESSING ELECTRONICS FOR BPM PROTOTYPE AT THE AWA RF PHOTO- INJECTOR

DEVELOPING PROCESSING ELECTRONICS FOR BPM PROTOTYPE AT THE AWA RF PHOTO- INJECTOR

DEVELOPING PROCESSING ELECTRONICS FOR BPM PROTOTYPE AT THE AWA RF PHOTO- INJECTOR drhgfdjhngngfmhgmghmghjmghfmf CHUAN YIN High Energy Physics Division Argonne Wakefield Accelerator facility Mentor: John Power, Jiahang Shao, Chunguang Jing

490 views • 21 slides
Injector and Main Linac Fumio Furuta, Peter Quigley Cornell University ff97@cornell.edu,

Injector and Main Linac Fumio Furuta, Peter Quigley Cornell University ff97@cornell.edu,

Injector and Main Linac Fumio Furuta, Peter Quigley Cornell University ff97@cornell.edu, pgq1@cornell.edu CBETA Review, 27 July 2016 1/30 Outline Introduction Injector status Main Linac status Next steps ff97@cornell.edu,

958 views • 30 slides
TensorFI: A Configurable Fault Injector for TensorFlow Applications Guanpeng (Justin) Li, UBC

TensorFI: A Configurable Fault Injector for TensorFlow Applications Guanpeng (Justin) Li, UBC

TensorFI: A Configurable Fault Injector for TensorFlow Applications Guanpeng (Justin) Li, UBC Karthik Pattabiraman, UBC Nathan DeBardeleben, LANL 1 Motivation Machine learning taking computing by storm Many frameworks developed for ML

665 views • 20 slides
Experimental characterization of a microbubble injector Santiago Arias Technical University of

Experimental characterization of a microbubble injector Santiago Arias Technical University of

Experimental characterization of a microbubble injector Santiago Arias Technical University of Catalonia (UPC) ELGRA Biennial Symposium and General Assembly Microgravity group SENIORS: Jaume Casademunt IEEC-UB Ricard Gonzlez-Cinca

636 views • 14 slides
PIP-II Injector Test Warm Front End: Commissioning Update Lionel Prost In partnership with:

PIP-II Injector Test Warm Front End: Commissioning Update Lionel Prost In partnership with:

FERMILAB-SLIDES-18-100-AD PIP-II Injector Test Warm Front End: Commissioning Update Lionel Prost In partnership with: India/DAE 9 th International Particle Accelerator Italy/INFN Conference UK/STFC France/CEA/Irfu, CNRS/IN2P3 April 29

336 views • 20 slides
PARMELA modeling and beam-based measurements in the JLab Upgrade FEL injector Carlos

PARMELA modeling and beam-based measurements in the JLab Upgrade FEL injector Carlos

PARMELA modeling and beam-based measurements in the JLab Upgrade FEL injector Carlos Hernandez-Garcia and Kevin Beard CASA Beam Physics Seminar May 11 th 2006 Thomas Jefferson National Accelerator Facility FEL Operated by the Southeastern

786 views • 47 slides
High Brightness Injector Development and ERL Planning at Cornell Charlie Sinclair Cornell

High Brightness Injector Development and ERL Planning at Cornell Charlie Sinclair Cornell

High Brightness Injector Development and ERL Planning at Cornell Charlie Sinclair Cornell University Laboratory for Elementary-Particle Physics Background During 2000-2001, Cornell, with much help from JLab, prepared an NSF proposal to

724 views • 44 slides
Upgrade Injector Test Facility: UITF CEBAF related Why Build It? HDIce commissioning

Upgrade Injector Test Facility: UITF CEBAF related Why Build It? HDIce commissioning

Upgrade Injector Test Facility: UITF CEBAF related Why Build It? HDIce commissioning Bubble chamber physics with Bremsstrahlung x-rays: photo-disintegration of oxygen into helium and carbon In support of parity violation experiments,

597 views • 23 slides
LCLS-II Gun/Buncher LLRF for the Early Injector Commissioning G. Huang, A. Benwell, G. Brown, F.

LCLS-II Gun/Buncher LLRF for the Early Injector Commissioning G. Huang, A. Benwell, G. Brown, F.

LCLS-II Gun/Buncher LLRF for the Early Injector Commissioning G. Huang, A. Benwell, G. Brown, F. Wang, M. Dunning, R. Kelly, C. Adolphsen, F. Zhou LLRF 2019, Chicago Outline Introduction System design Bench test and System

957 views • 33 slides
Recent progress on R&D toward Neutral Beam Injector for ITER and JT-60SA Rapporteur; Hiroyuki

Recent progress on R&D toward Neutral Beam Injector for ITER and JT-60SA Rapporteur; Hiroyuki

Recent progress on R&D toward Neutral Beam Injector for ITER and JT-60SA Rapporteur; Hiroyuki TOBARI (Japan Atomic Energy Agency) (FIP/2-5Ra) Development of DC ultra-high voltage insulation technology for ITER NBI H. Tobari et al., (JAEA)

340 views • 18 slides
Epinephrine Auto-Injector for Anaphylaxis School Training This presentation meets training

Epinephrine Auto-Injector for Anaphylaxis School Training This presentation meets training

Epinephrine Auto-Injector for Anaphylaxis School Training This presentation meets training criteria for school staff. Upon completion on the Western Region Public Health Training Center site, you will receive a certificate. This presentation

668 views • 28 slides
REAPer Adaptive Micro-Source Energy-Harvester for Wireless Sensor Nodes SenseApp 2017 Ulf Kulau,

REAPer Adaptive Micro-Source Energy-Harvester for Wireless Sensor Nodes SenseApp 2017 Ulf Kulau,

REAPer Adaptive Micro-Source Energy-Harvester for Wireless Sensor Nodes SenseApp 2017 Ulf Kulau, Daniel Brckelmann, Felix Bsching, Sebastian Schildt and Lars Wolf, 09.10.2017 Technische Universitt Braunschweig, IBR Introduction and

724 views • 35 slides
Identifying and Characterizing Nodes Important to Community Using the Spectrum of the graph

Identifying and Characterizing Nodes Important to Community Using the Spectrum of the graph

Identifying and Characterizing Nodes Important to Community Using the Spectrum of the graph Citation => Published in volume 6 of the journal PLoS ONEs November 2011 edition => Authors: Yang Wang, Zengru Di, Ying Fan all from the

286 views • 25 slides
Mechanically checked proof on Dijkstras shortest path algorithm Qiang Zhang J Moore October

Mechanically checked proof on Dijkstras shortest path algorithm Qiang Zhang J Moore October

Mechanically checked proof on Dijkstras shortest path algorithm Qiang Zhang J Moore October 13, 2004 Oct. 13, 2004 p.1/42 Introduction Dijkstras shortest path algorithm: a classical algorithm to find the shortest path between two

529 views • 42 slides
Effective and Efficient Malware Detection at the End Host Clemens KOLBITSCH, Paolo MILANI

Effective and Efficient Malware Detection at the End Host Clemens KOLBITSCH, Paolo MILANI

Secure Systems Lab Technical University Vienna Effective and Efficient Malware Detection at the End Host Clemens KOLBITSCH, Paolo MILANI COMPARETTI, Engin KIRDA, Christopher KRUEGEL, Xiaoyong ZHOU, XiaoFeng WANG ck@iseclab.org Secure Systems

446 views • 43 slides
Self-stabilization and expansion of a simple dynamic random graph model for Bitcoin-like

Self-stabilization and expansion of a simple dynamic random graph model for Bitcoin-like

Self-stabilization and expansion of a simple dynamic random graph model for Bitcoin-like unstructured P2P networks Francesco Pasquale based on a joint work with L. Becchetti , A. Clementi , E. Natale , and L. Trevisan

658 views • 48 slides
Broadening the Differential: Disclosures Spine and Lower Extremity Injuries in the Young Athlete

Broadening the Differential: Disclosures Spine and Lower Extremity Injuries in the Young Athlete

Broadening the Differential: Disclosures Spine and Lower Extremity Injuries in the Young Athlete - Consultant - Orthopediatrics - Committee Member POSNA Dr. Nirav K. Pandya Assistant Professor of Orthopaedic Surgery Director, Pediatric

513 views • 24 slides
Common Lower Extremity Disclosures Injuries in the Young Athlete - Consultant - Orthopediatrics

Common Lower Extremity Disclosures Injuries in the Young Athlete - Consultant - Orthopediatrics

Common Lower Extremity Disclosures Injuries in the Young Athlete - Consultant - Orthopediatrics - Committee Member POSNA Dr. Nirav K. Pandya Associate Professor of Orthopaedic Surgery Director, Pediatric Sports Medicine UCSF Benioff

417 views • 19 slides
Exploring Delta Morphodynamics Using the CSDMS BMI to Couple Fluvial and Coastal Processes

Exploring Delta Morphodynamics Using the CSDMS BMI to Couple Fluvial and Coastal Processes

Exploring Delta Morphodynamics Using the CSDMS BMI to Couple Fluvial and Coastal Processes Katherine Ratliff US EPA Office of Research and Development Center for Environmental Solutions and Emergency Response ratliff.Katherine@epa.gov Why

499 views • 20 slides

More recommend