
Thijs Alkemade, Khaled Nassar and Daan Keuper - Low Energy to High Energy: Hacking Nearby EV Chargers Over Bluetooth.pdf

Uploaded by: 张** ID: 175540 2024-09-13 96 pages 6.08MB

Low Energy to High Energy: Hacking Nearby EV-Chargers Over Bluetooth
Thijs Alkemade & Khaled Nassar, Computest Sector 7

Introduction
1. Be in Bluetooth/WiFi range
2. ?
3. Execute arbitrary code on the charger

About us
We are:
Khaled Nassar (notkmhn)
Thijs Alkemade (infosec.exchange/xnyhps)
Daan Keuper (daankeuper)
Working for Computest in The Netherlands

Pwn2Own Automotive
First time: January 2024 in Tokyo
In scope: Tesla, infotainment systems, automotive operating systems, EV chargers

EV chargers
Level 2 chargers
Targeted at the home market
All of them come with these features: connectivity (WiFi/Ethernet), scheduling, usage monitoring

EV chargers
Initially, we thought chargers would be well secured:
New product category
Limited communication interfaces
Safety regulations

Smart EV Charging Station with WiFi: JuiceBox 40

JuiceBox 40
BLE (provisioning)
WiFi

JuiceBox 40
Based on the Zentri IoT platform
AMW006 or WGM160P module
Both are ARM Cortex-M4 based MCUs
Gecko OS 4.2.7 (?)
There is an admin interface, with some commands
Accessible in setup mode over HTTP
And accessible during standard operation over port 2000, telnet style!
No authentication

Zentri DMS
Managed IoT platform
Specific hardware modules, providing:
Update management
Device identification and authn, authz
Core OS + SDK bindings for app development
Extensive API

Zentri DMS
JuiceBox runs on an RTOS called "Gecko OS"
Note: this OS is EOL!
Firmware blobs are downloadable!
We could investigate these before the device arrived

JuiceBox 40 (CVE-2024-23938)
Gecko OS logs messages when certain events occur
It is possible to change the format of these messages using a set variable command
Limited to 32 characters per message template, including a terminating NULL byte
Support for different formatting tags per event type

JuiceBox 40 (CVE-2024-23938)
char scratch_buffer132;c

Based on the report's content, this document describes attacking nearby electric vehicle chargers over Bluetooth. Its main points are: 1. The characteristics of EV chargers, including connectivity (WiFi/Ethernet), scheduling and usage monitoring. 2. A detailed analysis of vulnerabilities in two chargers, the JuiceBox 40 and the Autel MaxiCharger, including buffer overflows, authentication backdoors and command injection. 3. The possible impact of these vulnerabilities, including local network access, bypassing safety controls, fraud and large-scale disruption of the power grid. 4. Recommendations for hardware security research, including obtaining firmware, exploring debug functionality and setting up a test environment with remote access. 5. The importance of considering the security of the reconfiguration process at the design stage, and of examining non-network attack surfaces such as Bluetooth. 6. Finally, an interesting SSH backdoor in the ChargePoint Home Flex charger that lets an attacker establish a reverse tunnel.