ATTACK SURFACE OF THE UBIQUITI CONNECT EV STATION

Previously, we looked at the attack surface of the ChargePoint Home Flex EV charger, one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another EV charger. The Ubiquiti Connect EV Station is a weatherproof Level 2 electric vehicle charging station designed for organizations. We cover the most obvious areas a threat actor would explore when attempting to compromise the device.


The Ubiquiti Connect EV Station is a Level 2 charging station for electric vehicles. The EV Station is meant to be managed by a Ubiquiti management platform running the UniFi OS Console, such as the Ubiquiti Dream Machine or Cloud Gateway. Users can also use the iOS or Android UniFi Connect mobile apps to configure the EV Station.

Attack Surface Summary

The Ubiquiti EV Station is an Android device. In this respect, it is unique amongst the electric vehicle chargers included as target devices in Pwn2Own Automotive 2024.

Trend Micro researchers observed the UART port of the device during power-up. The Ubiquiti EV Station employs a Qualcomm APQ8053 SoC as the primary CPU. The Android operating system boots and emits boot messages on the UART serial port located inside the device housing. The following areas are confirmed and represent a potential attack surface on the device:

·       Android OS
·       USB
o   Android USB debugging might be possible
·       UniFi Connect mobile applications
·       Network attack surface
o   Wi-Fi, including the Wi-Fi driver
o   Ethernet / local IP networking
§  Realtek Ethernet controller
o   Multicast IP networking
§  UDP port 10001 (UBNT discovery)
·       Bluetooth Low Energy (BLE) 4.2
·       Near Field Communication (NFC)

Ubiquiti EV Station Documentation

Documentation for the Ubiquiti EV Station provides only high-level information about the installation and operation of the device. Additional documentation can be found at:

·       Ubiquiti EV Station product page
·       Ubiquiti EV Station technical specifications
·       Ubiquiti EV Station installation guide
·       UniFi Connect iOS application
·       UniFi Connect Android application

Ubiquiti EV Station Hardware Analysis

Ubiquiti provides high-level technical specifications for the EV Station on their website. Trend Micro researchers have performed an analysis of the discrete hardware devices found in the EV Station. The following list summarizes the components Trend Micro researchers identified as notable components and/or potential attack surface in the Ubiquiti EV Station.

•         Qualcomm APQ8053 SoC
•         Nuvoton M482LGCAE (ARM Cortex-M4 microcontroller)
•         Samsung KMQX60013A-B419 DRAM / NAND (eMCP)
•         Realtek RTL8153-BI Ethernet controller
•         Qualcomm WCN3680B (Wi-Fi)
•         NXP PN71501 (NFC)
•         TI USB 4 Port Hub – TUSB2046BI
•         Qualcomm PMI8952 (PMIC)
•         Qualcomm PM8953 (PMIC)
•         UART DEBUG port
•         USB C port

Figure 1 below is an overview of the main CPU board of the Ubiquiti EV Station. The board has several collections of highly integrated components, each one isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.

In the center of the board sits the Qualcomm APQ8053 alongside the Samsung KMQX60013A-B419, a multi-chip package that combines DRAM and NAND flash. Together these represent the primary application processor for the device along with its RAM and flash storage. They are marked U5 on the PCB silkscreen.

Three connectors reside just beneath this section of the PCB. A connector marked JDB2 and UART DEBUG emits boot messages from the Ubiquiti EV Station upon startup. In the center is a USB-C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.

In the top center of the following image is an unpopulated component marked U20. It is possible this is an unpopulated footprint for a cellular communication module.


Figure 1 – Overview image of the main PCB of the Ubiquiti EV Station

The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquiti EV Station:


Figure 2 – Detail image of the EV Station Qualcomm APQ8053 SoC, Samsung KMQX60013A-B419 DRAM / NAND and UART Debug Port

In the following image, the PCB silkscreen shows a label marked ‘J23.’ Trend Micro researchers endeavored to discover where this header is connected, surmising that the vias in J23 might lead to a debug interface on the board. Upon further inspection, they determined the vias on J23 are connected to the unpopulated footprint marked U20.


Figure 3 – Detail image of the EV Station Realtek RTL8153-BI Ethernet controller

Network Analysis

The device can connect to local networks over both Wi-Fi and Ethernet. Trend Micro researchers connected the EV Station to a test Ethernet network to investigate the network attack surface prior to associating the EV Station to a Ubiquiti UniFi Console.

In an unconfigured state, the EV Station does not listen on any TCP ports. The EV Station sends out regular probes looking for HTTP proxies on TCP port 8080.

Additionally, the Ubiquiti EV Station sends an IGMP membership report to join the multicast group 233.89.188.1 and sends packets to that address on UDP port 10001. On this port the EV Station speaks the protocol commonly referred to as the ‘UBNT Discovery Protocol,’ which advertises the device model, firmware version, and other information. Because the announcement is multicast, any host on the same Layer 2 segment can passively learn the device model and firmware version without sending a packet of its own.

The following hex data shows an Ethernet frame, IP packet, and UDP datagram that encapsulate the UBNT discovery packet. The UBNT discovery data begins at offset 0x2A.

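The discovery traffic described above lends itself to a small parser. The following is an added example written for this page, not code from the original post or from Ubiquiti: it walks the Ethernet, IPv4 and UDP headers to the payload (which lands at offset 0x2A when the IP header carries no options), filters on UDP port 10001 and the multicast group, and decodes the TLV body. The TLV layout and tag names are assumptions taken from public dissectors of the protocol, and the sample frame is constructed rather than captured from the device.

```python
"""Pick the UBNT discovery datagram out of a raw Ethernet frame and decode its
TLVs. Added example, not code from the post. The Ethernet/IPv4/UDP walk is
standard; the TLV layout (version, command, length, then tag/len/value triples)
and the tag names are an assumption taken from public dissectors of the
protocol, since the post only names the port and multicast group. The frame
built below is constructed, not captured from the device."""
import ipaddress
import struct

UBNT_PORT = 10001
UBNT_GROUP = "233.89.188.1"
TAG_NAMES = {0x01: "hwaddr", 0x02: "ipinfo", 0x03: "fwversion", 0x0A: "uptime",
             0x0B: "hostname", 0x0C: "platform", 0x0D: "essid", 0x14: "product"}


def _decode(tag, value):
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    if tag == 0x01 and len(value) == 6:
        return mac(value)
    if tag == 0x02 and len(value) == 10:            # MAC + IPv4 of one interface
        return mac(value[:6]), str(ipaddress.IPv4Address(value[6:]))
    if tag == 0x0A and len(value) == 4:
        return struct.unpack("!I", value)[0]          # uptime in seconds
    if tag in (0x03, 0x0B, 0x0C, 0x0D, 0x14):
        return value.decode("utf-8", "replace")
    return value                                     # unknown tag: keep raw bytes


def parse_ubnt_payload(payload):
    """version(1) cmd(1) bodylen(2) then tag(1) len(2) value(len) triples, big-endian.
    Every embedded length is checked against what is present before slicing."""
    if len(payload) < 4:
        raise ValueError("short UBNT payload")
    version, cmd, body_len = payload[0], payload[1], struct.unpack("!H", payload[2:4])[0]
    body = payload[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("UBNT body length exceeds datagram")
    fields, pos = {"version": version, "cmd": cmd}, 0
    while pos + 3 <= len(body):
        tag, tlen = body[pos], struct.unpack("!H", body[pos + 1:pos + 3])[0]
        value = body[pos + 3:pos + 3 + tlen]
        if len(value) != tlen:
            raise ValueError(f"TLV 0x{tag:02x} overruns body")
        fields[TAG_NAMES.get(tag, f"tag_0x{tag:02x}")] = _decode(tag, value)
        pos += 3 + tlen
    return fields


def parse_frame(frame):
    """Ethernet -> IPv4 -> UDP; returns the decoded datagram if it targets UDP/10001."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IP options push UDP past 0x2A
    if ip[9] != 17:
        raise ValueError("not UDP")
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if dport != UBNT_PORT:
        raise ValueError(f"UDP/{dport} is not the discovery port")
    return {"dst_ip": dst, "to_group": dst == UBNT_GROUP, "src_port": sport,
            "payload_offset": 14 + ihl + 8,
            "tlvs": parse_ubnt_payload(ip[ihl + 8:ihl + ulen])}


def build_sample_frame():
    """Constructed frame: one discovery announcement to 233.89.188.1:10001."""
    mac = bytes.fromhex("001122334455")
    src = ipaddress.IPv4Address("192.168.1.50").packed
    tlvs = b"".join(bytes([t]) + struct.pack("!H", len(v)) + v for t, v in [
        (0x01, mac), (0x02, mac + src), (0x03, b"EVS.1.0.0"),
        (0x0A, struct.pack("!I", 3600)), (0x0B, b"EV Station"), (0x0C, b"EVS")])
    payload = b"\x01\x00" + struct.pack("!H", len(tlvs)) + tlvs
    udp = struct.pack("!HHHH", UBNT_PORT, UBNT_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, 17, 0,
                     src, ipaddress.IPv4Address(UBNT_GROUP).packed) + udp
    group_mac = b"\x01\x00\x5e" + bytes([0x89 & 0x7F, 0xBC, 0x01])   # 01:00:5e:09:bc:01
    return group_mac + mac + b"\x08\x00" + ip


if __name__ == "__main__":
    for k, v in parse_frame(build_sample_frame()).items():
        print(k, v)
```

Run it to print the decoded fields. The length checks are not cosmetic: a discovery announcement is an unauthenticated datagram that anyone on the segment can send, so a parser that trusts the embedded length fields is itself an attack surface, on the device and on whatever tooling listens for it.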

Bluetooth LE Analysis

In the unconfigured state, the Ubiquiti EV Station Bluetooth LE interface acts as a BLE peripheral device. Using a BLE scanning tool, the Trend Micro researchers observed the following Bluetooth LE endpoints on the EV Station.

The device sets its BLE name to QCOM-BTD, which appears to be a default Qualcomm configuration. There is a single BLE service defined. This service exports three characteristics: one is read-only, one is notify-only, and one allows read, write, and notify operations.

Further analysis of the EV Station file system shows native code libraries responsible for the observed behavior. Additional investigation into these libraries may prove fruitful for contestants.


Additional information about the expected BLE functionality can also be gleaned from analysis of the mobile applications. Trend Micro researchers reverse engineered the UniFi Connect Android app and found code meant to communicate with the device over BLE. However, the BLE characteristics present in the Android application do not match those broadcast by the EV Station. It is possible that after the EV Station is fully set up, the BLE stack is reconfigured to match the expected BLE endpoints.

Future potential analysis

To mount a successful attempt against the Ubiquiti EV Station at Pwn2Own Automotive in Tokyo, contestants will need to perform additional analysis of the device to determine potential weaknesses. Trend Micro researchers analyzed the Samsung KMQX60013A-B419 DRAM / NAND device by removing it from the EV Station. This combined DRAM and NAND flash package holds the storage that supports the functionality of the EV Station.

As previously mentioned, the Ubiquiti EV Station runs the Android operating system. The EV Station flash contains numerous partitions. Using standard Linux tools, Trend Micro researchers identified several candidate partitions; some are real partitions and some appear to be false-positive detections by the various tools. Several partitions have been verified and investigated. The following listing shows the output produced on a Linux system by the `parted` command, listing the partitions on the NAND flash device.


Trend Micro researchers used several methods for identifying partition data and mounting the partitions on the NAND flash device. The following command shows one method for mounting the system_a partition. Once the partition is mounted, a typical Android OS system partition is discovered.


Extracting the data from flash storage is the first step to performing the analysis necessary to discover vulnerabilities that might be present in the Ubiquiti EV Station.
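The partition table and mount command from the original post are not reproduced here. As an added example, written for this page rather than taken from the post or from any Ubiquiti tooling, the following Python reads the GPT from a raw dump directly (validating both the header and partition-array CRCs, which is what separates a real table from the false-positive detections mentioned above), carves out a partition by name, and checks the build.prop properties that govern USB debugging once system_a is mounted. It assumes a GPT-partitioned dump with 512-byte sectors; the partition layout and build.prop contents are constructed for the example and are not the device's.

```python
"""Read the GPT of a raw flash dump, carve a named partition, and check the
Android properties that decide whether adb is reachable. Added example, not
the post's own commands. Assumes a GPT with 512-byte sectors; the sample
image layout and build.prop below are constructed, not taken from the device."""
import struct
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIII4sQQQQ16sQIII"   # 92-byte GPT header at LBA 1
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry


def parse_gpt(image, sector=SECTOR):
    """Return [{name, offset, size}] for used entries. Both CRCs are verified,
    so a stray 'EFI PART' string inside a filesystem is not taken for a table."""
    hdr = image[sector:2 * sector]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _bak, _first, _last, _guid,
     entries_lba, n_entries, entry_size, arr_crc) = struct.unpack(HDR_FMT, hdr[:92])
    if sig != GPT_SIG:
        raise ValueError("no GPT signature at LBA 1")
    zeroed = hdr[:16] + b"\0" * 4 + hdr[20:hdr_size]   # CRC field is zero while hashing
    if zlib.crc32(zeroed) != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    arr_off = entries_lba * sector
    arr = image[arr_off:arr_off + n_entries * entry_size]
    if zlib.crc32(arr) != arr_crc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(n_entries):
        e = arr[i * entry_size:i * entry_size + 128]
        type_guid, _uniq, first, last, _attrs, name = struct.unpack(ENTRY_FMT, e)
        if type_guid == b"\0" * 16:
            continue                                   # unused slot
        parts.append({"name": name.decode("utf-16-le").rstrip("\0"),
                      "offset": first * sector, "size": (last - first + 1) * sector})
    return parts


def carve(image, name, sector=SECTOR):
    """Slice one partition out of the dump (what mount -o loop,offset=... sees)."""
    for p in parse_gpt(image, sector):
        if p["name"] == name:
            return image[p["offset"]:p["offset"] + p["size"]]
    raise KeyError(name)


DEBUG_PROPS = ("ro.debuggable", "ro.secure", "ro.adb.secure",
               "persist.sys.usb.config", "ro.build.type")


def debug_posture(build_prop_text):
    """Pull the properties that decide adb reachability from a mounted system
    partition's build.prop; properties that are absent come back as None."""
    props = {}
    for line in build_prop_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return {k: props.get(k) for k in DEBUG_PROPS}


def build_sample_image(layout, total_sectors=8192, sector=SECTOR):
    """Constructed GPT image: layout is [(name, sectors)], packed from LBA 34."""
    entries, lba = bytearray(), 34
    for i, (name, nsec) in enumerate(layout):
        entries += struct.pack(ENTRY_FMT, b"\x01" * 16, (i + 1).to_bytes(16, "little"),
                               lba, lba + nsec - 1, 0, name.encode("utf-16-le"))
        lba += nsec
    entries += b"\0" * (128 * 128 - len(entries))
    hdr = struct.pack(HDR_FMT, GPT_SIG, 0x00010000, 92, 0, b"\0" * 4, 1, total_sectors - 1,
                      34, total_sectors - 34, b"\x02" * 16, 2, 128, 128, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    image = bytearray(total_sectors * sector)
    image[sector:sector + 92] = hdr
    image[2 * sector:2 * sector + len(entries)] = entries
    return bytes(image)


SAMPLE_LAYOUT = [("boot_a", 128), ("system_a", 4096), ("userdata", 2048)]
SAMPLE_BUILD_PROP = """# constructed build.prop, not the device's
ro.build.type=user
ro.secure=1
ro.debuggable=0
ro.adb.secure=1
persist.sys.usb.config=mtp
"""

if __name__ == "__main__":
    img = build_sample_image(SAMPLE_LAYOUT)
    for p in parse_gpt(img):
        print(f"{p['name']:10s} offset={p['offset']:#x} size={p['size']:#x}")
    print(debug_posture(SAMPLE_BUILD_PROP))
```

The offset and size that parse_gpt returns are the values one would hand to mount as ro,loop,offset=...,sizelimit=...; mounting read-only keeps the dump intact and avoids executing anything from untrusted firmware. A ro.debuggable=1 or ro.secure=0 on a userdebug or eng build would turn the USB debugging possibility noted in the attack surface summary into something concrete.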

Summary

While these may not be the only attack surfaces available on the Ubiquiti EV Station, they represent the most likely avenues a threat actor may use to exploit the device. We’ve already heard from several researchers who intend to register in the EV Charger category, so we’re excited to see their findings displayed in Tokyo during the event. Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Original post by Todd Manning: ATTACK SURFACE OF THE UBIQUITI CONNECT EV STATION

Reposted by admin on December 6, 2023, 5:37 PM. When reposting, please credit: ATTACK SURFACE OF THE UBIQUITI CONNECT EV STATION | CTF导航
