-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.html
255 lines (247 loc) · 18.2 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
<!doctype html>
<html>
<head>
<title>Brokenwire Attack</title>
<meta charset="UTF-8">
<link rel="icon" type="image/png" href="images/logo.svg">
<meta name="viewport" content="width=device-width,initial-scale=1">
<link rel="stylesheet" href="https://unpkg.com/purecss@2.0.6/build/pure-min.css" integrity="sha384-Uu6IeWbM+gzNVXJcM9XV3SohHtmWE+3VGi496jvgX1jyvDTXfdK+rfZc8C1Aehk5" crossorigin="anonymous">
<link rel="stylesheet" href="https://unpkg.com/purecss@2.0.6/build/grids-responsive-min.css" />
<link rel="stylesheet" type="text/css" href="brokenwire.css">
<link rel="stylesheet" type="text/css" crossorigin="anonymous" href="https://fonts.googleapis.com/css?family=Montserrat:100,300,400,500,600">
</head>
<body>
<div class="main">
<div class="header">
<img class="logo" src="images/logo.svg"></img>
<h1><span class="emphasized">Broken</span><span class="coloured">wire</span></h1>
<h2>Vulnerability in the Combined Charging System for Electric Vehicles</h2>
</div>
<div class="content">
<p>
<span class="emphasized">Brokenwire</span> is a novel attack against the <span class="emphasized">Combined Charging System (CCS)</span>, one of the most widely used DC rapid charging technologies for electric vehicles (EVs).
The attack interrupts necessary control communication between the vehicle and charger, <span class="emphasized">causing charging sessions to abort</span>.
The attack can be conducted <span class="emphasized">wirelessly from a distance</span> using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously.
In addition, the attack can be mounted with off-the-shelf radio hardware and minimal technical knowledge.
With a power budget of 1 W, the attack is successful from around <span class="emphasized">47 m</span> distance.
The <span class="emphasized">exploited CSMA/CA behavior</span> is a required part of the HomePlug GreenPHY, DIN 70121 & ISO 15118 standards and all known implementations exhibit it.
</p>
<p>
Brokenwire has immediate implications for many of the <span class="emphasized">12 million</span> battery EVs estimated to be on the roads worldwide — and profound effects on the new wave of electrification for vehicle fleets, both for private enterprise and for crucial public services.
In addition to electric cars, Brokenwire affects <span class="emphasized">electric ships, airplanes and heavy duty vehicles</span>.
As such, we conducted a disclosure to industry and discuss in our paper a range of mitigation techniques that could be deployed to limit the impact.
</p>
<div class="action-grid">
<div class="pure-g">
<div class="l-box pure-u-1" onclick="window.open('https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s251_paper.pdf', '_blank');">
<div class="icon_text_container">
<img id="list-icon" src="images/pdf_border.png">
<p class="action-item-text">Download</p>
</div>
<p>You can download the full paper from the NDSS website.</p>
</div>
<div class="divider"></div>
<div class="l-box pure-u-1" onclick="window.open('brokenwire.bib', '_blank');">
<div class="icon_text_container">
<img id="list-icon" src="images/cite_border.png">
<p class="action-item-text">Cite us</p>
</div>
<p>You want to cite our work? Great! Here you can find the bib-file.</p>
</div>
<div class="divider_horizontal"></div>
<div class="l-box pure-u-1" onclick="window.open('https://github.com/ssloxford/brokenwire', '_blank');">
<div class="icon_text_container">
<img id="list-icon" src="images/github_border.png">
<p class="action-item-text">Get the code</p>
</div>
<p>Our attack and evaluation source code are available on GitHub.</p>
</div>
<div class="divider"></div>
<div class="l-box pure-u-1" onclick="location.href='mailto:info@brokenwire.fail'">
<div class="icon_text_container">
<img id="list-icon" src="images/contact_us_border.png">
<p class="action-item-text">Get in touch</p>
</div>
<p>If you have any questions, feel free to reach out to us.</p>
<a href="files/info@brokenwire.fail-pubkey.asc" onclick="event.stopImmediatePropagation();" class="coloured_link">PGP Key</a> <!--onclick to prevent the email link triggering as well-->
</div>
</div>
</div>
<h3>Background</h3>
<p>
The charging technology standardized as the Combined Charging System (CCS) — the name presented to a vehicle user — is in fact a collection of multiple technical standards.
During the charging session, the Electric Vehicle (EV) and the Electric Vehicle Supply Equipment (EVSE) exchange important messages, such as the State of Charge (SoC) and the maximum possible current.
The high-bandwidth IP link used for the communication is provided by the HomePlug GreenPHY (HPGP) power-line communication (PLC) technology.
Depending on the geographical region, CCS uses different plug types which are illustrated in Figure 1.
Nevertheless, the underlying technology is the same.
</p>
<div class="pure-g">
<div class="subfigure-1-2 pure-u-1-2">
<img class="figure-1-a" src="images/ccs_combo1.jpg">
<p class="subfigure-caption">(a) CCS Combo 1 (US).</p>
</div>
<div class="subfigure-1-2 pure-u-1-2">
<img class="figure-1-b" src="images/ccs_combo2.jpg">
<p class="subfigure-caption">(b) CCS Combo 2 (EU).</p>
</div>
<div class="figure-1-2 pure-u-1">
<a class="figure-caption">Figure 1: The two different plug layouts used by CCS in North America (Combo 1) and Europe (Combo 2) respectively.</a>
</div>
</div>
<h3>Attack Details</h3>
<p>
<p>
The Brokenwire attack exploits the Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA) mechanism that is required to be present in any standard-compliant implementation. The CSMA-CA behaviour is repeatedly triggered such that neither vehicle (EV) nor charger (EVSE) ever have an opportunity to transmit.
While this action alone could prevent communication indefinitely, it only needs to be applied for a few seconds in order to trigger a timeout in the higher layers of the communication protocol (e.g. ISO 15118).
At this point, the entire charging process is aborted and the attacker can stop broadcasting, making it only necessary to have temporary physical proximity to the victim.
</p>
<h4>Exploiting CSMA/CA</h4>
<p>
The public HomePlug GreenPHY standard defines Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA) as a channel access method.
If a node wishes to transmit a message, it will check for other nodes already transmitting.
In case an ongoing transmission is detected, the node will wait for a short, random period of time before attempting to transmit again.
This process is repeated indefinitely, until the transmission medium is idle, and the message can be transmitted.
<br>
The Brokenwire attack exploits this channel access mechanism to force the PLC modems at both nodes to endlessly back off and stop communicating.
The attacker continuously transmits a recognizable signal, in this case a preamble, convincing any listening nodes that the channel is busy.
The transmission is repeated indefinitely, such that both modems continue to wait and cannot transfer any data.
</p>
<h4>Generating an Attack Signal</h4>
<p>
In HPGP, the preamble is used to mark the beginning of a frame, to synchronize the receiver's clock with the transmitter and to permit channel state estimation.
All frames begin with a standard HPGP preamble, which is sufficient to trigger the CSMA/CA mechanism in nodes that receive it.
As such, Brokenwire uses a preamble waveform as an attack signal.
The preamble is defined in the standard as a concatenation of repeated preamble symbols, each generated as follows:
<div class="pure-g">
<img style="margin-left: auto; margin-right: auto; width: 20em" src="images/preamble_generation.jpg">
</div>
where t is the preamble sample time step (for 0 ≤ t ≤ 384-1), C is the set of unmasked subcarriers, c is the subcarrier index and ψ is a function mapping subcarriers to specific phase offsets defined in the standard.
</p>
<h4>Injecting the Attack Signal</h4>
<p>
As shown by Baker et al., the charging cable acts as an unintentional antenna that leads to electromagnetic emanation.
At the same time, this phenomenon makes the charging cable susceptible to electromagnetic interference.
Since the cable is unshielded, electromagnetic waves can easily couple onto the wires within it.
While the PLC uses differential signaling over two wires, any asymmetries in the two pathways lead to some signal still being retained.
By transmitting the attack signal over-the-air, an attacker can therefore cause sufficient coupling on the charging cable of a victim EVSE for it to correctly detect the injected preambles.
</p>
</p>
<h3>Attack Evaluation</h3>
<h4>Method</h4>
<p>
We evaluated the attack in a lab environment under controlled settings for different distances between the charging cable and the attacker.
Our testbed was composed of the same HPGP modems found in most EVs and charging stations.
On the attacker side, we used a software-defined radio (LimeSDR) together with a 1 W RF amplifier and a self-made dipole antenna.
In addition, we tested the attack in a real-world study on eight vehicles from different manufacturers and 20 DC high-power chargers.
</p>
<h4>Results</h4>
<p>
Figure 2 illustrates the results of our lab experiments.
Our results indicate that off-the-shelf equipment is sufficient to execute the attack from up to 10 m away.
With additional amplification and a total power budget of 1 W, we demonstrated the attack in real-world settings from around 47 m away.
</p>
<div class="pure-g">
<div class="subfigure-1-2 pure-u-1-2">
<img class="figure-1-1" src="images/power_vs_distance_dBm.jpg">
<p class="subfigure-caption">(a) Results in dBm.</p>
</div>
<div class="subfigure-1-2 pure-u-1-2">
<img class="figure-1-1" src="images/power_vs_distance_mW.jpg">
<p class="subfigure-caption">(b) Results in mW.</p>
</div>
<div class="figure-1-2 pure-u-1">
<a class="figure-caption">Figure 2: Results of the distance experiments in lab conditions. Minimum power required to cause a packet loss of 100%.</a>
</div>
</div>
<h3>Attack Demonstration</h3>
<div class="pure-g">
<div class="figure-1-2 pure-u-1">
<video width="100%" controls>
<source src="images/charger_1_cropped.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>
<a class="figure-caption">Video 1: Demonstration of the attack on a CCS HPC charger. The vehicle is charging without any issues, but stops as soon as the malicious signal is emitted.</a>
</div>
<div class="spacer"></div>
<div class="subfigure-1-2 pure-u-1-2">
<img class="figure-1-1" src="images/charger_1.jpg">
<p class="subfigure-caption">(a) Charger 1.</p>
</div>
<div class="subfigure-1-2 pure-u-1-2">
<img class="figure-1-1" src="images/charger_2.jpg">
<p class="subfigure-caption">(b) Charger 2.</p>
</div>
<div class="figure-1-2 pure-u-1">
<a class="figure-caption">Figure 3: Error messages shown by the different charging stations we tested. The charging was working without issues, but as soon as the malicious signal was transmitted, the charging stopped.</a>
</div>
<div class="figure-1-2 pure-u-1">
<video width="100%" controls>
<source src="images/drive_by.mp4" type="video/mp4">
Your browser does not support the video tag.
</video>
<a class="figure-caption">Video 2: Demonstration of the drive-by attack.</a>
</div>
</div>
<h3>Questions & Answers</h3>
<div class="qa-grid pure-g">
<div class="pure-u-1">
<p class="qa-header">Why would anyone want to disrupt the charging session?</p>
<p class="qa-text">While it may only be an inconvenience for individuals, interrupting the charging process of critical vehicles, such as electric ambulances, can have life-threatening consequences.</p>
</div>
<div class="pure-u-1">
<p class="qa-header">Is my car affected?</p>
<p class="qa-text">Potentially! If your car has a charging port that looks like the one depicted in Figure 1, it is highly likely that the attack also works on your car.</p>
</div>
<div class="pure-u-1">
<p class="qa-header">I have a charger at home, can someone stop my car from charging?</p>
<p class="qa-text">Probably not. Most likely your home charger uses AC charging and a different communication standard (IEC 61851), so won't be affected. This might change in the future though, with home chargers getting ISO 15118 support.</p>
</div>
<div class="pure-u-1">
<p class="qa-header">Can Brokenwire also break my car?</p>
<p class="qa-text">We've never seen any evidence of long-term damage caused by the Brokenwire attack. Based on our development work, we also have good reason to expect there isn't any.</p>
</div>
<div class="pure-u-1">
<p class="qa-header">What can I do to prevent someone from interrupting my charging session?</p>
<p class="qa-text">Right now, the only way to prevent the attack is not to charge on a DC rapid charger.</p>
</div>
<div class="pure-u-1">
<p class="qa-header">Wouldn't it be easier to just press the emergency cutout switch or damage the cable?</p>
<p class="qa-text">It depends on the situation. Brokenwire does not require physical access and can disrupt the charging of multiple cars at once from several meters away, making it a stealthy and scalable attack.</p>
</div>
</div>
<h3>Contributors</h3>
<div class="pure-g">
<div class="contributor_item" onclick="window.open('https://cs.ox.ac.uk/people/sebastian.kohler', '_blank');">
<p class="contributer_name">Sebastian Köhler<sup>†</sup></p>
<p class="contributer_university">University of Oxford</p>
</div>
<div class="contributor_item" onclick="window.open('https://cs.ox.ac.uk/people/richard.baker', '_blank');">
<p class="contributer_name">Richard Baker<sup>†</sup></p>
<p class="contributer_university">University of Oxford</p>
</div>
<div class="contributor_item" onclick="window.open('https://cs.ox.ac.uk/people/martin.strohmeier', '_blank');">
<p class="contributer_name">Martin Strohmeier</p>
<p class="contributer_university">armasuisse S+T</p>
</div>
<div class="contributor_item" onclick="window.open('https://cs.ox.ac.uk/people/ivan.martinovic', '_blank');">
<p class="contributer_name">Ivan Martinovic</p>
<p class="contributer_university">University of Oxford</p>
</div>
</div>
<p class="contributions_footnote"><sup>†</sup>Both authors contributed equally to this research.</p>
<h5>Ethical Considerations</h5>
<p class="acknowledgements">
Given the nature of the infrastructure under investigation, we collaborated with several government entities for our evaluation.
We further took precautions to limit any risk of unintentional effects from our testing.
We selected only test sites for which no other charging parks were within a reasonable range.
We only executed the attack when no other vehicles were charging and could immediately abort the experiments if the conditions became uncontrolled.
Outside our closed laboratory sites, we were limited to a maximum output power of 1 W to ensure our attack signal was compliant with all national transmission regulations.
</p>
<h5>Acknowledgements</h5>
<p class="acknowledgements">We are grateful for the support from armasuisse S+T and EWZ (Elektrizitätswerk der Stadt Zürich).</p>
</div>
<div class="footer">
<a class="footer-text">© 2024 Systems Security Lab. All rights reserved.</a>
</div>
</div>
</body>