Attack Surface of the Ubiquiti Connect EV Station
December 05, 2023 | Todd ManningPreviously, we looked at the attack surface of the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another EV Charger. The Ubiquiti Connect EV Station is a weatherproof Level 2 electric vehicle charging station designed for organizations. We cover the most obvious areas a threat actor would explore when attempting to compromise the device.
The Ubiquiti Connect EV Station is a Level 2 charging station for electric vehicles. The EV Station is meant to be managed by a Ubiquiti management platform running the UniFi OS Console, such as the Ubiquiti Dream Machine or Cloud Gateway. Users can also use the iOS or Android UniFi Connect mobile apps to configure the EV Station.
Attack Surface Summary
The Ubiquiti EV Station is an Android device. In this respect, it is unique amongst the electric vehicle chargers included as target devices in Pwn2Own Automotive 2024.
Trend Micro researchers observed the UART port of the device during power-up. The Ubiquiti EV Station employs a Qualcomm APQ8053 SoC as the primary CPU. The Android operating system boots and emits boot messages on the UART serial port located inside the device housing. The following areas are confirmed and represent a potential attack surface on the device:
· Android OS
· USB
o Android USB debugging might be possible
· Ubiquiti Connect mobile applications
· Network attack surface
o Wi-Fi, including Wi-Fi driver
o Ethernet / Local IP networking
§ Realtek
o Multicast IP networking
§ UDP port 10001
· Bluetooth Low Energy (BLE) 4.2
· Near Field Communication (NFC)
Ubiquiti EV Station Documentation
Documentation for the Ubiquiti EV Station provides only high-level information about the installation and operation of the device. Additional documentation can be found at:
· Ubiquiti EV Station product page
· Ubiquiti EV Station technical specifications
· Ubiquiti EV Station installation guide
· UniFi Connect iOS application
· UniFi Connect Android application
Ubiquiti EV Station Hardware Analysis
Ubiquiti provides high-level technical specifications for the EV Station on their website. Trend Micro researchers have performed an analysis of the discrete hardware devices found in the EV Station. The following list summarizes the components Trend Micro research have identified as notable components and/or potential attack surface in the Ubiquiti EV Station.
• Qualcomm APQ8053 SoC
• Nuvoton M482LGCAE (ARM)
• Samsung KMQX60013A-B419 DRAM / NAND
• Realtek RTL8153-BI Ethernet controller
• Qualcomm WCN3680B (Wi-Fi)
• NXP PN71501 (NFC)
• TI USB 4 Port Hub - TUSB2046BI
• Qualcomm PMI8952 (PMIC)
• Qualcomm PM8953 (PMIC)
• UART DEBUG port
• USB C port
Figure 1 below is an overview of the main CPU board of the Ubiquiti EV Station. The board has several collections of highly integrated components, each one isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.
In the center of the board sits the Qualcomm APQ8053 and Samsung KMQX60013A-B419 combination DRAM and NAND controller. These represent the primary application processor for the device, along with the RAM and flash storage for the device. They are marked U5 on the PCB silkscreen.
Three connectors reside just beneath this section of the PCB. A connector marked JDB2 and UART DEBUG emits boot messages from the Ubiquiti EV Station upon startup. In the center is a USB-C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.
In the top center of the following image is an unpopulated component marked U20. It is possible this is an unpopulated footprint for a cellular communication module.
Figure 1 - Overview image of the main PCB of the Ubiquiti EV Station
The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquiti EV Station:
Figure 2 - Detail image of the EV Station Qualcomm APQ8053 SoC, Samsung KMQX60013A-B419 DRAM / NAND and UART Debug Port
In the following image, the PCB shows a stencil marked ‘J23.’ Trend Micro researchers endeavored to discover where this header is connected. They surmised it might be possible that the vias in J23 might be connected to a debug interface on the board. Upon further inspection, they determined the vias on J23 are connected to the unpopulated device marked U20.
Figure 3 - Detail image of the EV Station Realtek RTL8153-BI Ethernet controller
Network Analysis.
The device can connect to local networks over both Wi-Fi and Ethernet. Trend Micro researchers connected the EV Station to a test Ethernet network to investigate the network attack surface prior to associating the EV Station to a Ubiquiti UniFi Console.
In an unconfigured state, the EV Station does not listen on any TCP ports. The EV Station sends out regular probes looking for HTTP proxies on TCP port 8080.
Additionally, the Ubiquiti EV Station attempts to join an IGMP group using IP address 233.89.188.1. The EV Station sends packets to this address on UDP port 10001. The EV Station communicates on this port using the protocol that has been called the ‘UBNT Discovery Protocol.’ This protocol identifies the device model, firmware, and other information.
The following hex data shows an Ethernet frame, IP packet, and UDP datagram that encapsulate the UBNT discovery packet. The UBNT discovery data begins at offset 0x2A.
Bluetooth LE Analysis
In the unconfigured state, the Ubiquiti EV Station Bluetooth LE interface acts as a BLE peripheral device. Using a BLE scanning tool, the Trend Micro researchers observed the following Bluetooth LE endpoints on the EV Station.
The device set its BLE name to QCOM-BTD, which appears to be a default Qualcomm configuration. There is a single BLE service defined. This service exports three characteristics: one characteristic is read-only, one is notify-only, and one allows read, write, and notify operations.
Further analysis of the EV Station file system shows native code libraries responsible for the observed behavior. Additional investigation into these libraries may prove fruitful for contestants.
Additional information about expected BLE functionality can also be understood via analysis of the mobile applications. Trend Micro researchers performed reverse engineering of the UniFi Connect Android app and found code meant to communicate with the device over BLE. However, the discovered BLE characteristics present in the Android application do not match those broadcast by the EV Station. It is possible that after fully setting up the EV Station, the BLE stack may be reconfigured to match the expected BLE endpoints.
Future potential analysis
To mount a successful attempt against the Ubiquiti EV Station at Pwn2Own Automotive in Tokyo, contestants will need to perform additional analysis of the device to determine potential weaknesses. Trend Micro research has analyzed the Samsung KMQX60013A-B419 DRAM / NAND device by extracting it from the EV Station. This combination DRAM and NAND flash device contains the storage that supports the functionality of the EV Station.
As previously mentioned, the Ubiquiti EV Station runs the Android operating system. The EV Station flash contains numerous partitions. Using standard Linux tools, Trend Micro researchers identified several potential partitions. Some of these are real partitions and some appear to be false-positive detections by various tools. Several partitions have been verified and investigated. The following list shows the output produced on a Linux system using the `parted` command listing the partitions on the NAND flash device.
Trend Micro researchers used several methods for identifying partition data and mounting the partitions on the NAND flash device. The following command shows one method for mounting the system_a partition. Once the partition is mounted, a typical Android OS system partition is discovered.
Extracting the data from flash storage is the first step to performing the analysis necessary to discover vulnerabilities that might be present in the Ubiquiti EV Station.
Summary
While these may not be the only attack surfaces available on the Ubiquiti EV Station, they represent the most likely avenues a threat actor may use to exploit the device. We’ve already heard from several researchers who intend to register in the EV Charger category, so we’re excited to see their findings displayed in Tokyo during the event. Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.