Soumaya Boussaha, SAP, EURECOM; Victor Fresno Gómez, EURECOM, UPM; Thomas Barber, SAP SE; Daniele Antonioli, EURECOM
The Open Charge Point Protocol (OCPP) is the de facto standard for communication between electric vehicle charging stations (CS) and charging station management systems (CSMS). However, its security and privacy have been only partially explored, mainly due to the lack of an adequate testing framework. To this end, we introduce EmuOCPP, a new OCPP security and privacy testing framework. The framework is based on container emulation to reproduce real-world OCPP networks with high fidelity and low cost. We discuss our implementation of EmuOCPP, using open-source software (IPMininet) and low-cost hardware.
Using EmuOCPP, we uncover five attacks on OCPP 1.6, 2.0, and 2.0.1. These include man-in-the-middle attacks exploiting OCPP security profile upgrades and downgrades, and CS impersonation attacks leveraging undefined behaviors in the CS boot notification process. We successfully evaluate the attacks across nine targets, including open- and closed-source OCPP implementations, a real CS, and a production network operated by a major company. We discuss the attacks' root causes, including new OCPP design and implementation vulnerabilities. We present effective mitigations to address the discovered vulnerabilities and attacks. We responsibly disclosed our findings to the OCPP consortium and will open source EmuOCPP once the disclosure is completed.
author = {Soumaya Boussaha and Victor Fresno G{\'o}mez and Thomas Barber and Daniele Antonioli},
title = {{EmuOCPP}: Effective and Scalable {OCPP} Security and Privacy Testing},
booktitle = {3rd USENIX Symposium on Vehicle Security and Privacy (VehicleSec 25)},
year = {2025},
isbn = {978-1-939133-49-6},
address = {Seattle, WA},
pages = {81--97},
url = {https://www.usenix.org/conference/vehiclesec25/presentation/boussaha},
publisher = {USENIX Association},
month = aug
}