Zero Day Initiative | Blog
Follow
Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger
The Tesla Wall Connector is a Level 2 electric vehicle charge station designed for residential use, featuring a minimal user interface and Wi-Fi connectivity for configuration and NFC reader for user authentication. The device uses an ST STM32L431RCT6 ARM MCU with 256KB of Flash memory and an AzureWave AW-CU300 WLAN module for communication. The firmware is partitioned into two parts: the bootloader and the application, with the latter starting at offset 0x5000. The MCU does not handle internet-facing communications, which are handled by the communications module. The device provides its own Wi-Fi access point for configuration and management, and it can be configured to connect to an internet-facing Wi-Fi network. A network scan revealed TCP ports 80 and 34578, and UDP ports 67 and 5353 open on the device. The device communicates with servers hermes-prd.sn.tesla.services, wc-maestro-prd.sn.tesla.services, and s3-us-west-2.amazonaws.com, using TLS for the first two and plain HTTP for the third. The software update bundle was found to be encrypted, and the encryption algorithm or key was not identified. The device's attack surfaces include the Wi-Fi interface, the NFC reader, and the network traffic.