A critical vulnerability in the SteVe (v3.7.1) Open Charge Point Central System allows unauthenticated remote attackers to establish a WebSocket connection and issue arbitrary OCPP (Open Charge Point Protocol) requests. This flaw permits attackers to execute commands without authentication, leading to unauthorized access and manipulation of EV charging operations.
- GitHub Issue #1546 (steve-community/steve#1546)
- Vulnerable code: OcppWebSocketHandshakeHandler.java (https://github.com/steve-community/steve/blob/master/src/main/java/de/rwth/idsg/steve/ocpp/ws/OcppWebSocketHandshakeHandler.java)
- Product: SteVe
- Vendor: steve-community
- Version: 3.7.1
- Component: OcppWebSocketHandshakeHandler.java
- Type: Incorrect Access Control (CWE-284)
- Attack Type: Remote
- Authentication Required: No
- Privilege Escalation: Yes
An attacker can interact with the WebSocket endpoint without authentication by knowing or guessing a valid Connector ID.
1. Identify Connector ID
The attacker determines a valid CONNECTOR_ID through guessing, leakage, or reconnaissance.
2. Establish WebSocket Connection
wss://<STEVE_HOST>:<PORT>/steve/websocket/CentralSystemService/{CONNECTOR_ID}
3. Send Arbitrary OCPP Command
Example payload to initiate a transaction (an OCPP-J CALL frame: message type 2, unique id, action, payload):
[2,"1","StartTransaction",{"connectorId":1234225,"idTag":"test","meterStart":20,"timestamp":"2023-09-03T12:34:56Z"}]
4. Effect
The request is accepted and reflected in the SteVe dashboard as if it were legitimate, bypassing the expected OCPP security flow.
- Unauthorized remote control over charging stations
- Lack of authentication allows for impersonation and abuse
- Operational disruption and data integrity risks
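As an added illustration of the missing control (this is not SteVe's code), the following Spring HandshakeInterceptor refuses the WebSocket upgrade unless the request carries HTTP Basic credentials whose username equals the identity in the URL path and whose password matches the AuthorizationKey provisioned for it, which is how OCPP 1.6 security profile 1 authenticates a charge point. The path prefix is taken from step 2 above; ChargePointKeyStore and the "chargePointId" session attribute are hypothetical names chosen for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.server.HandshakeInterceptor;

/** Hypothetical lookup of the AuthorizationKey provisioned for a charge point identity. */
interface ChargePointKeyStore { Optional<byte[]> keyFor(String identity); }

/** Refuses the upgrade unless Basic credentials match the identity in the URL path. */
public class OcppBasicAuthHandshakeInterceptor implements HandshakeInterceptor {
    // Prefix from the advisory's step 2; the trailing path segment is the identity.
    static final String PATH_PREFIX = "/steve/websocket/CentralSystemService/";
    private final ChargePointKeyStore keys;

    public OcppBasicAuthHandshakeInterceptor(ChargePointKeyStore keys) { this.keys = keys; }

    @Override
    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
                                   WebSocketHandler wsHandler, Map<String, Object> attributes) {
        String path = request.getURI().getPath();
        String header = request.getHeaders().getFirst("Authorization");
        if (path == null || !path.startsWith(PATH_PREFIX) || header == null || !header.startsWith("Basic ")) {
            return reject(response); // no credentials at all: the unauthenticated case in this advisory
        }
        String pathId = path.substring(PATH_PREFIX.length());
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { return reject(response); } // malformed base64
        int colon = decoded.indexOf(':');
        if (colon < 0) return reject(response);
        String user = decoded.substring(0, colon);
        byte[] presented = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        Optional<byte[]> expected = keys.keyFor(pathId);
        // Username must equal the path identity, a key must be provisioned, and the key compare is constant-time.
        if (!user.equals(pathId) || !expected.isPresent()
                || !MessageDigest.isEqual(expected.get(), presented)) {
            return reject(response);
        }
        attributes.put("chargePointId", pathId); // authenticated identity, available to the session handler
        return true;
    }

    private static boolean reject(ServerHttpResponse r) { r.setStatusCode(HttpStatus.UNAUTHORIZED); return false; }

    @Override public void afterHandshake(ServerHttpRequest q, ServerHttpResponse s, WebSocketHandler h, Exception e) { }
}
```

Registering the interceptor on the endpoint makes a connection attempt that knows only the path identifier fail at the HTTP upgrade, before any OCPP frame such as the StartTransaction example can be processed.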