Tesla Wall Connector Hacked Through Charging Port in Just 18 Minutes
Security researchers from Synacktiv successfully hacked the Tesla Wall Connector through its charging port in just 18 minutes, exposing critical vulnerabilities in the device’s firmware and communication protocols.
The Tesla Wall Connector and Its Architecture
The Tesla Wall Connector is an AC electric vehicle charger designed for residential, public, and semi-public installations.
Supporting both single-phase and three-phase power, it delivers up to 22 kW depending on the configuration.
The device connects to the owner’s Wi-Fi network for telemetry and remote control via the Tesla mobile application.
At its core, the Wall Connector Gen 3 consists of two main components: a connectivity card (AW-CU300) powered by a Marvell 88MW300 SoC (ARM Cortex-M4) for Wi-Fi and application logic, and an STM32 microcontroller for managing sensors, power metering, and relay control.
Communication between these chips occurs over UART, using Protocol Buffers (Protobuf) for serialization.
Key Technical Elements in EV Charging
The charging process relies on two critical signals: the Proximity Pilot (PP) and the Control Pilot (CP), both referenced to protective earth (ground).

The PP detects vehicle connection and indicates the cable’s current-carrying capacity using a voltage divider circuit.
The CP manages the charging process via a 1 kHz Pulse Width Modulation (PWM) signal, which communicates the charger’s maximum current and coordinates charging states.

For advanced Vehicle-to-Grid (V2G) features, the CP line can carry Power Line Communication (PLC) to exchange IP packets between the vehicle and the charger, but the Tesla Wall Connector uses a proprietary protocol instead of standardized PLC.
Discovery of the Vulnerability
While analyzing Tesla’s update mechanisms, Synacktiv discovered that the Wall Connector could be updated through the charging cable—an undocumented feature.
This led to an investigation into the communication protocol between Tesla vehicles and the Wall Connector.
By attaching an oscilloscope to the PP and CP lines, the team identified that, after initial signaling, the CP line switched to a non-standard protocol: Single-Wire CAN (SWCAN), a variant of the Controller Area Network protocol.
Reverse Engineering and Exploitation
To exploit this, the researchers obtained Wall Connector firmware from Tesla’s website, the Tesla mobile app, and vehicle firmware updates.
The firmware uses a custom binary format, with the main application code running on the AW-CU300, which also manages updates to the STM32 microcontroller.

Notably, the AW-CU300 implements a UDS (Unified Diagnostic Services) stack over CAN, supporting standard firmware upgrade commands such as Request Download (0x34), Transfer Data (0x36), and Request Transfer Exit (0x37) via ISO-TP.
The attack involved downgrading the Wall Connector’s firmware to an older version (0.8.58) that exposed debug features, including a TCP debug shell accessible over Wi-Fi and setup credentials that could be retrieved via UDS commands.
The researchers built a custom hardware simulator using a Raspberry Pi and a modified USB-CAN adapter with an NCV7356 SWCAN transceiver to emulate the car’s behavior and trigger SWCAN communication with the charger.

Once the device was running the old firmware, the team extracted the Wi-Fi SSID and PSK using UDS commands, connected to the setup Wi-Fi AP, and accessed the debug shell.

To achieve code execution, they exploited a global buffer overflow in the shell’s command parsing logic. By overflowing the argument buffer, they overwrote entries in the command handler table, redirecting execution to attacker-controlled memory.
The lack of memory protection (all regions marked as RWX) made arbitrary code execution straightforward.
This hack not only demonstrates the risks of undocumented update mechanisms and weak firmware downgrade protections but also highlights the importance of robust security in EV infrastructure.
The researchers’ ability to gain full control over the Wall Connector through the charging port—without physical tampering—underscores the need for manufacturers to address vulnerabilities in both hardware and software layers.
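The downgrade to 0.8.58 described above is the step an anti-rollback check is meant to stop. The following C sketch is an added example, not Tesla's or Synacktiv's code: it gates a Request Download (0x34) on a minimum allowed version. The function names, the three-part version layout and the floor value 1.2.0 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* UDS negative response codes (ISO 14229); 0 means "accept" in this sketch. */
#define NRC_REQUEST_OUT_OF_RANGE         0x31
#define NRC_UPLOAD_DOWNLOAD_NOT_ACCEPTED 0x70

typedef struct { uint16_t major, minor, patch; } fw_version;

/* Read one decimal component (1-5 digits, <= 65535); advances *p. */
static int parse_component(const char **p, uint16_t *out)
{
    uint32_t v = 0;
    int digits = 0;
    while (**p >= '0' && **p <= '9') {
        v = v * 10 + (uint32_t)(**p - '0');
        if (v > 0xFFFF || ++digits > 5) return -1;
        (*p)++;
    }
    if (digits == 0) return -1;
    *out = (uint16_t)v;
    return 0;
}

/* Strictly parse "major.minor.patch"; rejects signs, spaces, trailing bytes. */
int parse_version(const char *s, fw_version *v)
{
    if (!s || parse_component(&s, &v->major) || *s++ != '.') return -1;
    if (parse_component(&s, &v->minor) || *s++ != '.') return -1;
    if (parse_component(&s, &v->patch) || *s != '\0') return -1;
    return 0;
}

static uint64_t rank(const fw_version *v)
{
    return ((uint64_t)v->major << 32) | ((uint64_t)v->minor << 16) | v->patch;
}

/* Gate for Request Download (0x34): refuse any image older than the floor.
 * Assumptions: `candidate` is read from image metadata covered by the firmware
 * signature, and the floor lives in storage the update path can only raise. */
int check_download(const char *candidate, const fw_version *floor)
{
    fw_version c;
    if (parse_version(candidate, &c) != 0) return NRC_REQUEST_OUT_OF_RANGE;
    if (rank(&c) < rank(floor)) return NRC_UPLOAD_DOWNLOAD_NOT_ACCEPTED;
    return 0;
}

int main(void)
{
    const fw_version floor = { 1, 2, 0 };  /* constructed floor value */
    printf("0.8.58 -> 0x%02X\n", check_download("0.8.58", &floor));
    printf("1.2.0  -> 0x%02X\n", check_download("1.2.0", &floor));
    return 0;
}
```

The check only holds if the floor is raised after each successful install and cannot be rewritten by the same interface that delivers the image.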