General

1. Reporting vulnerabilities

To report a security vulnerability, use the contact info provided at

• (EN) https://www.bender.de/en/cert
• (DE) https://www.bender.de/cert

2. Helpful resources

Following are helpful resources:

• (Germany) BSI homepage
• (Germany) BSI: Empfehlung für IT-Hersteller zur Handhabung von Schwachstellen
• (USA) NSA: Cybersecurity Advisories & Guidance

3. Intentionally open ports

Knowing which ports are open and for what purpose and for which protocols can help in several ways:

• It helps to understand the communication between the Charge Controller and other devices
• It can be used to configure firewalls and additional security measures

info

This info applies to firmware version >= 5.x

Purpose	Port(s)	Info
HTTP communication	80, 81, 82, 443, 444, 445	To enable universal access to the web server of an OCPP Master Charge Controller via the OCPP Slave Charge Controller, port 81 is accessible and will forward to port 80 on the Master Charge Controller from a Slave Charge Controller or to port 80 on the Master Charge Controller itself. To enable universal access to the web server of an OCPP Slave Charge Controller via the OCPP Master Charge Controller (for instance, via through GSM), port 82 is accessible and will forward to port 80 on the Slave Charge Controller from a Master Charge Controller or to port 80 on itself on the Slave Charge Controller. Starting with firmware v5.29.x the local web server supports HTTPS. If enabled, the ports 443, 444 and 445 are occupied following the same pattern
SSH communication	22, 23, 24	To enable universal access to the SSH server of an OCPP Master Charge Controller via the OCPP Slave Charge Controller, port 23 is accessible and will forward to port 22 on the Master Charge Controller from a Slave Charge Controller or to port 22 on the Master Charge Controller itself. To enable universal access to the web server of an OCPP Slave Charge Controller via the OCPP Master Charge Controller (for instance, through GSM), port 24 is accessible and will forward to port 22 on the Slave Charge Controller from a Master Charge Controller or to port 22 on the Slave Charge Controller itself
WAN forwarding	53
OCPP-S	8090 (configurable)	The incoming connections on this port can optionally be protected by TLS or by only allowing a configurable whitelist of IP addresses to connect. Without such protection OCPP-S can be deemed non-secured and the network needs to provide the necessary security from malicious outside connections
OCPP and DLM Master	1600, 1601	To allow for OCPP or DLM communication, the Charge Controller opens the TCP ports 1600 and 1601 and accepts TLS encrypted incoming connections from Slave Charge Controllers
Modbus TCP Slave	502 (configurable)	The Charge Controller allows to configure Modbus TCP as a protocol to interact with energy management systems. The port for this purpose is 502 by default. It is configurable. Modbus TCP is generally not TLS encrypted and also not protected via a password. Because of this security needs to be achieved by securing the network itself
SEMP and UPnP broadcasting	8888	The Charge Controller allows the SMA Energy management protocol (SEMP) to be configured for use with SMA energy managers. The SEMP protocol is mainly based on HTTP communication via port 8888. For device detection UpnP is used which is based on UDP broadcasts. Like in modbus there is no security via TLS or password protection and hence the network needs to be secured
EEBUS and MDNS	4711	EEBUS is a communication protocol for energy managers that is supported by the Charge Controller. TCP connections are established by both the Charge Controller and the energy manager. For the latter the Charge Controller listens on Port 4711. Device discovery is done through MDNS broadcasting. EEBUS makes deliberate use of TLS and both client and server certificates, thus making it significantly more secure than Modbus TCP and SEMP for energy management purposes
ISO 15118	15118, 15119, 151120	Some variants of the Charge Controller support communication with the vehicle through ISO 15118. The communication is established by the vehicle while the Charge Controller acts as a limited TCP server. Limited: Only PLC and only IPv6 as specified by ISO 15118. The port 15118 is used by the car for sending and by the Charge Controller for receiving broadcasts for device discovery. Afterwards the Charge Controller communicates through the TCP ports 15119 and 15120 without and with TLS encryption depending on the configuration and available certificates