v5.33
operator
manufacturer
Last updated on
General
1. Reporting vulnerabilities
To report a security vulnerability, use the contact info provided at:
2. Helpful resources
- (Germany) BSI homepage
- (Germany) BSI: Empfehlung für IT-Hersteller zur Handhabung von Schwachstellen
- (USA) NSA: Cybersecurity Advisories & Guidance
3. Password management
One of the RFID cards supplied can be specified as the master card when changing the password under System > Password.
This card can be used to reset the charging station to factory settings if access is no longer possible.
Label and store this card securely to prevent unauthorized use.
4. Security-related settings to check
These are important settings and features you should review on every Charge Controller before going live. They help protect the device, your network, and your users.
Category⬍ | Setting⬍ | Recommended or Default⬍ | Why it matters⬍ |
|---|---|---|---|
| # Network | WAN Router | Off | Routing to a mobile network may expose private traffic. |
SMTP connection security | Use TLS or STARTTLS | Unencrypted email can expose credentials. | |
| # Backend | OCPP Backend URL | Should start with wss:// | Plain WebSocket ( ws://) is insecure and may leak data. |
OCPP cipher strictness | Only secure ciphers (TLS1.2+) | Prevents use of outdated encryption algorithms. | |
Basic Auth password | Avoid unless over wss:// | Never use basic auth over an unencrypted connection. | |
SSL strictness (as client) | Full validation | Helps prevent impersonation of the backend. | |
| # Authorization | Free Charging | Off | Anyone could start charging without control. |
Secure RFID enforcement | On | Regular RFID cards can be copied. Secure types are better. | |
Autocharge | Off | MAC-based charging can be spoofed. | |
ISO 15118 cipher strictness | Standard | Ensures only safe TLS ciphers are used. | |
| # Load Management | Modbus TCP Server | Off | Modbus is not encrypted — use only in protected networks. |
SEMP interface | Off | Also insecure — avoid unless absolutely needed. | |
DLM Master/Slave (hierarchical) | Off | Should be used only in trusted network environments. | |
| # | ASKI over OCPP-S | Off | OCPP-S is outdated and insecure. |
| # System | Log level | INFO or WARN | Logging too much (e.g. DEBUG) might leak sensitive info. |
HTTPS for web interface | On | Using HTTP might expose passwords and settings. | |
Certificate setup | Proper CA installed | Devices need trusted certificates to avoid impersonation risks. | |
USB script execution | Off | Arbitrary scripts could damage or hijack the device. | |
| # Config UI | Web Interface | 2.0 only | Web UI 1.0 uses weak authentication and is being phased out. |
| # Manufacturer | OCPP meter IP | Should not use Modbus TCP | Modbus is easy to spoof; use authenticated meter protocols. |
SSH access | Off by default | Reduces risk of attacks via default manufacturer credentials. | |
Tamper detection sensor | On | Helps detect physical manipulation attempts. | |
Signed software updates | On | Prevents untrusted software from being installed. | |
Manufacturer password | Unique per device | Shared or guessable passwords are a huge security risk. | |
Password change enforcement | On | Prompts users to replace insecure default credentials. | |
Strong password enforcement | On | Prevents easy-to-guess passwords (e.g. "1234" or "admin"). | |
Enable diagnostic reports | Off | Only enable if needed — may contain private data. |
5. Intentionally open ports
Knowing which ports are open and for what purpose and for which protocols can help in several ways:
- It helps to understand the communication between the Charge Controller and other devices
- It can be used to configure firewalls and additional security measures
info
This info applies to firmware version >= 5.x
Purpose | Ports | Info |
|---|---|---|
| # HTTP communication | 80, 81, 82, 443, 444, 445 | To enable universal access to the web server of an OCPP Master Charge Controller via the OCPP Slave Charge Controller, port 81 is accessible and will forward to port 80 on the Master Charge Controller from a Slave Charge Controller or to port 80 on the Master Charge Controller itself. To enable universal access to the web server of an OCPP Slave Charge Controller via the OCPP Master Charge Controller (for instance, via through GSM), port 82 is accessible and will forward to port 80 on the Slave Charge Controller from a Master Charge Controller or to port 80 on itself on the Slave Charge Controller. Starting with firmware v5.29.x the local web server supports HTTPS. If enabled, the ports 443, 444 and 445 are occupied following the same pattern |
| # SSH communication | 22, 23, 24 | To enable universal access to the SSH server of an OCPP Master Charge Controller via the OCPP Slave Charge Controller, port 23 is accessible and will forward to port 22 on the Master Charge Controller from a Slave Charge Controller or to port 22 on the Master Charge Controller itself. To enable universal access to the web server of an OCPP Slave Charge Controller via the OCPP Master Charge Controller (for instance, through GSM), port 24 is accessible and will forward to port 22 on the Slave Charge Controller from a Master Charge Controller or to port 22 on the Slave Charge Controller itself |
| # WAN forwarding | 53 | |
| # OCPP-S | 8090 (configurable) | The incoming connections on this port can optionally be protected by TLS or by only allowing a configurable whitelist of IP addresses to connect. Without such protection OCPP-S can be deemed non-secured and the network needs to provide the necessary security from malicious outside connections. OCPP-S has been discountinued since v5.32 and above. |
| # OCPP and DLM Master | 1600, 1601 | To allow for OCPP or DLM communication, the Charge Controller opens the TCP ports 1600 and 1601 and accepts TLS encrypted incoming connections from Slave Charge Controllers |
| # Modbus TCP Slave | 502 (configurable) | The Charge Controller allows to configure Modbus TCP as a protocol to interact with energy management systems. The port for this purpose is 502 by default. It is configurable. Modbus TCP is generally not TLS encrypted and also not protected via a password. Because of this security needs to be achieved by securing the network itself |
| # SEMP and UPnP broadcasting | 8888 | The Charge Controller allows the SMA Energy management protocol (SEMP) to be configured for use with SMA energy managers. The SEMP protocol is mainly based on HTTP communication via port 8888. For device detection UpnP is used which is based on UDP broadcasts. Like in modbus there is no security via TLS or password protection and hence the network needs to be secured |
| # EEBUS and MDNS | 4711 | EEBUS is a communication protocol for energy managers that is supported by the Charge Controller. TCP connections are established by both the Charge Controller and the energy manager. For the latter the Charge Controller listens on Port 4711. Device discovery is done through MDNS broadcasting. EEBUS makes deliberate use of TLS and both client and server certificates, thus making it significantly more secure than Modbus TCP and SEMP for energy management purposes |
| # ISO 15118 | 15118, 15119, 15120 | Some variants of the Charge Controller support communication with the vehicle through ISO 15118. The communication is established by the vehicle while the Charge Controller acts as a limited TCP server. Limited: Only PLC and only IPv6 as specified by ISO 15118. The port 15118 is used by the car for sending and by the Charge Controller for receiving broadcasts for device discovery. Afterwards the Charge Controller communicates through the TCP ports 15119 and 15120 without and with TLS encryption depending on the configuration and available certificates |