Free Vending Mode Security Best Practices

Lionel Richard Saposnik

VP of Research at Saiflow

Many EV charging stations support a charging mode called “Free Vend” mode. The free vend charging mode is usually enabled by default as part of the charging station’s default configuration. Even when the charger is managed by a Charging Station Management System (CSMS), the charger could still allow this functionality, exposing the Charge Point Operator (CPO) to an energy theft attack.

Free Vend Mode – What Is It and Why Does It Exist?

EV charging stations are designed to serve various types of customers, including family households, private apartment buildings, private EV fleets, public charging sites, and more. Most EV charging stations available on the market today provide a variety of capabilities to serve multiple use cases, and each use case requires a different set of configurations.

“Free Vend” mode is most suited for family use where identification of drivers is not mandatory. There are cases where Free Vend might be used by the operator when backend services might not be available for a defined period of time due to maintenance or connectivity issues.

Operators should configure the EV charging stations according to their business needs and enforce policies to prevent misuse.

“Threat actors could abuse this Free Vend functionality to perform energy theft on a large scale by abusing the CSMS of public and private EV fleet charging sites.”

How does Free Vend work?

The Free Vend configuration is executed on the charger itself and on the CSMS provider when necessary.

In the simple case where the charger is stand-alone and not managed by a CSMS provider, as in private households for example, if the Free Vend mode is enabled, the EV driver can connect its EV to the charger and the charging session will automatically start. Meaning, no driver identification methods are needed to start the charging session.

When the EV charging station is managed by a CSMS provider, the CSMS provider might choose to enable the Free Vend mode and allow predefined Free Vend ID Tags to be used as a driver identifier in the CSMS user list. In this case:

The driver connects the charger to the EV without identifying itself.
The charger will send the Free Vend ID Tag to the CSMS as part of the start-transaction message. As in the case above, no driver identification methods are required to start the charging session.
The predefined Free Vend ID Tag value is set by FreeVendIdTag or FreeModeRFID keys, which are part of the OCPP configuration.
The Free Vend ID Tag must be listed and approved by the CSMS in order to charge the EV. Otherwise, the charging session will be declined by the CSMS.

Free vend mode enabled flow: 1. EV connected to charger 2. Charger uses Free Vend ID tag: 12345678 3. Request send to CSMS 4. Charging station management approves ID tag 12345678 5. Transaction starts

Free Vend Risks

Free Vend mode’s main risks are energy theft and billing discrepancies, for both the single-charger and the CSMS-based use cases, as in most chargers, Free Vend mode might be enabled by default or left redundant on the CSMS.

Attacker with free vend mode disabled flow: 1. Driver presents RFID to charger 12345678 2. Charger uses RFID tag 12345678 3. Request sent to CSMS 4. Charging station management approves ID tag 12345678 5. Transaction starts

These sites will most likely have Fast DC charging abilities that could lead to large payment and billing discrepancies. Threat actors could abuse this Free Vend functionality to perform energy theft on a large scale by abusing the CSMS of public and private EV fleet charging sites.
Lack of continuous visibility and cyber monitoring of settings and configurations applied to chargers and CSMS providers could increase the likelihood of exploiting the Free Vend mode configuration.
The configuration settings of charging stations and CSMS might change over time due to a field operator’s configuration update, firmware updates, CSMS maintenance, offline support, or other reasons.
Connectivity issues might switch the charging station automatically into a Free Vend mode. Threat actors might intentionally cause the charging station to go offline and execute an energy theft attack. Alternatively, a predefined ID Tag set on the CSMS provider can be abused to cause billing discrepancies.

Free Vend ID Tags Examples

According to an OCPP 1.6 documentation of an exemplary EV charging station, the use of Free Vend mode is defined as follows:

OCPP 1.6 documentation explains the use of Free Vend mode

Tritium’s Veefil RT50 model is using a different OCPP key, defined as FreeModeRFID, and the default ID Tag value is 12345678, but the free vend mode is disabled by default.
According to Vestel’s EVC04 model documentation, Free Vend is enabled by default as can be seen in this link and the quote below:

“The charging station is preconfigured as plug&charge by default. To disable plug&charge mode (VestelFreeModel and activate RFID authorization, it is needed to change FreeModeActive OCPP configuration key to ‘false’…”

We suggest reaching out to the vendor documentation of OCPP configuration and finding if Free Vend mode is supported, if it is enabled by default, if there are any default values, and what is the expected behavior.

Disabling Free Vend functionality

Unless there is a good reason to allow Free Vend, this configuration should be disabled to minimize potential risks:

1. For apartment buildings, private fleets, and public sites (usually CSMS-based)

Set the charging station configuration value to false for the key name FreeVendEnabled or FreeModeActive (or a different key name depending on the vendors’ configuration datasheet).
It’s recommended to change the value of the FreeVendIdTag or FreeModeRFID keys to a random value, which is difficult the brute force, with the maximum length allowed for an ID tag (20 characters), and make sure this ID does not exist in the CSMS. Those actions will prevent the abuse of this ID by attackers in case the Free Vend mode is enabled by accident.
If possible, set the FreeVendIdTag to a value that “can’t” be read by RFID readers. Most of the RFID readers extract the UID bytes presented by the RFID tags as a hex value (0-9 and A-F characters). By setting the Free Vend ID Tag configuration with a value that can’t be presented by an RFID tag, we can reduce the risk of threat actors abusing this functionality.

The keys described above are used by the OCPP protocol and can be changed via the CSMS provider.

2. For private family households or standalone uses (Usually single-chargers)

Follow the vendor’s instructions for operating your charging station settings and disabling Free Vend mode.
Vendors allow local configuration using mobile applications or connecting to a web management interface over the device’s WiFi network.

Free Vending mitigation via the Saiflow platform

SaiFlow’s Posture and Risk Management module provides you with continuous visibility of your EV charging sites and their deployed EVSE assets, making sure there are no exploitable misconfigurations (such as the Free Vend mode), known-vulnerabilities or any other factors that increase the potential attack-surface and expose your EV charging sites and business operations to cyber attacks.

References

Thank you “Plug and Play EV” for the video providing a good example of Free Vend mode usability: Blink EV Charging Outage (and Why Free Vend Mode Works) | Quick Charge #3. (This is one of many other approaches to overcome charging availability situations with service maintenance downtime or other network connectivity issues.)
Thank you be.ENERGISED for a detailed explanation of how the Free Vending mode process works when a charger is managed by a CSMS provider: Demo Mode / Free Charging Mode.