Schneider Electric has patched a number of new vulnerabilities that expose its EVlink electric vehicle charging stations to remote hacking attacks.
In an announcement on December 14, Schneider encouraged its customers to apply patches immediately. The flaws have been found to impact EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2 and EVP2PE) and Smart Wallbox (EVB1A) devices, as well as some products that have reached end of life.
According to the vendor, researcher Tony Nasr discovered seven vulnerabilities in these charging stations, one of which is critical and five of which are high-severity.
The security flaws include cross-site request forgery (CSRF) and cross-site scripting (XSS) problems that can be used to carry out operations on behalf of a valid user, as well as a vulnerability that can be used to brute-force access to a charging station’s web interface.
A server-side request forgery (SSRF) vulnerability is the most significant concern, with a CVSS score of 9.3.
Failure to act could result in “tampering and compromise of the charging station’s settings and accounts,” according to Schneider.
The company stated that exploiting the flaws requires physical access to the system’s internal communication port, but that attacks can also be launched from the local network or the internet if the charging station is web-accessible.
“Because the exploitation of Internet-connected charging stations does not require access to the LAN, it is a very potent and effective attack vector,” Nasr told SecurityWeek.
“In this scenario, the attacker would conduct Internet-wide scans to look for viable EVCS [electric vehicle charging stations] before attempting to exploit their flaws.”
“It should be noted, however, that EVCS connectivity makes no difference in terms of the actual exploitation process (i.e., triggering the vulnerabilities).”
“Such manipulation could result in unauthorised use of the charging station, service interruptions, failure to communicate charging data records to the supervisory system, and the alteration and disclosure of the charging station’s configuration,” the industrial behemoth warned in its advisory.
“For example, if the EVCS is not available over the Internet, the adversary is presumed to have access to the LAN, which is a relatively simple operation (e.g., cracking Wi-Fi network passwords, networks with default configurations, etc.) to execute local, yet remote, exploitation.”
“The attacker can get control of the underlying EVCS using these two approaches by executing various cyber attacks that exploit the stated vulnerabilities,” he noted.
According to the researcher, some of the vulnerabilities, such as the SSRF flaw, can be exploited by sending carefully constructed queries, with no user interaction required.
“Such an approach allows the adversary to use the compromised EVCS as a network proxy, effectively creating a botnet and conducting distributed cyber attacks against other devices, such as a distributed denial of service (DDoS),” Nasr added.
The XSS and CSRF vulnerabilities, on the other hand, do require some user activity (e.g., clicking on a link).
“While the most devastating attack vector is a remote cyber attack that targets Internet-facing EVlink,” the researcher said, “adversaries can still pose a significant threat to the ecosystem of these stations by targeting their management systems across LAN,” because “EVlink setup fundamentally requires network connectivity for more efficient remote monitoring and management.”
Based on internet searches using services like Shodan and Censys, Nasr claims that there are thousands of internet-exposed systems.
“It should be highlighted that when addressing EVlink charging stations that are not now Internet-facing but are network-configured and can still be targeted locally by exploiting the aforementioned vulnerabilities through particular vectors on LAN for example,” the researcher said.
These flaws were discovered as part of a bigger investigation into electric vehicle charging station management systems, according to Nasr. The study’s full findings will be released next year; the researcher does not wish to reveal the identities of other suppliers or goods targeted in the study at this time.
As the popularity of electric vehicles grows, so does cybersecurity researchers’ interest in charging stations. Pen Test Partners and Trend Micro have also looked into the security of these systems this year.