Security flaws could allow an attacker to receive free vehicle charges, or lock up the charging station completely

Schneider Electric fixes critical vulnerabilities in EVlink electric vehicle charging stations

Schneider Electric has patched security vulnerabilities in its EVlink range of electric vehicle charging stations that could lead to denial-of-service (DoS) attacks.

The energy management and automation giant addressed 13 flaws in total, including three critical vulnerabilities plus eight designated as ‘high’ severity and two as ‘medium’.

EVlink charging points are installed at private properties, public car parks, and for on-street charging. Three EVlink product ranges are affected: City, Parking, and Smart Wallbox.

Exploitation and impact

Affected EVlink owners who fail to apply the firmware update “may risk potential unauthorized access to the charging station’s web server, which could lead to tampering and [compromise] of the charging station’s settings and accounts,” warns Schneider Electric in a security alert.

“Such tampering could lead to things like denial of service attacks, which could result in unauthorized use of the charging station, service interruptions, failure to send charging data records to the supervision system, and the modification and disclosure of the charging station’s configuration.”

The vulnerabilities can be exploited remotely if stations are exposed directly to the internet – a configuration Schneider Electric cautions against.

However, SEC Consult security researcher Stefan Viehböck, who was involved in finding two of the vulnerabilities, told The Daily Swig that “some affected chargers [are] directly accessible from the internet based on Shodan/Censys searches”.

Even within a “properly segmented internal network”, he added, they could be vulnerable to phishing and other attacks “for the initial compromise and then on lateral movement etc. to get access to the charging station network.

“Commercial charging infrastructure typically consists of hundreds of chargers, so if an attacker manages to get network access to them, they can take over all of them.”

Schneider Electric says the flaws can also “be exploited by obtaining physical access either to the charging station’s internal communication port, which requires disassembling the charging station enclosure, or, in the case of a connected station, to the network of the charging station’s supervision system”.

Hard-coded hazard

The three critical flaws, each assigned a CVSS score of 9.4, enable attackers to gain administrative privileges via the charging station web server.

They include a bypass of the authentication mechanism in the EVlink admin web interface with undocumented and hard-coded HTTP cookie values (CVE-2021-22707), another hard-coded credential issue (CVE-2021-22730), and a hard-coded password flaw (CVE-2021-22729).

One of the ‘high’ severity flaws, an improper verification of a cryptographic signature (CVSS 7.2) that could potentially lead to remote code execution (RCE), may have been introduced inadvertently when a previous code injection bug was fixed in 2018, according to SEC Consult.

Firmware, recommendations

The flaws are present in firmware R7, version V3.3.0.15, and were patched in firmware R8, version V3.4.0.1, which was issued on Tuesday (July 13).

Austria-based SEC Consult has recommended that Schneider Electric “perform a thorough security review” of its EVlink product line “to identify and resolve potential further security issues”.

As electric vehicle chargers continue to proliferate, Viehböck expects to see further serious vulnerabilities emerge.

The upshot, he says, could be the manipulation of charging records or settings to overcharge or undercharge vehicles, the theft and misuse of charging credentials, service disruption to charging networks, and the ‘bricking’ (locking up the electronics) of cars during charging.

Attackers could even “find creative ways to impact the electrical grid”, warns Viehböck.

Schneider Electric declined to comment further in response to queries from The Daily Swig.