Schneider Electric has patched security vulnerabilities in its EVlink range of electric vehicle charging stations that could lead to denial-of-service (DoS) attacks.
The energy management and automation giant addressed 13 flaws in total, including three critical vulnerabilities plus eight designated as ‘high’ severity and two as ‘medium’.
EVlink charging points are installed at private properties, public car parks, and for on-street charging. Three EVlink product ranges are affected: City, Parking, and Smart Wallbox.
Exploitation and impact
Affected EVlink owners who fail to apply the firmware update “may risk potential unauthorized access to the charging station’s web server, which could lead to tampering and [compromise] of the charging station’s settings and accounts,” warns Schneider Electric in a security alert.
“Such tampering could lead to things like denial of service attacks, which could result in unauthorized use of the charging station, service interruptions, failure to send charging data records to the supervision system, and the modification and disclosure of the charging station’s configuration.”
The vulnerabilities can be exploited remotely if stations are exposed directly to the internet – a configuration Schneider Electric cautions against.
However, SEC Consult security researcher Stefan Viehböck, who was involved in finding two of the vulnerabilities, told The Daily Swig that “some affected chargers [are] directly accessible from the internet based on Shodan/Censys searches”.
Even within a “properly segmented internal network”, he added, they could be vulnerable to phishing and other attacks “for the initial compromise and then on lateral movement etc to get access to the charging station network.
“Commercial charging infrastructure typically consists of hundreds of chargers, so if an attacker manages to get network access to them, they can take over all of them.”
Schneider Electric says the flaws can also “be exploited by obtaining physical access either to the charging station’s internal communication port, which requires disassembling the charging station enclosure, or, in the case of a connected station, to the network of the charging station’s supervision system”.
Hard-coded hazard
The trio of critical flaws – all assigned a CVSS score of 9.4 – can all enable attackers to gain administrative privileges via the charging station web server.
They include a bypass of the authentication mechanism in the EVlink admin web interface with undocumented and hard-coded HTTP cookie values (CVE-2021-22707), another hard-coded credential issue (CVE-2021-22730), and a hard-coded password flaw (CVE-2021-22729).
One of the ‘high’ severity flaws, found in the verification of a cryptographic signature (CVSS 7.2) and potentially leading to remote code execution (RCE), may have been inadvertently created by remediation of a previous code injection bug in 2018, according to SEC Consult.
Firmware recommendations
The flaws are present in firmware R7, version V3.3.0.15, and were patched in firmware R8, version V3.4.0.1, which was issued on Tuesday (July 13).
Austria-based SEC Consult has recommended that Schneider Electric “perform a thorough security review” of its EVlink product line “to identify and resolve potential further security issues”.
As electric vehicle chargers continue to proliferate, Viehböck expects to see further serious vulnerabilities emerge.
The upshot, he says, could be the manipulation of charging records or settings to overcharge or undercharge vehicles, the theft and misuse of charging credentials, service disruption to charging networks, and the ‘bricking’ (locking up the electronics) of cars during charging.
Attackers could even “find creative ways to impact the electrical grid”, warns Viehböck.
Schneider Electric declined to comment further in response to queries from The Daily Swig.
About Schneider Electric
Schneider Electric is leading the Digital Transformation of Energy Management and Automation in Homes, Buildings, Data Centers, Infrastructure and Industries. With global presence in over 100 countries, Schneider is the undisputable leader in Power Management – Medium Voltage, Low Voltage and Secure Power, and in Automation Systems. We provide integrated efficiency solutions, combining energy, automation and software. In our global Ecosystem, we collaborate with the largest Partner, Integrator and Developer Community on our Open Platform to deliver real-time control and operational efficiency. We believe that great people and partners make Schneider a great company and that our commitment to Innovation, Diversity and Sustainability ensures that Life Is On everywhere, for everyone and at every moment.
Media Contact
Company Name: ABC Private Limited
Contact Person: Media Relations
Email: Send Email
Phone: 8745857610
Country: India
Website: https://www.se.com/in/en/