Schneider Electric has patched several new vulnerabilities that expose its EVlink electric vehicle charging stations to remote hacker attacks.
Schneider announced the availability of patches on December 14, when it urged customers to immediately apply patches or mitigations. The flaws have been found to impact EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2 and EVP2PE) and Smart Wallbox (EVB1A) devices, as well as some products that have reached end of life.
The vendor has credited researcher Tony Nasr for finding a total of seven vulnerabilities in these charging stations, including one critical and five high-severity issues.
The security holes include cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs that can be exploited to carry out actions on behalf of a legitimate user, and a weakness that can be leveraged to gain access to a charging station’s web interface via brute-force attacks. The most serious issue — based on its CVSS score of 9.3 — is a server-side request forgery (SSRF) vulnerability.
Schneider warned that failure to take action could lead to “tampering and compromise of the charging station’s settings and accounts.”
“Such tampering could lead to things like denial of service attacks, which could result in unauthorized use of the charging station, service interruptions, failure to send charging data records to the supervision system and the modification and disclosure of the charging station’s configuration,” the industrial giant wrote in its advisory.
The company noted that exploitation of the vulnerabilities requires physical access to the system’s internal communication port, but admitted that attacks can also be launched from the local network and even the internet if the charging station is accessible from the web.
“The exploitation of Internet-connected charging stations does not require having access to the LAN, therefore making the attack vector very powerful and effective,” Nasr told SecurityWeek. “In this case, the adversary would perform Internet-wide scans to search for viable EVCS [electric vehicle charging stations] before attempting to exploit their vulnerabilities. However, it should be noted that connectivity of the EVCS does not present any difference in terms of the actual exploitation process (i.e., triggering the vulnerabilities).”
“For instance, if the EVCS is not accessible via the Internet, then the adversary is assumed to have access to the LAN, which is a relatively trivial task (e.g., cracking Wi-Fi network passwords, networks with default configurations, etc), where the EVCS is connected to in order to conduct local, yet remote, exploitation. Following these two methods, the adversary can take control over the underlying EVCS, by launching various cyber attacks that leverage the discussed vulnerabilities,” he added.
The researcher pointed out that exploitation of some of the vulnerabilities, such as the SSRF bug, involves sending specially crafted requests and does not require any user interaction.
“Such an attack allows the adversary to leverage the compromised EVCS as a network proxy, practically building a botnet and conducting distributed cyber attacks, such as a distributed denial of service (DDoS), against other devices,” Nasr explained.
Exploitation of the XSS and CSRF vulnerabilities, on the other hand, does require some user interaction (e.g. clicking on a link).
“While the most devastating attack vector is a remote cyber attack that targets Internet-facing EVlink, adversaries can still pose a great danger to the ecosystem of these stations by targeting their management systems across LAN since fundamentally EVlink setup requires network connectivity for more efficient remote monitoring and management,” the researcher said.
Based on internet searches conducted with services such as Shodan and Censys, Nasr says there are thousands of internet-exposed systems.
“It should be noted that this amount greatly increases when discussing EVlink charging stations that are not currently Internet-facing but yet are network-configured and can still be attacked locally by exploiting the aforementioned vulnerabilities through specific vectors on LAN for instance,” the researcher noted.
Nasr said these vulnerabilities were found as part of a larger study into electric vehicle charging station management systems. The full results of the study will be made available next year — the researcher does not want to disclose at this point the names of other vendors and products targeted in the study.
As the popularity of EVs is increasing, so is the interest of cybersecurity researchers in charging stations. The security of these systems has also been analyzed this year by Pen Test Partners and Trend Micro.