Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Schneider Electric Vehicle Charging Stations Exposed to Hacker Attacks

EVlink Parking electric vehicle charging stations made by Schneider Electric are affected by vulnerabilities that can be exploited remotely to take control of the devices.

EVlink Parking charging stations are present in office buildings, hotels, apartment complexes, private parking areas, and municipal parking locations in various countries.

EVlink Parking electric vehicle charging stations made by Schneider Electric are affected by vulnerabilities that can be exploited remotely to take control of the devices.

EVlink Parking charging stations are present in office buildings, hotels, apartment complexes, private parking areas, and municipal parking locations in various countries.

Researchers at Positive Technologies discovered that EVlink Parking devices running firmware version 3.2.0-12_v1 and earlier are impacted by three vulnerabilities. The most serious of them, rated critical and tracked as CVE-2018-7800, is related to the existence of hardcoded credentials that provide high-privileged access to the system’s web interface.

EVlink Parking charging station vulnerabilitiesAccording to Positive Technologies, once an attacker gains access to this interface, they can send various commands, including to stop the charging process, prevent users from charging their vehicles by switching the charging station to reservation mode, and even unlock the charging cable, allowing it to be stolen.

Positive Technologies told SecurityWeek that an attacker can also exploit this vulnerability to change power meter data and multiply it by any value.

Learn More About Flaws in Energy Systems at SecurityWeek’s ICS Cyber Security Conference

The second vulnerability, tracked as CVE-2018-7801 and classified as “high severity,” is an arbitrary command execution weakness that also provides access to the device with the highest privileges.

The last vulnerability, rated “medium severity,” can be exploited to bypass authorization and gain access to the web interface with maximum privileges. Schneider Electric has described this flaw as a SQL injection bug.

Exploitation of the flaws requires network access to the targeted charging station, but Positive Technologies told SecurityWeek that exploitation from the Internet may also be possible in certain cases.

Advertisement. Scroll to continue reading.

“If the charging station was configured to use centralized control mode (‘supervision’) with the central server accessible from the Internet, or the charging station has a GPRS modem or WiFi card inserted, then it is possible for the attacker to have a remote access,” explained Paolo Emiliani, Industry and SCADA Research Analyst at Positive Technologies.

Schneider Electric has released a firmware update that should address the vulnerabilities. Positive Technologies said it took the vendor roughly 7 months to release the patches.

“Schneider Electric products are widely used in countries all over the world where the electric vehicle industry is developing. Exploitation of these vulnerabilities may lead to serious consequences,” Emiliani said. “Attackers can actually block electric car charging and cause serious damage to the energy industry.”

This is not the first time cybersecurity researchers have analyzed electric vehicle charging stations. Roughly one year ago, Kaspersky Lab published a 30-page report describing its analysis of EV charging stations.

Related: Malware Found on USB Drives Shipped With Schneider Solar Products

Related: Schneider Electric Patches 16 Flaws in Building Automation Software

Related: Schneider Electric Development Tools Affected by Critical Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.