EVlink Parking electric vehicle charging stations made by Schneider Electric are affected by vulnerabilities that can be exploited remotely to take control of the devices.
EVlink Parking charging stations are present in office buildings, hotels, apartment complexes, private parking areas, and municipal parking locations in various countries.
Researchers at Positive Technologies discovered that EVlink Parking devices running firmware version 3.2.0-12_v1 and earlier are impacted by three vulnerabilities. The most serious of them, rated critical and tracked as CVE-2018-7800, is related to the existence of hardcoded credentials that provide high-privileged access to the system’s web interface.
According to Positive Technologies, once an attacker gains access to this interface, they can send various commands, including to stop the charging process, prevent users from charging their vehicles by switching the charging station to reservation mode, and even unlock the charging cable, allowing it to be stolen.
Positive Technologies told SecurityWeek that an attacker can also exploit this vulnerability to change power meter data and multiply it by any value.
The second vulnerability, tracked as CVE-2018-7801 and classified as “high severity,” is an arbitrary command execution weakness that also provides access to the device with the highest privileges.
The last vulnerability, rated “medium severity,” can be exploited to bypass authorization and gain access to the web interface with maximum privileges. Schneider Electric has described this flaw as a SQL injection bug.
Exploitation of the flaws requires network access to the targeted charging station, but Positive Technologies told SecurityWeek that exploitation from the Internet may also be possible in certain cases.
“If the charging station was configured to use centralized control mode (‘supervision’) with the central server accessible from the Internet, or the charging station has a GPRS modem or WiFi card inserted, then it is possible for the attacker to have a remote access,” explained Paolo Emiliani, Industry and SCADA Research Analyst at Positive Technologies.
Schneider Electric has released a firmware update that should address the vulnerabilities. Positive Technologies said it took the vendor roughly 7 months to release the patches.
“Schneider Electric products are widely used in countries all over the world where the electric vehicle industry is developing. Exploitation of these vulnerabilities may lead to serious consequences,” Emiliani said. “Attackers can actually block electric car charging and cause serious damage to the energy industry.”
This is not the first time cybersecurity researchers have analyzed electric vehicle charging stations. Roughly one year ago, Kaspersky Lab published a 30-page report describing its analysis of EV charging stations.