Electric Vehicle Charging Station Vulnerabilities

By Josh Balentine on January 18, 2019

a picture of an electronic car charging station
Source: evchargesolution.com

This week several vulnerabilities were reported in EVlink charging stations manufactured by Schneider Electric, that service electric vehicles. EVlink provides electric vehicle charging products for both home and commercial use, placing these vulnerabilities in the subset category of equipment manufacturing of the Manufacturing Sector of the Critical Infrastructure Sectors designated by the Presidential Policy Directive 21 . The three vulnerabilities (CVE ID: CVE-2018-7800, CVE-2018-7801, and CVE-2018-7802) can grant a malicious actor elevated privileges to the charging interface allowing them to have the highest control over the charging station. The most critically rated vulnerability CVE-2018-7800 can allow an individual to gain access to the charging interface, and execute various commands that allow actions ranging from unlocking the charging cable resulting in theft of the device to altering the charging process of a consumer. The two other vulnerabilities CVE-2018-7801 and CVE-2018-7802 grant similar privileges through different methods. CVE-2018-7801 grants elevated privileges when a remote code execution is performed, and CVE-2018-7802 is a SQL injection vulnerability allowing elevated privileges to the web interface of the product.     

Vulnerability Description

National Vulnerability Database:

CVE-2018-7800 – Hard Coded Credentials

CVE-2018-7801 – Remote Code Execution

CVE-2018-7802 – SQL Injection

Recommended Actions

Schneider Electric has released firmware updates to remedy the discovered vulnerabilities, and have released other general security recommendations to reduce the risk to their users. Schneider’s Electric Security Notification document provides the link and instructions for the firmware updates and other recommendations. General recommendations include configuring firewalls to block remote/external access, minimizing network exposure for all devices, and utilizing Virtual Private Networks (VPNs) when remote access is required by authorized users. 

Sources

Kovacs, E. (2019). Security Week. Schneider Electric Vehicle Charging Stations Exposed to Hacker Attacks. Retrieved from <a”https://www.securityweek.com/schneider-electric-vehicle-charging-stations-exposed-hacker-attacks”>https://www.securityweek.com

Related Posts