Schneider Electric recently patched three security flaws in a popular type of electric-car charger that it manufactures, vulnerability assessment company Positive Technologies said Monday.
The most serious of the vulnerabilities in the EVlink charging stations involved hardcoded credentials, meaning the units were shipped with default passwords or security keys embedded in their firmware. If hackers discover such credentials in any type of device, they can use them to gain wide access to that device.
Schneider and Positive Technologies labeled that flaw as “critical,” saying an intruder could halt the charging process and switch the station into “reservation mode,” making it unusable to anyone until the mode is turned off. Hackers could even control the socket locking hatch, letting them unlock it and “walk away with the cable,” Positive Technologies said.
A second vulnerability, rated as “high-risk,” allows an attacker to execute arbitrary commands on the station and gain maximum privileges. Another vulnerability, labeled as “medium” risk, would let an attacker bypass authorization and access a station’s web interface with full privileges. Schneider Electric said this would be possible using a tactic known as SQL injection.
Beyond its car charging products, Schneider is one of the giants in the industrial control systems market, and its security activities tend to draw attention, given the importance of that technology at large plants and in critical infrastructure. In the fall of 2018, the company caught malware on “non-essential” USB drives that it shipped to customers. Earlier in the year, it released a critical patch for software used at manufacturing and energy facilities.
The EVlink stations are often found in parking lots at offices, shopping centers, hotels and other public spaces, and can be used with a wide variety of electric cars.
“Schneider Electric products are widely used in countries all over the world where the electric vehicle industry is developing. Exploitation of these vulnerabilities may lead to serious consequences,” said Paolo Emiliani, a Positive Technologies research analyst, in the company’s report. “Attackers can actually block electric car charging and cause serious damage to the energy industry.”
Schneider credited Positive Technologies researchers Vladimir Kononovich and Vyacheslav Moskvin in its own disclosure of the vulnerabilities.
The EVlink bugs affect firmware versions 3.2.0-12_v1 or earlier. While Positive Technologies publicly disclosed the bugs on Monday, a newer firmware version has been available on Schneider Electric’s website since October 2018.