A vulnerability in Schneider Electric’s EVLink Parking devices – a line of electric car charging stations - could have enabled hackers to gain access to the system. Schneider Electric said that the vulnerability is tied to a hard-coded credential bug that exists within the EVLink Parking device.
The energy management and automation giant said that the affected devices are EVLink Parking devices (v3.2.0-12_v1 and earlier). The vulnerability (CVE-2018-7800) is one of three fixes issued by Schneider last week. The firm also issued warnings and fixes for a code injection vulnerability (CVE-2018-7801) and SQL injection bug (CVE-2018-7802).
The code injection vulnerability is rated high (CVSS 8.8) and “could enable access with maximum privileges when remote code execution is performed.” The SQL Injection vulnerability is rated medium (CVSS 6.4) and “could give access to the web interface with full privileges,” Schneider Electric said.
Apart from the patch, the company also offers several ways to mitigate risk such as “set up a firewall to block remote/external access except by authorized users.”
The type of additional access an attacker could gain via a compromised EVLink Parking device remains unknown. The EVLink Parking device is part of a full EVLink Parking networked solution that includes the charging station, EVLink insights online portal, and vehicle maintenance and support services. These systems then link to a central system via the cloud for remote management.
Kaspersky Lab published a report earlier this month which highlighted multiple potential vulnerabilities affecting a wide range of electronic vehicle charging stations. Researchers analyzed one of the stations dubbed the ChargePoint Home and identified a raft of vulnerabilities that could give an attacker access to the device.
“All an attacker needs to do to conduct an attack is obtain Wi-Fi access to the network the charger is connected to. Since the devices are made for domestic use, security for the wireless network is likely to be limited. This means that attackers could gain access easily, for example by brute-forcing all possible password options, which is quite common,” Researchers from Kaspersky Lab said.
Researchers also found that that EV communication protocols, EV payment systems, and the security of backend communications were vulnerable to attacks.