Schneider patches three critical vulnerabilities found in EVlink charging stations
- Of the three vulnerabilities, one was rated as critical and the other two had been marked as ‘high risk’ and ‘medium’ on the severity scale.
- Customers using EVlink charging station with versions prior to 3.2.0-12_v1 are required to install the latest firmware.
Three security vulnerabilities which could allow attackers to halt the charging process in Schneider Electric’s EVlink parking charging station have been patched. These flaws were notified to the public on December 20, 2018, by the firm. Of these three vulnerabilities, one was rated as critical and the other two had been marked as ‘high risk’ and ‘medium’ on the severity scale.
Details about the flaws
The critical vulnerability, CVE-2018-7800, is a hard-coded credential bug and can allow attackers to gain access to the charging stations with maximum privileges. Once the hackers obtain control over the station’s web interface, they can manipulate the commands and can stop a car from charging. Furthermore, the flaw could also allow attackers to switch on the reservation mode of the charging station and making it inaccessible to customers.
The CVE-2018-7801 has been rated as high risk and is a code-injection vulnerability. It could allow attackers to execute arbitrary code and obtain unauthorized access with maximum privileges.
The CVE-2018-7802 is an SQL injection vulnerability and is marked as ‘medium’ on severity scale. The flaw could enable attackers to bypass authorization and gain full access to the station’s web interface.
"Exploitation of these vulnerabilities may lead to serious consequences. Attackers can actually block electric car charging and cause serious damage to the energy industry,” said Paolo Emiliani, industry and SCADA research analyst at Positive Technologies, ZDNet reported.
Customers who are using EVlink charging station with versions prior to 3.2.0-12_v1 are required to install the latest firmware. Users are also required to set up a firewall to block remote or external access to unauthorized persons.