Flaws could enable attackers to gain remote control over the device and stop the charging process
Positive Technologies experts Vladimir Kononovich and Vyacheslav Moskvin detected three vulnerabilities in the Schneider Electric EVlink Parking electric vehicle charging station, which is used at parking environments in several countries, including at offices, hotels, supermarkets, fleets and municipals. Affected firmware versions are 3.2.0-12_v1 and earlier. To eliminate the vulnerability, a new firmware version must be installed, which is available on the Schneider Electric official website.
The first vulnerability (CVE-2018-7800) enables access with maximum privileges to the charging station. A hacker can stop the charging process; switch the device to the reservation mode, which would render it inaccessible to any customer until reservation mode is turned off; and even unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable. Unauthorized execution of such commands may lead to financial losses in the energy sector. For electric car drivers, this means not being able to use their vehicles since they cannot be charged. The vulnerability is marked as critical.
In addition, the experts revealed a high-risk vulnerability, CVE-2018-7801, that enables criminals to execute arbitrary commands in the system. This bug allows hackers to gain access to the device with maximum privileges.
The third vulnerability, CVE-2018-7802 was rated medium. By exploiting this error, an attacker can bypass authorization and gain access to the web interface with full privileges.
"Schneider Electric products are widely used in countries all over the world where the electric vehicle industry is developing. Exploitation of these vulnerabilities may lead to serious consequences," says Paolo Emiliani, Industry and SCADA Research Analyst at Positive Technologies. "Attackers can actually block electric car charging and cause serious damage to the energy industry."
Positive Technologies experts have been improving the protection of Schneider Electric products for several years. They previously eliminated vulnerabilities in Schneider Electric's industrial process automation systems and fixed bugs in APC uninterruptible power sources, as well as in a data center monitoring tool.