Update EVlink electric car charging stations software; critical vulnerabilities allow cyber criminals to burn down vehicles

Security teams at Schneider Electric announced the correction of multiple flaws in EVlink, its charging station system for electric vehicles. According to the report, successful exploitation of these flaws would allow threat actors to deploy denial of service (DoS) attacks.

EVlink charging points are installed on private properties, public parking lots and some public roads. The flaws reside in three families of EVlink products: City, Parking and Smart Wallbox. The company addressed a total of 13 flaws, including three critical flaws, eight high-severity flaws, and two more considered medium-severity.

The issue is primarily related to three vulnerabilities that received a Common Vulnerability Scoring System (CVSS) score of 9.4/10. The first of these flaws was described as an authentication bypass in EVlink (CVE-2021-22707), while the remaining flaws (CVE-2021-22730 and CVE-2021-22729) are credential coding errors and password flaws.

Schneider says that administrators of affected charging points should apply the firmware update to avoid exposure to possible unauthorized access to the server of the deployment: “Unauthorized access would allow manipulation and compromise of the accounts that manage the charging stations,” the company’s alert states.

It is worth mentioning that the flaws can be exploited remotely if charging stations are exposed on the Internet, a practice that cybersecurity experts say is very common and highly undesirable.

In this regard, researcher Stefan Viehböck, who was in charge of this analysis, says it is highly likely that vulnerable devices exposed on the Internet can be found using common tools such as Shodan or Censys: “Even in an internal network the administrators of these stations could be affected by phishing attacks and other hacking variants,” adds the expert.

The company’s report also mentions that the flaws can be exploited by gaining physical access to the charging station’s internal communication port. This attack requires disassembling the charging station cabinet or, in the case of a connected station, accessing the charging station’s monitoring system network.

The flaws are present in the R7 firmware, version v3.3.0.15, and were addressed in the R8 firmware, version v3.4.0.1, which was released this week.
