Schneider Electric is warning about a critical vulnerability in its EVLink Parking devices – a line of electric vehicle charging stations. The energy management and automation giant said the vulnerability is tied to a hard-coded credential bug within the device that could enable attackers to gain access to the system.
Affected are EVLink Parking floor-standing units (v3.2.0-12_v1 and earlier). The vulnerability (CVE-2018-7800) is one of three addressed by fixes Schneider issued last week (PDF) for the electric charging stations. The company also issued warnings and fixes for a code injection vulnerability (CVE-2018-7801) and a SQL injection bug (CVE-2018-7802).
The code injection bug is rated high (CVSS 8.8) and “could enable access with maximum privileges when a remote code execution is performed,” according to the security bulletin. The SQL injection vulnerability “could give access to the web interface with full privileges,” the company said of the bug rated medium (CVSS 6.4).
EVLink Parking stations are typically found at offices, hotels, supermarkets and fleet hubs. The patch can be applied, but the company also offers a number of ways to mitigate risk such as “set up a firewall to block remote/external access except by authorized users.”
It’s unclear what type of additional access an attacker might gain via a compromised EVLink Parking device. The device itself is part of a full EVLink Parking networked solution that includes the charging station, EVLink insights (online portal) and vehicle maintenance and support services. These systems then link to a central system via the cloud for remote management.
A report issued earlier this month by Kaspersky Lab outlined a number of potential vulnerabilities affecting a wide range of electric vehicle charging stations. Researchers looked into one of the stations, dubbed the ChargePoint Home offering, and found a raft of vulnerabilities (PDF) that could give an attacker unfettered access to the device.
“All an attacker needs to do to conduct an attack is obtain Wi-Fi access to the network the charger is connected to,” Kaspersky Lab researchers said. “Since the devices are made for domestic use, security for the wireless network is likely to be limited. This means that attackers could gain access easily, for example by bruteforcing all possible password options, which is quite common.”
Researchers noted that EV communication protocols are vulnerable to attack, as are EV payment systems and the security of backend communications.
Credited with discovering the Schneider bugs are Vladimir Kononovich and Vyacheslav Moskvin, researchers with Positive Technologies.