Schneider has fixed three vulnerabilities in one of its popular electric car charging stations, which security researchers said could have easily allowed an attacker to remotely take over the unit.
At its worst, an attacker can force a plugged-in vehicle to stop charging, rendering it useless in a “denial-of-service state,” an attack favored by some threat actors as it’s an effective way of forcing something to stop working.
The bugs were fixed with a software update that rolled out on September 2, shortly after the bugs were first disclosed, and limited details of the bugs were revealed in a supporting document on December 20. A fuller picture of the vulnerabilities, found by New York-based security firm Positive Technologies, were released today — almost a month later.
Schneider’s EVLink charging stations come in all shapes and sizes — some for the garage wall and some at gas stations. It’s the charging stations at offices, hotels, shopping malls and parking garages that are vulnerable, said Positive.
At the center of Positive’s disclosure is Schneider’s EVLink Parking electric charging stations, one of several charging products that Schneider sells, and primarily marketed to apartment complexes, private parking area, offices and municipalities. These charging stations are, like others, designed for all-electric and plug-in hybrid electric vehicles — including Teslas, which have their own proprietary connector.
Because the EVLink Parking station can be connected to Schneider’s cloud with internet connectivity, either over a cell or a broadband connection, Positive said that the web-based user interface on the charging unit can be remotely accessed by anyone and easily send commands to the charging station — even while it’s in use.
“A hacker can stop the charging process, switch the device to the reservation mode, which would render it inaccessible to any customer until reservation mode is turned off, and even unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable,” said Positive.
“For electric car drivers, this means not being able to use their vehicles since they cannot be charged,” it said. The company also said that it’s also possible to charge a car for free by exploiting these vulnerabilities.
Positive didn’t say what the since-removed password was. We asked for it — out of sheer curiosity more than anything — but the company isn’t releasing the password to prevent anyone exploiting the bug in unpatched systems.
The researchers, Vladimir Kononovich and Vyacheslav Moskvin, also found two other bugs that gives an attacker full access over a device — a code injection flaw and a SQL injection vulnerability. Both were fixed in the same software update.
When reached, a Schneider spokesperson did not immediately have comment. On Tuesday, the company confirmed the bugs, adding: “There have been no reported incidents as a result of these potential vulnerabilities.”
Additional reporting: Kirsten Korosec.
Updated at 12:15pm ET: with additional details, including about the unreleased password, and updated again on Tuesday with a statement from Schneider.