- EVLink charging station found to have three serious vulnerabilities that are now fixed with a patch.
- Schneider Electric issued the fixes, along with the relevant warning and a list of “good practices”.
- A few days earlier, Kaspersky’s report had already indicated quite a few severe vulnerabilities in related systems.
Schneider Electric has issued a warning about a set of critical vulnerabilities in its EVLink electric vehicle charging stations, and has released a security update that should be applied as soon as possible. The company states that the bugs impact floor-standing units running firmware version 3.2.0-12_v1 and earlier, allowing attackers to gain remote access to the device or the web interface and to execute code with maximum privileges.
The three bugs were discovered by a team of security researchers from Positive Technologies and reported to Schneider Electric for fixing. Assigned the IDs CVE-2018-7800, CVE-2018-7801, and CVE-2018-7802, these bugs were rated “critical”, “high”, and “medium” respectively. More specifically, CVE-2018-7800 is a hard-coded credentials vulnerability that allows an attacker to gain access to the EVLink device, CVE-2018-7801 is a code injection vulnerability that could allow remote code execution with maximum privileges, and CVE-2018-7802 is an SQL injection vulnerability that allows full-privilege access to the web interface (EVLink Insights).
Schneider Electric doesn’t go into details about what an attacker could actually do after gaining access to a compromised EVLink device, but the most dangerous scenarios could include fiddling with the EV payment systems, the backend communications, or even the charging process itself. The manufacturer recommends an immediate update with the provided patch and also presents a comprehensive set of generic security recommendations. These include never leaving the cabinets in “Program mode”, scanning USB drives before connecting them to terminals, never connecting laptops to the safety and control network of the system, and always using VPNs when connecting to the device remotely.
This situation comes only a couple of days after Kaspersky Lab reported multiple exploitable vulnerabilities in home electric charging units. Kaspersky’s report showcased a number of security holes that could even allow hackers to take control of various systems of your vehicle, or your home’s WiFi network. As electric vehicles become more popular, connected charging devices will be increasingly targeted by attackers, so the rapid identification and fixing of such issues by vendors is critical. For now, it seems that fixes are arriving quickly enough, and no sad stories have come out of these vulnerabilities yet. Hopefully, this will continue to be the case in 2019 as well.