Schneider Electric has addressed several new vulnerabilities that left its EVlink electric car charging stations exposed to remote hacking attempts. Schneider announced the availability of fixes on December 14 and advised consumers to apply them as soon as possible. The vulnerabilities were discovered in EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2, and EVP2PE), and Smart Wallbox (EVB1A) devices, as well as in a few products that have reached end of life.
The security vulnerabilities include cross-site request forgery (CSRF) and cross-site scripting (XSS) issues that may be used to carry out operations on behalf of a valid user, and a flaw that can be used to brute-force access to a charging station’s web interface. The most significant concern is a server-side request forgery (SSRF) vulnerability, with a CVSS score of 9.3. According to Schneider, failure to act might result in tampering with and compromise of the charging station’s settings and accounts.
“Such tampering could lead to things like denial of service attacks, which could result in unauthorized use of the charging station, service interruptions, failure to send charging data records to the supervision system and the modification and disclosure of the charging station’s configuration,” the industrial behemoth stated in its advisory.
The firm stated that exploiting the flaws requires physical access to the system’s internal communication port, but that attacks could also be conducted from the local network or the internet if the charging station is web-accessible.
It was pointed out that some of the vulnerabilities, such as the SSRF flaw, may be exploited by sending specially crafted queries with no user interaction. Exploiting the XSS and CSRF vulnerabilities, on the other hand, requires some user activity (e.g., clicking on a link).
According to a cybersecurity researcher, these flaws were discovered as part of a bigger examination of electric car charging station management systems. The study’s full findings will be released next year; the researcher does not wish to reveal the identities of additional vendors or products targeted in the study at this time.