EVlink Electric Vehicle Charging Stations Flaw Let Attackers Control Charging Station’s Web Interface

Schneider has found a flaw on December 14; this flaw has been impacting EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2, and EVP2PE), and Smart Wallbox (EVB1A) devices.

The flaw discovered can easily allow any threat actor to take full control of the web interface of the charging station.

That’s why after detecting the flaw, the experts immediately noticed the customers and suggested them to promptly apply some mitigation or patches to keep themselves safe from this flaw. 

However, to exploit the bug, the threat actors need to have physical access to the charging station’s internal communication port, and not only that even it involves several disassembling proceedings like the disabling of the charging station compartment.

Affected Products & Versions

However, we have mentioned some products above that have been affected by this flaw. Now we have listed the flaws that have been affected by this flaw, and not only this but have also mentioned the versions. 

Here we have listed all the details below:-

  • EVlink City (EVC1S22P4 / EVC1S7P4) – All versions prior to R8 V3.4.0.2
  • EVlink Parking (EVW2 / EVF2 / EVP2PE) – All versions prior to R8 V3.4.0.2
  • EVlink Smart Wallbox (EVB1A) – All versions prior to R8 V3.4.0.2

Bug Effects

Here we have mentioned all the possible bug effects:-

  • Unauthorized use of the charging station.
  • Service interruptions.
  • Failure to send charging data records to the supervision system.
  • Unauthorized data modification. 
  • Disclosure of the charging station’s configuration.

Vulnerabilities

After investigating the whole flow of Schneider has noticed the vulnerabilities, and they have named them by CVE, and here below we have listed all the vulnerabilities:-

  • CVE-2021-22724
  • Score- 8.8(high)
  • This vulnerability enables the threat actors to implicate their actions.
  • CVE ID: CVE-2021-22725
  • Score-8.8(high)
  • This vulnerability enables the threat actors to execute forced actions when the malicious parameters are composed.
  • CVE ID: CVE-2021-22818
  • Score-7.5(high)
  • It enables the threat actors to acquire unauthorized access to the charging station web.
  • CVE ID: CVE-2021-22819
  • Score-6.5(medium)
  • This vulnerability generates unintended modifications to the product settings or to the user accounts.
  • CVE ID: CVE-2021-22820
  • Score-7.1(high)
  • This vulnerability allows the threat actors attacker to uphold unauthorized access over a hijacked session.
  • CVE ID: CVE-2021-22821
  • Score-9.3(critical)
  • This vulnerability helps to forward requests to unintended network targets while crafting malicious parameters.
  • CVE ID: CVE-2021-22822
  • Score-8.8(high)
  • This vulnerability generally helps the threat actors to simulate the user who manages the charging station. 

Remediation & Security Recommendations

However, for the affected devices, the security analysts have suggested specific guides. Apart from this, they have also suggested some general recommendations that we have discussed in the next sub-topic.

While all the devices that have reached the end of life must replace the charging station with the latest EVlink Parking and EVlink City product, as they are offering to determine this kind of issue.

The security analysts have mentioned some general security recommendations that can be applied in case of the link does work, and here they are mentioned below:-

  • At first, try to find control and safety system networks and then remote devices that are present behind firewalls.
  • One should install the physical controls.
  • Never leave the controllers in the “Program” mode and place them in locked cabinets.
  • Always connect the device to the preferred network.
  • Never allow mobile devices if they have connected to another network.
  • Try to minimize network vulnerability for all control systems.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.