Schneider Electric has patched critical security vulnerabilities in its EVlink electric vehicle charging stations that could have led to denial-of-service (DoS) attacks. A total of 13 vulnerabilities were disclosed: three are rated critical, eight ‘high severity’ and the remaining two ‘medium severity’.
City, Parking, and Smart Wallbox are the three EVlink product ranges affected by the vulnerabilities. EVlink charging stations are installed in public car parks, on private properties and in other places, mainly for on-street charging.
Affected EVlink owners who do not update their firmware risk unauthorised access to the web server of the charging stations, which may lead to manipulation and tampering of settings and user accounts, as Schneider Electric warned in its security report.
If the charging stations are connected to the internet, the risk to owners increases, as the vulnerabilities could then be exploited remotely as well.
Moreover, security researcher Stefan Viehböck, who was involved in finding two of the disclosed vulnerabilities, warned that “some affected chargers [are] directly accessible from the internet based on Shodan/Censys searches”. As noted, even if a charging station is not exposed to the internet, it could still be exploited by an attacker who has physical access to its internal communication port. This points to the increased risk that charging station owners face if they are unable to apply the firmware update.
The vulnerabilities affect firmware version R7 and have been patched in firmware version R8, which was issued on July 13.
In conclusion, Schneider Electric needs to conduct a detailed security audit of its entire product range, as other similar vulnerabilities may exist in its product line that could affect far more people and cause greater damage than this time.