"New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking"

Schneider Electric has released patches for flaws found in its EVlink electric vehicle charging stations. The security vulnerabilities affect EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2, and EVP2PE), and Smart Wallbox (EVB1A) devices, as well as some end-of-life (EOL) products. Tony Nasr is the researcher credited with discovering the seven vulnerabilities in these charging stations. They include cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs, which attackers could exploit to perform actions on behalf of a legitimate user. The security holes also include a weakness that can be used to gain access to the web interface of a charging station through brute-force attacks. Another of the flaws, given a CVSS score of 9.3, is a server-side request forgery (SSRF) vulnerability. According to Schneider Electric, failure to patch or mitigate these flaws could result in the charging stations' settings and accounts being altered and compromised. Tampering with these elements could lead to denial-of-service (DoS) attacks, resulting in unauthorized use of the charging station, service interruptions, and more. Exploiting Internet-connected charging stations does not require the attacker to have access to the Local Area Network (LAN). The adversary would scan the Internet for viable electric vehicle charging stations before trying to take advantage of their security flaws. However, if the charging station cannot be accessed via the Internet, the adversary is assumed to have access to the LAN through Wi-Fi network password cracking or other malicious activity. This article continues to discuss the new flaws putting electric vehicle charging stations at risk of remote hacking.

Security Week reports "New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking"

Submitted by Anonymous on