Three different vulnerabilities in the Schneider Electric EVlink Parking electric vehicle charging station, which could have allowed an attacker to halt the charging process, have been patched, according to Positive Technologies.
Researchers discovered the vulnerabilities, CVE-2018-7800, CVE-2018-7801 and CVE-2018-7802, in charging stations used at parking environments in several countries, including at offices, hotels, supermarkets, fleets and municipals. The vulnerabilities reportedly affect EVLink Parking v3.2.0-12_v1 and earlier.
“Schneider Electric products are widely used in countries all over the world where the electric vehicle industry is developing. Exploitation of these vulnerabilities may lead to serious consequences,” says Paolo Emiliani, industry and SCADA research analyst at Positive Technologies said in a press release. “Attackers can actually block electric car charging and cause serious damage to the energy industry.”
According to today's news post, if exploited, the vulnerabilities would enable cyber-criminals to stop the charging process for vehicles plugged into the affected stations, as well as unlock and steal the charging cables.
Specifically, CVE-2018-7800 and CVE-2018-7802 gave attackers privileged access to the charging station so that a hacker could “stop the charging process, switch the device to the reservation mode, which would render it inaccessible to any customer until reservation mode is turned off, and even unlock the cable during the charging by manipulating the socket locking hatch, meaning attackers could walk away with the cable.”
In addition, exploitation of the second vulnerability enabled access to the web-interface, where an attacker could directly manage the operating system and make changes to files and configurations or add new users or back doors.
Schneider stated that customers can set up a firewall to block remote/external access except by authorized users as a risk mitigation strategy and recommended several cybersecurity best practices, including locating control and safety system networks and remote devices behind firewalls, and keeping those isolated from the business network.
“Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices,” the security notification stated.