Flaws in Schneider EV Chargers Could Allow Hackers to Take Control

Security vulnerabilities in some electric vehicle charging stations could make it hard for some drivers to get around if hackers used them to take over the devices.
Schneider Electric issued a security notification on December 18 about three vulnerabilities related to its EVlink Parking charging devices. One could allow an intruder to gain “maximum privileges,” the notice said. Schneider told customers to download a fix for the problems.
The security firm Positive Technologies said its experts detected the vulnerabilities. By taking advantage of the bugs, attackers could stop the devices from charging vehicles, make the stations unavailable or change the web interface, Positive noted in a statement on January 14.
The EVlink Parking charging station has been deployed in several countries in locations such as offices, hotels, supermarkets and fleet operations centers, the security company noted.
Other security holes in charging stations have been reported. Last year, Kaspersky Lab announced it had identified problems with both home chargers and public stations.
As the number of EVs on the road grows, along with networks of charging stations, charging stations may become more attractive targets for hackers, and cyber attacks against them might affect more consumers and businesses. Worldwide sales of new plug-in electric vehicles surpassed 1 million per year in 2017, while rising at a rate that could increase that volume to 4.5 million by 2020, the McKinsey consulting firm noted last year. That would take EVs from 1.3% of new sales in 2017 to about 5%.
Schneider ranked the most serious of the problems in the EVlink (CVE-2018-7800) as Critical. By using it, hackers could stop the charging process or switch the charger to reservation mode, which would prevent any customer from using it until that mode was turned off, Positive Technologies said. The flaw would also allow attackers to unlock the cable during the charging process by manipulating the socket locking hatch, allowing them to walk away with the cable.
In its notice, Schneider called this a “hard-coded credentials capability.” This type of security hole often involves default administrator credentials that may be discovered and publicized, leading to a danger of widespread attacks against the systems.
A code injection vulnerability in the EVlink, labeled as CVE-2018-7801, has a risk ranking of High. It could let hackers gain access to the system with maximum privileges and execute arbitrary commands.
The third flaw, CVE-2018-7802, rated Medium, is an SQL injection vulnerability that could allow hackers to bypass authorization and get access to the web interface with maximum privileges.
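The SQL injection class of flaw described for CVE-2018-7802 (authorization bypass through a web-interface login) is easiest to understand next to its fix. The following Python snippet is an added illustration and is not code from Schneider, Positive Technologies or the EVlink product; the user table, credentials and login functions are constructed for the example. It builds the same login query twice, once by string concatenation and once with bound parameters, and shows that only the concatenated version lets a crafted username skip the password check.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a charger's web login backend.
    Passwords are stored in plaintext only to keep the demo short; a real system
    stores salted hashes and compares against those."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret-admin', 'admin')")
    conn.execute("INSERT INTO users VALUES ('operator', 'op-pass', 'operator')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting, so attacker-controlled text
    becomes part of the SQL statement itself (the defect behind an auth bypass)."""
    query = (
        "SELECT role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterized query: input is bound as data and never parsed as SQL,
    so quote characters and comment markers in the input have no effect."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Legitimate login works the same way through both functions.
    print("valid, vulnerable :", login_vulnerable(db, "operator", "op-pass"))
    print("valid, hardened   :", login_hardened(db, "operator", "op-pass"))
    # Crafted username with a trailing SQL comment: the concatenated query
    # drops its password clause, the parameterized one simply finds no user.
    crafted = "admin' --"
    print("crafted, vulnerable:", login_vulnerable(db, crafted, "wrong"))
    print("crafted, hardened  :", login_hardened(db, crafted, "wrong"))
```

The defender's takeaway is the second function: every place a web interface turns user input into a query should bind values as parameters, and a code review of a login handler that finds `%`, `+` or f-string formatting around SQL text is the quickest way to spot the vulnerable pattern before an auditor does.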
Operators of charging networks are quickly deploying fast-charging stations to keep up with the growth of EVs and make the vehicles more attractive to consumers. Tesla claims it has 1,422 charging stations in North America. Volkswagen’s Electrify America subsidiary, formed as part of the company’s settlement of smog-test cheating allegations, says it works with two other networks to offer about 12,500 chargers in the US. The EVgo network, which has announced cooperation with automakers including General Motors and Nissan, claims to be the largest public fast-charging network in the US, with more than 700 stations.
Recently, anti-EV protesters have reportedly blocked access to chargers by deliberately parking their ICE (internal combustion engine) vehicles in front of them, a practice called “ICEing.” A more common situation is when drivers of conventional cars park in charging spaces accidentally. Tesla reportedly has started to install blocking devices in China to prevent cars from parking in front of its chargers.
Stephen Lawson is a freelance writer based in San Francisco. Follow him on Twitter @sdlawsonmedia.