Cybersecurity specialists reported the detection of two critical vulnerabilities in two models of home chargers for electric cars. According to the report, exploiting these flaws would allow attackers to turn these devices on or off arbitrarily, in addition to restricting access to their rightful owners.
While the flaws have already been corrected, it is necessary for the owners of these computers to install the necessary updates to fully mitigate the exploitation risk. The chargers affected by these failures, Wallbox and Project EV, were approved by the British Department of Transport and apparently lack the safety measures when used with the companion application. The flaws were reported by Vangelis Stykas of Pen Test Partners.
About the Wallbox device, the researcher mentions that it is possible to take full control of the system in order to block the legitimate user of this device, thus preventing them from being able to charge their electric vehicles. On the other hand, Project EV has a poor back-end implementation, plus a completely outdated authentication mechanism, so threat actors could get administrator permissions and change the firmware of these devices.
Stykas believes that any user with minimal knowledge about these systems could complete a successful attack: “It doesn’t really take many skills to detect these flaws and find a way to exploit them,” the expert says.
The expert also mentions that, in case the affected devices were connected to a home WiFi network, it would be possible for hackers to have access to the vulnerable network: “Once connected to the affected network, they could send malicious traffic to the target user,” the Pen Test Partner report mentions. In other words, hackers could set up malicious websites to steal users’ passwords and even access their online banking platforms, so this is a risk that should be seriously considered.
The cybersecurity firm was able to contact the manufacturers to confirm that the flaws have already been corrected. The cybersecurity community retested these implementations, confirming that the patches released work. All users of affected devices are requested to update as soon as possible in order to eliminate the possibilities of exploitation.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.