Researchers Hacked EV Car Chargers To Execute Arbitrary Code


EVs face significant cyber risks due to their reliance on interconnected systems and the increasing number of public charging stations, which often lack robust security measures. 

Vulnerabilities in EV software and charging infrastructure can expose vehicles to malware, unauthorized access, and potential control by hackers.


During Pwn2Own Automotive 2024 in Tokyo, cybersecurity researchers hacked EV car chargers to execute arbitrary code.


Researchers Hacked EV Car Chargers

At the Pwn2Own Automotive 2024 event, researchers exploited three EV chargers:

  • Autel MaxiCharger (MAXI US AC W12-L-4G)
  • ChargePoint Home Flex
  • JuiceBox 40 Smart EV Charging Station 

Focusing on the Autel MaxiCharger, they executed arbitrary code over Bluetooth, which led to the disclosure of CVE-2024-23958, CVE-2024-23959, and CVE-2024-23967.

The features of the charger include WiFi, Ethernet, Bluetooth, 4G LTE, RFID, LCD touchscreen, RS485, and a USB-C port.

Its hardware contained a GigaDevices GD32F407 Charge Control Module (ECC), ESP32-WROOM-32D for WiFi & Bluetooth, STM32F407ZGT6 Power Control Module (ECP), Quectel EC25-AFX for 4G LTE, and an unidentified LCD controller. 

To acquire the firmware, the researchers decoded the obfuscated download URLs, which relied on base64 encoding and character substitution.

The firmware components were hosted at Amazon S3 URLs, and the update process involved BLE communication between the mobile app and the charger.

The researchers then bypassed the version checks by manipulating the reported version numbers, which allowed them to retrieve the current firmware files for analysis.

Researchers reverse-engineered the Autel MaxiCharger’s firmware, decrypting obfuscated files using a 256-byte XOR key combined with addition or subtraction. 

They discovered three critical vulnerabilities:

  • CVE-2024-23958: a Bluetooth Low Energy (BLE) authentication bypass that exploits a hardcoded 6-digit token and SHA256 hashing.
  • CVE-2024-23959: a stack buffer overflow in the BLE opcode 3, subcode 0 handler (60-byte buffer).
  • CVE-2024-23967: a stack buffer overflow in the handling of base64-decoded JSON data in ACMP (Autel Cloud Management Protocol) (1024-byte buffer).
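As an added illustration (not the researchers' or Autel's code), the following C program models the bounds check whose absence produces the two stack overflows above and which Autel's later firmware fix introduced. The 60-byte and 1024-byte buffer sizes are the ones reported here; the frame layout, function names, return codes and sample frames are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not Autel's code: the buffer sizes (60 bytes for the
 * BLE opcode 3 / subcode 0 handler, 1024 bytes for the ACMP JSON sink)
 * are the ones the write-up reports; the frame layout, function names and
 * return codes are assumptions. */
#define BLE_SUBCMD_BUF  60
#define ACMP_JSON_BUF   1024

/* Constructed BLE frame layout: opcode, subcode, claimed payload length,
 * then payload bytes. */
enum { HDR_LEN = 3 };

/* Copy a peer-supplied payload into a fixed-size buffer only if it fits.
 * Returns bytes copied, -1 when the claimed length exceeds the buffer
 * (the overflow case), or -2 when it exceeds the bytes actually received
 * (the over-read case). This is the bounds check whose absence makes a
 * stack overflow possible. */
static int bounded_copy(uint8_t *dst, size_t cap, const uint8_t *src,
                        size_t claimed, size_t available) {
    if (claimed > cap)       return -1;
    if (claimed > available) return -2;
    memcpy(dst, src, claimed);
    return (int)claimed;
}

/* Hardened handler for opcode 3 / subcode 0: the length byte sent by the
 * peer is validated before anything is copied onto the stack. */
int handle_ble_frame(const uint8_t *pkt, size_t pktlen) {
    uint8_t buf[BLE_SUBCMD_BUF];
    if (pktlen < HDR_LEN)           return -3;   /* no complete header */
    if (pkt[0] != 3 || pkt[1] != 0) return -4;   /* not this handler */
    size_t claimed = pkt[2];
    return bounded_copy(buf, sizeof buf, pkt + HDR_LEN, claimed,
                        pktlen - HDR_LEN);
}

/* Same check applied to a decoded ACMP JSON body, where the decoder's
 * output length (not the wire length) is the value that must be bounded. */
int handle_acmp_json(const uint8_t *decoded, size_t decoded_len) {
    uint8_t buf[ACMP_JSON_BUF];
    return bounded_copy(buf, sizeof buf, decoded, decoded_len, decoded_len);
}

/* Constructed sample frames (not captured traffic). */
static size_t make_frame(uint8_t *out, uint8_t claimed, size_t actual) {
    out[0] = 3; out[1] = 0; out[2] = claimed;
    memset(out + HDR_LEN, 0x41, actual);
    return HDR_LEN + actual;
}

int sample_valid(void) {          /* claims 8, carries 8: accepted */
    uint8_t pkt[HDR_LEN + 8];
    size_t n = make_frame(pkt, 8, 8);
    return handle_ble_frame(pkt, n);
}

int sample_oversized(void) {      /* claims 200, carries 200: exceeds 60 */
    uint8_t pkt[HDR_LEN + 200];
    size_t n = make_frame(pkt, 200, 200);
    return handle_ble_frame(pkt, n);
}

int sample_truncated(void) {      /* claims 50, carries 10: over-read */
    uint8_t pkt[HDR_LEN + 10];
    size_t n = make_frame(pkt, 50, 10);
    return handle_ble_frame(pkt, n);
}

int sample_acmp_too_large(void) { /* 1500 decoded bytes into a 1024 buffer */
    static uint8_t decoded[1500];
    memset(decoded, '{', sizeof decoded);
    return handle_acmp_json(decoded, sizeof decoded);
}

int main(void) {
    printf("valid=%d oversized=%d truncated=%d acmp=%d\n",
           sample_valid(), sample_oversized(), sample_truncated(),
           sample_acmp_too_large());
    return 0;
}
```

The point of `bounded_copy` taking both the claimed and the available length is that an attacker controls the length byte independently of how many bytes actually arrived, so a handler has to reject both the "too big for the buffer" and the "bigger than what was received" cases; the ACMP path shows the same check applied after decoding, where the decoded size rather than the wire size is what matters.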

The exploits achieved arbitrary code execution, overcoming practical obstacles such as UART debugging and the RTOS task scheduling.

The vulnerabilities were in the main controller; the ESP32 chip, which handled BLE, was found to be running ESP-AT firmware.

The overall impact includes potential manipulation of charging parameters, energy misreporting for public charging via RFID cards, and network pivoting.

In the absence of ASLR, DEP, and stack cookies, the researchers used Return-Oriented Programming (ROP).

The vulnerabilities affected OCPP (Open Charge Point Protocol) and ACMP connections. 

Autel addressed these issues in firmware v1.35.00 by implementing bounds checks and removing the backdoor token; the findings highlight significant security concerns in EV charging infrastructure.
