Charge your EV for free at your neighbor's: weak spots found in level 2 wallboxes
Security researchers found multiple vulnerabilities in three wallboxes for private homes. In the worst case, the charging station suffers irreparable damage.
- Uli Ries
Attackers can exploit several security vulnerabilities in wallboxes with comparatively little effort and, for example, steal electricity, warn Dutch security researchers from Computest Security.
According to them, the security of wallboxes is just as poor as in other parts of the IoT sector: as they explained in their presentation at Black Hat 2024 in Las Vegas, the exploit for the Autel Maxi Charger was written within a morning. The result: the researchers can execute arbitrary code on the charging station.
The reason for the short development time is a combination of two facts. First, the firmware contains buffer overflows that are comparatively easy to abuse. Second, it lacks protective mechanisms such as ASLR (address space layout randomization), which would otherwise make such memory corruption attacks harder to exploit reliably: without ASLR, every address the attacker needs is the same on every boot.
Reaching the target via buffer overflow
The Enel Juice Box 40, for example, has a buffer overflow in a logging function of the charging station; it is reachable over the Wi-Fi connection, and the lack of ASLR makes it straightforward to exploit. Because the GeckoOS real-time operating system on the device has reached the end of its service life, the manufacturer no longer provides updates, so these wallboxes remain vulnerable for good.
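To make the pattern behind this concrete, here is an added example (not code from the article, from Computest, or from any vendor's firmware) of a logging routine with an unbounded copy beside a bounded version. The buffer size, the record layout with a sentinel standing in for whatever follows the buffer on the stack, and the constructed 34-byte input are assumptions for illustration; the real firmware is not public. The example does not emulate ASLR itself; what its absence adds is that the addresses an overwrite like this one needs are identical on every boot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of one log line; the real firmware's value is not public. */
#define LOG_LINE_MAX 32

/*
 * Constructed log record. The sentinel sits directly after the fixed-size
 * buffer so that an overflow of `line` shows up as a changed sentinel. On the
 * real device the bytes after a stack buffer are other locals and, further
 * up, the saved return address.
 */
struct log_record {
    char     line[LOG_LINE_MAX];
    uint32_t sentinel;
};

#define SENTINEL_OK 0xA5A5A5A5u

/* Constructed attacker input: 34 bytes, two more than the buffer, so the copy
 * runs into the sentinel but stays inside the record for this demo. A real
 * exploit keeps going until it reaches the saved return address. */
static const char ATTACK_LINE[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAA";

/* Vulnerable pattern: strcpy()-style copy of an attacker-controlled string
 * (say, a field from a packet received over Wi-Fi) with no length check.
 * The copy is written through a pointer to the whole record so that the
 * overrun into the sentinel is well-defined for this demonstration; at the
 * machine level it is exactly what strcpy(rec->line, msg) does. */
void log_line_vulnerable(struct log_record *rec, const char *msg)
{
    char *dst = (char *)rec;          /* offset 0 of the record is rec->line */
    size_t i = 0;
    while (msg[i] != '\0') {          /* stops at NUL, never at the buffer end */
        dst[i] = msg[i];
        i++;
    }
    dst[i] = '\0';
}

/* Hardened version: reject anything that does not fit including its NUL,
 * then copy with an explicit bound. Returns 0 on success, -1 if rejected. */
int log_line_hardened(struct log_record *rec, const char *msg)
{
    const char *nul = memchr(msg, '\0', LOG_LINE_MAX);
    if (nul == NULL)                  /* no terminator within the buffer size */
        return -1;
    memcpy(rec->line, msg, (size_t)(nul - msg) + 1);
    return 0;
}

/* Runs one of the two routines on `msg` and reports whether the sentinel
 * survived. vulnerable != 0 selects log_line_vulnerable. */
int sentinel_intact_after(int vulnerable, const char *msg)
{
    struct log_record rec;
    memset(&rec, 0, sizeof rec);
    rec.sentinel = SENTINEL_OK;
    if (vulnerable)
        log_line_vulnerable(&rec, msg);
    else
        log_line_hardened(&rec, msg);
    return rec.sentinel == SENTINEL_OK;
}

int main(void)
{
    printf("vulnerable copy, 34-byte line: sentinel intact = %d\n",
           sentinel_intact_after(1, ATTACK_LINE));
    printf("hardened copy,   34-byte line: sentinel intact = %d\n",
           sentinel_intact_after(0, ATTACK_LINE));
    return 0;
}
```

The hardened routine rejects rather than truncates: silently cutting a log line is harmless here, but the same check applied to a parser would hide the fact that something oversized arrived, which is itself worth logging.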
To be able to reach the wallboxes over Wi-Fi at all, the researchers made use of a feature that is probably intended for troubleshooting and is also found in ChargePoint's Home Flex wallbox: if the Wi-Fi connection between the charging station and the router is lost for a certain period, the wallbox re-enables the Bluetooth module used for initial configuration. An attacker can trigger this by continuously sending Wi-Fi deauthentication frames to the charging station. Such frames are management frames that, unless the network uses protected management frames (802.11w), carry no authentication, so any radio within range can forge them and keep the wallbox off its network for as long as it likes.
In the case of the ChargePoint wallbox, which runs Linux, attackers reach their goal directly over Bluetooth: the software component that handles the initial connection to the owner's Wi-Fi network is vulnerable to command injection, allowing attackers to run their own commands on the device.
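Two of the building blocks above lend themselves to short demonstrations. The first is the deauthentication flood: what a Wi-Fi monitor near the wallbox would see is many forged management frames addressed to one station in a short time, which is easy to tell apart from a single genuine disconnect. The second is the command injection: a bug of this kind is usually a shell command assembled from the SSID and passphrase the app sends during provisioning. The following is an added example, written for this page and not taken from Computest's tooling or from any vendor's code. The frame layout follows the 802.11 management-frame header; the MAC addresses, timestamps, window and threshold, the wpa_passphrase command line, and the sample SSIDs are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* ---- Part 1: recognising a deauthentication flood ---- */

/* 802.11 MAC header is 24 bytes; deauth/disassoc frames add a 2-byte reason. */
#define DEAUTH_FRAME_LEN 26
#define FC_TYPE_MGMT        0
#define FC_SUBTYPE_DISASSOC 10
#define FC_SUBTYPE_DEAUTH   12

struct mgmt_frame {
    uint8_t  type, subtype;
    uint8_t  addr1[6];   /* receiver: the wallbox when it is being kicked off */
    uint16_t reason;
};

/* Returns 1 for a deauth/disassoc management frame, 0 for anything else. */
int parse_deauth_like(const uint8_t *buf, size_t len, struct mgmt_frame *out)
{
    if (len < DEAUTH_FRAME_LEN || (buf[0] & 0x03) != 0)   /* short, or version != 0 */
        return 0;
    out->type    = (buf[0] >> 2) & 0x03;
    out->subtype = (buf[0] >> 4) & 0x0F;
    if (out->type != FC_TYPE_MGMT ||
        (out->subtype != FC_SUBTYPE_DEAUTH && out->subtype != FC_SUBTYPE_DISASSOC))
        return 0;
    memcpy(out->addr1, buf + 4, 6);
    out->reason = (uint16_t)(buf[24] | (buf[25] << 8));
    return 1;
}

struct capture_rec { uint32_t ts_ms; const uint8_t *data; size_t len; };

/* Sliding-window detector over time-ordered frames. Returns the timestamp at
 * which `threshold` deauth/disassoc frames to `victim` fell within `window_ms`,
 * or -1. A real disconnect is one or two frames; a flood is tens per second. */
long detect_deauth_flood(const struct capture_rec *recs, size_t n,
                         const uint8_t victim[6], uint32_t window_ms, unsigned threshold)
{
    uint32_t hits[256];                  /* cap for this example only */
    size_t m = 0, start = 0;
    for (size_t i = 0; i < n && m < 256; i++) {
        struct mgmt_frame f;
        if (!parse_deauth_like(recs[i].data, recs[i].len, &f) || memcmp(f.addr1, victim, 6))
            continue;
        hits[m++] = recs[i].ts_ms;
        while (hits[m - 1] - hits[start] > window_ms)
            start++;
        if (m - start >= threshold)
            return (long)hits[m - 1];
    }
    return -1;
}

/* Constructed addresses (locally administered, not real devices). */
static const uint8_t WALLBOX_MAC[6] = {0x02, 0x00, 0x00, 0xAA, 0xBB, 0xCC};
static const uint8_t AP_MAC[6]      = {0x02, 0x00, 0x00, 0x11, 0x22, 0x33};

/* Builds a spoofed deauth frame "from the AP" to dst; returns its length. */
size_t build_deauth(uint8_t *buf, const uint8_t dst[6], const uint8_t bssid[6], uint16_t reason)
{
    memset(buf, 0, DEAUTH_FRAME_LEN);
    buf[0] = (FC_SUBTYPE_DEAUTH << 4) | (FC_TYPE_MGMT << 2);   /* 0xC0 */
    memcpy(buf + 4, dst, 6);
    memcpy(buf + 10, bssid, 6);          /* transmitter: trivially spoofed */
    memcpy(buf + 16, bssid, 6);          /* BSSID */
    buf[24] = (uint8_t)(reason & 0xFF);
    buf[25] = (uint8_t)(reason >> 8);
    return DEAUTH_FRAME_LEN;
}

/* Constructed capture: one ordinary disconnect at t=0, a beacon at t=100 that
 * the parser ignores, then 20 spoofed deauth frames 10 ms apart from t=5000.
 * Returns the verdict for a 1 s window and a threshold of 10 frames. */
long run_constructed_capture(void)
{
    static uint8_t frames[21][DEAUTH_FRAME_LEN], beacon[DEAUTH_FRAME_LEN];
    struct capture_rec recs[22];
    size_t n = 0;
    build_deauth(frames[0], WALLBOX_MAC, AP_MAC, 3);
    recs[n++] = (struct capture_rec){0, frames[0], DEAUTH_FRAME_LEN};
    memset(beacon, 0, sizeof beacon);
    beacon[0] = 0x80;                    /* management frame, subtype 8 = beacon */
    recs[n++] = (struct capture_rec){100, beacon, DEAUTH_FRAME_LEN};
    for (uint32_t i = 0; i < 20; i++) {
        build_deauth(frames[1 + i], WALLBOX_MAC, AP_MAC, 7);
        recs[n++] = (struct capture_rec){5000 + 10 * i, frames[1 + i], DEAUTH_FRAME_LEN};
    }
    return detect_deauth_flood(recs, n, WALLBOX_MAC, 1000, 10);
}

/* ---- Part 2: provisioning command injection, vulnerable and hardened ---- */

/* Vulnerable pattern: provisioning data received over Bluetooth is pasted into
 * a shell command line that the firmware then hands to system(). The single
 * quotes look protective, but a quote inside the SSID closes the argument and
 * the rest of the string is parsed by /bin/sh. Returns the length or -1. */
int build_wifi_cmd_vulnerable(char *cmd, size_t cmdsz, const char *ssid, const char *psk)
{
    int n = snprintf(cmd, cmdsz, "wpa_passphrase '%s' '%s' >> /etc/wpa_supplicant.conf",
                     ssid, psk);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : n;
}

/* Counts the commands /bin/sh would run for cmd, honouring single quotes only
 * (enough for this example; the real shell grammar is larger). */
int shell_command_count(const char *cmd)
{
    int count = 1, in_squote = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'')
            in_squote = !in_squote;
        else if (*p == ';' && !in_squote)
            count++;
    }
    return count;
}

/* Builds the vulnerable command and reports how many commands the shell would
 * see; 1 means no injection. Returns -1 if the command did not fit. */
int commands_seen_by_shell(const char *ssid, const char *psk)
{
    char cmd[256];
    if (build_wifi_cmd_vulnerable(cmd, sizeof cmd, ssid, psk) < 0)
        return -1;
    return shell_command_count(cmd);
}

/* Hardened side. Stripping metacharacters is the wrong fix: a legitimate SSID
 * may contain quotes or semicolons. Check only what the protocol requires
 * (SSID 1..32 octets, WPA2 passphrase 8..63 printable ASCII) and pass each
 * value as its own argv element so that no shell ever parses it. */
int build_wifi_argv(char *argv[4], const char *ssid, const char *psk)
{
    size_t slen = strlen(ssid), plen = strlen(psk);
    if (slen == 0 || slen > 32 || plen < 8 || plen > 63)
        return -1;
    for (size_t i = 0; i < plen; i++)
        if (psk[i] < 0x20 || psk[i] > 0x7E)
            return -1;
    argv[0] = "wpa_passphrase";
    argv[1] = (char *)ssid;              /* verbatim: execvp() never interprets it */
    argv[2] = (char *)psk;
    argv[3] = NULL;
    return 0;
}

/* Runs wpa_passphrase via execvp(); output handling omitted. Returns the
 * child's exit status or -1. Not exercised by the checks below. */
int run_wpa_passphrase(const char *ssid, const char *psk)
{
    char *argv[4];
    if (build_wifi_argv(argv, ssid, psk) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    return (waitpid(pid, &status, 0) >= 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *evil = "'; reboot; echo '";
    printf("deauth flood detected at t=%ld ms\n", run_constructed_capture());
    printf("shell sees %d command(s) for SSID %s\n",
           commands_seen_by_shell(evil, "S3cretPassphrase"), evil);
    return 0;
}
```

The detector only sees frames; it cannot tell whether the network would have rejected them. Enabling 802.11w on both the router and the wallbox is what stops the forged frames from working, and a device that falls back to open Bluetooth provisioning on any loss of connectivity should require a physical action (a button press) before doing so. On the injection side, the hardened path accepts the hostile SSID unchanged because, handed to execvp() as its own argument, it is just a string of sixteen characters.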
What are the consequences?
When asked about the possible consequences of a successful attack in the wild, the researchers first of all mention hardware damage: if an attacker disables the temperature monitoring in the firmware, for example, the wallbox can suffer irreparable heat damage.
With the Autel Maxi Charger, free charging is also possible. The device can be shared with other users, for example neighbors without a wallbox of their own, and the owner is then reimbursed by the provider for the electricity used. The billing function apparently runs only locally on the charging station and can therefore be bypassed with a firmware hack.
Last but not least, attackers can also misuse a wallbox they control as a springboard into the owner's internal network or enlist it in an IoT botnet. It is not yet known whether and when the vulnerabilities will be fixed.
(emw)