Aviation Analysis – Industry Travel News
    Charge your electric car for free from your neighbor: Weaknesses in level 2 wall boxes discovered

    By Theodore Meeks, August 8, 2024

    With relatively little effort, attackers can target many vulnerabilities in wall boxes and, for example, illegally draw electricity. Dutch security researchers from Computest Security warn of this.


    According to them, the security of wall boxes is just as bad as in other parts of the IoT sector: as they explained during their presentation at Black Hat 2024 in Las Vegas, the exploit for the Autel MaxiCharger was written within a single morning. The result: the researchers were able to execute arbitrary code on the charging station.

    The short development time comes down to a combination of two facts: on the one hand, the firmware contains buffer overflows that are relatively easy to abuse. On the other hand, protection mechanisms such as ASLR (address space layout randomization), which make such memory-error attacks harder, are missing.

    Reaching the target via buffer overflow

    For example, due to the lack of ASLR, the Enel JuiceBox 40 is vulnerable to a buffer overflow in the charging station's logging function that can be exploited via a Wi-Fi connection. Since the GeckoOS operating system installed on the device has already reached the end of its life, the manufacturer no longer provides updates. These wall boxes therefore remain vulnerable permanently.
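The bug class described above, seen from the fixing side: a bounded log formatter that truncates visibly instead of writing past its buffer. This is an added sketch, not code from the JuiceBox firmware or from the researchers; `log_format` and `LOG_LINE_MAX` are assumed names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 128  /* assumed size of a firmware log line buffer */

/* Unsafe pattern, for contrast only (not compiled):
 *     char line[LOG_LINE_MAX];
 *     vsprintf(line, fmt, ap);   // writes past line[] on long input
 */

/* Format one log line into out[cap].
 * - never writes past out[cap - 1] and always NUL-terminates
 * - replaces control bytes so remote input cannot forge extra log lines
 * - marks truncated lines with "..." instead of overflowing
 * Returns 0 if the message fit, 1 if it was truncated, -1 on bad arguments. */
int log_format(char *out, size_t cap, const char *fmt, ...) {
    if (!out || !fmt || cap < 4)
        return -1;

    va_list ap;
    va_start(ap, fmt);
    int need = vsnprintf(out, cap, fmt, ap);  /* length the full text needs */
    va_end(ap);
    if (need < 0) {
        out[0] = '\0';
        return -1;
    }

    for (char *p = out; *p; p++)
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            *p = '?';

    if ((size_t)need >= cap) {
        memcpy(out + cap - 4, "...", 4);  /* three dots plus the NUL */
        return 1;
    }
    return 0;
}
```
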

    To connect to the wallboxes via Wi-Fi, the security researchers take advantage of a feature that is probably intended for troubleshooting and that the Home Flex wallbox from ChargePoint also has: if the Wi-Fi connection between the charging station and the Wi-Fi router is lost for a certain period, the wallboxes reactivate the Bluetooth module used for initial configuration. This can be triggered by continuously sending deauthentication packets to the charging station.

    In the case of the Linux-based ChargePoint wallbox, the attackers reach their target directly via Bluetooth, among other routes: the software component responsible for the initial connection to the owner's WLAN is vulnerable to command injection, allowing the attackers to inject their own code.
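How a provisioning component can hand Wi-Fi credentials to a helper without a shell ever parsing them, as an added sketch that is not ChargePoint's code. The helper path `/usr/sbin/wifi-join`, its options and all function names are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SSID_MAX 32  /* IEEE 802.11 SSID length limit in octets */
#define PSK_MIN  8   /* WPA2 passphrase: 8 to 63 printable ASCII characters */
#define PSK_MAX  63

/* Accept only printable ASCII within [min, max] bytes. For SSIDs this is
 * stricter than 802.11 requires; a deliberate choice for this sketch. */
static int printable_in_range(const char *s, size_t min, size_t max) {
    size_t n = strlen(s);
    if (n < min || n > max) return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)s[i] < 0x20 || (unsigned char)s[i] > 0x7e) return 0;
    return 1;
}

/* Fill argv for the hypothetical helper. Each value is its own argv
 * element, so characters such as ';' or '$' stay literal data.
 * Returns argc, or -1 if validation fails. argv needs room for 6 entries. */
int build_join_argv(const char *ssid, const char *psk, const char *argv[]) {
    if (!printable_in_range(ssid, 1, SSID_MAX)) return -1;
    if (!printable_in_range(psk, PSK_MIN, PSK_MAX)) return -1;
    argv[0] = "/usr/sbin/wifi-join";  /* assumed helper path */
    argv[1] = "--ssid"; argv[2] = ssid;
    argv[3] = "--psk";  argv[4] = psk;
    argv[5] = NULL;
    return 5;
}

/* Run argv directly with execv(), never via system() or "sh -c".
 * Returns the helper's exit status, or -1 on failure. */
int run_argv(const char *argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);  /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}
```

Arguments are visible in the process list, so on a system with other local users the passphrase is better passed over stdin or a file descriptor.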

    What are the possible consequences?

    Asked about the potential consequences of a successful hack in the wild, the security researchers first mentioned hardware damage: if an attacker turned off the temperature control in the firmware, the wall box could suffer irreparable thermal damage.

    In the case of the Autel MaxiCharger, free charging is also possible. The device can be used by different users – for example neighbors who do not have their own receiver. The owner is then reimbursed by the provider for the electricity used. The billing function seems to work only locally at the charging station and can be disabled using a firmware hack.

    Last but not least, attackers could also misuse the wallbox they control as a stepping stone to the owner’s internal network or integrate it into an IoT botnet. It is currently unknown if and when the vulnerabilities will be closed.

