Cyber Security News

Researchers Hacked Car EV Chargers To Execute Arbitrary Code

Researchers discovered flaws in the Autel MaxiCharger EV charger that make it potential to execute arbitrary code on the device by just placing it within Bluetooth range.

The vulnerabilities tracked as CVE-2024-23958, CVE-2024-23959, and CVE-2024-23967 were identified during Pwn2Own Automotive 2024 in Tokyo.

The Autel MaxiCharger has significantly the most extensive hardware feature set, including the ability for consumers to pick which Open Charge Point Protocol (OCPP) URL the charger will connect to.

Users can even configure a charger to function as a public charger, which entitles the owner to reimbursement for energy used and allows the charger to take any kind of RFID charging card.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Vulnerabilities Identified

Bluetooth Low Energy(BLE) Authentication (CVE-2024-23958)

The vulnerability, which has a CVSS base score of 6.5, enables attackers nearby the network to bypass authentication on Autel MaxiCharger AC Elite Business C50 charging station installations that are impacted.

To take advantage of this vulnerability, authentication is not necessary.

The issue stems from the BLE AppAuthenRequest command handler. If the handler receives an unsuccessful authentication request, it will fall back on hardcoded credentials.

This vulnerability allows an attacker to bypass the system’s authentication process.

The issue was reported by Synacktiv and the team during Pwn2Own Automotive 2024.

Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVE-2024-23959)

With a CVSS base score of 8.0, this vulnerability allows network-adjacent attackers to run arbitrary code on vulnerable Autel MaxiCharger AC Elite Business C50 charging stations.

This vulnerability requires authentication, but it is possible to bypass the current authentication system.

There is a particular issue in the way the AppChargingControl BLE command is handled.

The problem arises from the user-supplied data not being properly validated for length before being copied to a fixed-length stack-based buffer.

The issue was reported by Synacktiv and the team during Pwn2Own Automotive 2024

Buffer Overflow Remote Code Execution Vulnerability (CVE-2024-23967)

This vulnerability, which has a CVSS base score of 8.0, enables attackers remotely to run arbitrary code on Autel MaxiCharger AC Elite Business C50 charger installations that are impacted.

The vulnerability specifically relates to how base64-encoded data is handled in WebSocket communications.

The problem arises from the user-supplied data not being properly validated for length before being copied to a fixed-length stack-based buffer.

This vulnerability can be used by an attacker to run code within the context of the device.

The issue was reported by Daan Keuper, Thijs Alkemade, and Khaled Nassar of Computest Sector 7.

Patch Released

Version 1.35.00 fixes the vulnerabilities. According to the ZDI advisory, bounds checks were added to prevent buffer overflows, and the backdoor authentication token has been removed.

Hence, these issues emphasize the significance of adhering to industry standards strictly and practicing secure code, among other recommended practices.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago