Researchers Hacked Car EV Chargers To Execute Arbitrary Code

Researchers discovered flaws in the Autel MaxiCharger EV charger that make it potential to execute arbitrary code on the device by just placing it within Bluetooth range.

The vulnerabilities tracked as CVE-2024-23958, CVE-2024-23959, and CVE-2024-23967 were identified during Pwn2Own Automotive 2024 in Tokyo.

The Autel MaxiCharger has significantly the most extensive hardware feature set, including the ability for consumers to pick which Open Charge Point Protocol (OCPP) URL the charger will connect to.

Users can even configure a charger to function as a public charger, which entitles the owner to reimbursement for energy used and allows the charger to take any kind of RFID charging card.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Vulnerabilities Identified

Bluetooth Low Energy(BLE) Authentication (CVE-2024-23958)

The vulnerability, which has a CVSS base score of 6.5, enables attackers nearby the network to bypass authentication on Autel MaxiCharger AC Elite Business C50 charging station installations that are impacted.

To take advantage of this vulnerability, authentication is not necessary.

The issue stems from the BLE AppAuthenRequest command handler. If the handler receives an unsuccessful authentication request, it will fall back on hardcoded credentials.

This vulnerability allows an attacker to bypass the system’s authentication process.

The issue was reported by Synacktiv and the team during Pwn2Own Automotive 2024.

Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVE-2024-23959)

With a CVSS base score of 8.0, this vulnerability allows network-adjacent attackers to run arbitrary code on vulnerable Autel MaxiCharger AC Elite Business C50 charging stations.

This vulnerability requires authentication, but it is possible to bypass the current authentication system.

There is a particular issue in the way the AppChargingControl BLE command is handled.

The problem arises from the user-supplied data not being properly validated for length before being copied to a fixed-length stack-based buffer.

The issue was reported by Synacktiv and the team during Pwn2Own Automotive 2024

Buffer Overflow Remote Code Execution Vulnerability (CVE-2024-23967)

This vulnerability, which has a CVSS base score of 8.0, enables attackers remotely to run arbitrary code on Autel MaxiCharger AC Elite Business C50 charger installations that are impacted.

The vulnerability specifically relates to how base64-encoded data is handled in WebSocket communications.

The problem arises from the user-supplied data not being properly validated for length before being copied to a fixed-length stack-based buffer.

This vulnerability can be used by an attacker to run code within the context of the device.

The issue was reported by Daan Keuper, Thijs Alkemade, and Khaled Nassar of Computest Sector 7.

Patch Released

Version 1.35.00 fixes the vulnerabilities. According to the ZDI advisory, bounds checks were added to prevent buffer overflows, and the backdoor authentication token has been removed.

Hence, these issues emphasize the significance of adhering to industry standards strictly and practicing secure code, among other recommended practices.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar