Researchers Win $70K for Reporting Zero-Day Flaws in EV Chargers

Zero-day Flaws Exposed EV Chargers to Shutdowns and Data Theft

NCC Group experts share details of how they exploited critical zero-day vulnerabilities in Phoenix Contact electric vehicle (EV) chargers at 44CON, demonstrating the cybersecurity risks. Discover the technical details and consequences of the flaws.

A recent presentation by McCaulay Hudson and Alex Plaskett from NCC Group at the 44CON conference in London, England revealed critical security risks within electric vehicle (EV) charging infrastructure.

The researchers, who won $70,000 for hacking the Phoenix Contact CHARX SEC-3100 EV charger controller, have now provided details of exploiting multiple zero-day vulnerabilities to gain full control of the device. 

For your information, the vulnerabilities were discovered at the Pwn2Own Automotive 2024 event, a three-day contest organized by Trend Micro’s Zero Day Initiative, held earlier this year and reported by Hackread.com.

The CERT/VDE advisory VDE-2024-022 identified two vulnerabilities in Phoenix Contact CHARX SEC-3xxx charge controllers. One, a High severity vulnerability (CVE-2024-6788, CVSS score 8.6), allowed unauthorized access before the firewall was fully initialized, potentially disrupting the EV charger’s operation or exposing sensitive data.

The second is a Medium severity vulnerability (CVE-2024-3913, CVSS score 7.5), allowing an attacker to reset the user-app account password, potentially granting elevated privileges to limited users. Despite its lower severity rating, the second vulnerability could still allow an attacker to gain unauthorized access and disrupt the device’s operation.

At 44CON, Plaskett and Hudson gave the first public account (PDF) of how they successfully exploited the vulnerabilities in the EV charger controller.

As per their findings (PDF), after a firmware update, the device reset the password for a pre-defined user account (“user-app”) to its default value (“user”), allowing them to gain initial access via SSH. By running a DHCP server, they could trick the device into switching from server mode to client mode, exposing additional attack vectors, uploading malicious scripts, and manipulating configuration settings. 
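The DHCP step in that chain is the one a network defender can watch for directly: an EV charger that is supposed to act as a DHCP server on its own segment should never be seeing DHCP offers from anyone else. As an added illustration (example code written for this article, not NCC Group's or Phoenix Contact's code, with the addresses, transaction id and allowlist all constructed), the Python below builds a few sample DHCP reply packets, parses their option fields, and flags any OFFER or ACK whose Server Identifier option is not the one authorized DHCP server, which is exactly what a rogue server like the one the researchers ran would produce.

```python
import struct
import ipaddress

# BOOTP/DHCP constants (RFC 2131 / RFC 2132)
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_DISCOVER, MSG_OFFER, MSG_ACK = 1, 2, 5

# Constructed allowlist: the only DHCP server that should ever answer
# on the charger's management segment (an assumption for this example).
AUTHORIZED_SERVERS = {"10.0.0.1"}


def build_dhcp_reply(msg_type, server_ip, yiaddr, xid=0x3903F326):
    """Construct a minimal DHCP reply. Used here only to create sample input."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                      # op=BOOTREPLY, Ethernet hw addr
        b"\x00" * 4,                                # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,       # yiaddr (offered address)
        ipaddress.IPv4Address(server_ip).packed,    # siaddr
        b"\x00" * 4,                                # giaddr
        b"\x00" * 16, b"\x00" * 64, b"\x00" * 128,  # chaddr, sname, file
    )
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
               + ipaddress.IPv4Address(server_ip).packed
               + bytes([OPT_END]))
    return fixed + DHCP_MAGIC + options


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value}, rejecting malformed or truncated framing."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option length exceeds packet")
        opts[code] = value
        i += 2 + length
    return opts


def is_malformed(packet: bytes) -> bool:
    """True when the packet cannot be parsed as DHCP (a signal worth logging too)."""
    try:
        parse_dhcp_options(packet)
        return False
    except ValueError:
        return True


def classify_dhcp_reply(packet: bytes, authorized=AUTHORIZED_SERVERS) -> dict:
    """Flag OFFER/ACK replies whose Server Identifier is not an authorized server."""
    opts = parse_dhcp_options(packet)
    mt = opts.get(OPT_MSG_TYPE, b"")
    msg_type = mt[0] if mt else None
    if msg_type not in (MSG_OFFER, MSG_ACK):
        # Client-originated messages (DISCOVER/REQUEST) are not what we are hunting.
        return {"msg_type": msg_type, "server_id": None, "verdict": "ignore"}
    sid = opts.get(OPT_SERVER_ID)
    server_ip = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else None
    verdict = "authorized" if server_ip in authorized else "ROGUE"
    return {"msg_type": msg_type, "server_id": server_ip, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate offer, one from an unexpected host.
    samples = [
        build_dhcp_reply(MSG_OFFER, "10.0.0.1", "10.0.0.50"),
        build_dhcp_reply(MSG_OFFER, "10.0.0.99", "10.0.0.50"),
        build_dhcp_reply(MSG_DISCOVER, "0.0.0.0", "0.0.0.0"),
    ]
    for pkt in samples:
        print(classify_dhcp_reply(pkt))
```

In a deployment the packets would come from a capture on the charger's management VLAN rather than from `build_dhcp_reply`; the parser deliberately rejects truncated option fields instead of silently reading past them, since malformed DHCP on that segment is itself worth an alert.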

The researchers chained together multiple seemingly low-risk vulnerabilities to escalate their impact and achieve code execution on the charger controller. Both vulnerabilities led to remote code execution, granting them complete control over the charger.

The compromised chargers have the potential for widespread attacks in real-world deployments, researchers noted. Attackers could exploit the flaws to shut down entire charging stations or launch ransomware attacks.

Moreover, attackers can deface charger displays, steal data from connected vehicles, integrate them into botnets for coordinated attacks, disrupt charging services through DoS attacks, and manipulate charging processes to steal electricity or commit payment fraud, researchers noted. 

Thankfully, the vulnerabilities have since been patched. However, the researchers emphasize the need for EV charging infrastructure manufacturers and operators to prioritize security, as the number of charging stations is expected to rise, necessitating robust protection.
