Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
EVLink is an electric car charging station provided by Schneider Electric.
The first vulnerability is an authentication bypass in the admin web interface: the interface accepts a hardcoded HTTP cookie value. Reviewing the source code shows that this path was intended for local authentication by the "evse" service running on the device, but the web interface honours the cookie from any client, so anyone who knows the value is admin. The hardcoded token is b35fcdc1ea1221e6dd126e172a0131c5a, paired with the username admin.
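To show why a token meant for a local service must not be accepted as an ordinary web cookie, here is an added example (not code from the write-up or from Schneider Electric) that puts the vulnerable check beside a hardened one. The cookie name, the token string and the peer addresses are all assumptions; the hardened variant uses a per-boot random token that a local service would read from a root-only file, accepts it only over loopback, and compares it in constant time.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// hardcodedToken stands in for the value baked into the firmware. The string
// here is made up; what matters is that it is identical on every unit and
// can never be rotated.
const hardcodedToken = "example-hardcoded-admin-token"

// cookieName is an assumption; the real cookie name is not given in the write-up.
const cookieName = "auth"

// vulnerableAuth is the check as the write-up describes it: any request that
// carries the well-known cookie value is treated as admin, wherever it comes from.
func vulnerableAuth(r *http.Request) bool {
	c, err := r.Cookie(cookieName)
	if err != nil {
		return false
	}
	return c.Value == hardcodedToken
}

// bootToken is a fresh random secret generated at each boot. A local service
// such as evse would read it from a root-only file; a remote client never sees it.
var bootToken = newBootToken()

func newBootToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// hardenedAuth accepts the local-service token only over loopback and compares
// it in constant time, so neither a remote caller nor a timing oracle helps.
func hardenedAuth(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	if ip == nil || !ip.IsLoopback() {
		return false
	}
	c, err := r.Cookie(cookieName)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(bootToken)) == 1
}

// requestWith builds a constructed request to the admin interface from the
// given peer address, carrying the given cookie value.
func requestWith(remoteAddr, token string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/admin", nil)
	r.RemoteAddr = remoteAddr
	r.AddCookie(&http.Cookie{Name: cookieName, Value: token})
	return r
}

func main() {
	attacker := "203.0.113.7:51000" // constructed: a host elsewhere on the network
	local := "127.0.0.1:51000"      // constructed: the evse service on the device

	fmt.Println("vulnerable, remote peer with hardcoded token:", vulnerableAuth(requestWith(attacker, hardcodedToken)))
	fmt.Println("hardened,   remote peer with boot token:     ", hardenedAuth(requestWith(attacker, bootToken)))
	fmt.Println("hardened,   local peer with hardcoded token: ", hardenedAuth(requestWith(local, hardcodedToken)))
	fmt.Println("hardened,   local peer with boot token:      ", hardenedAuth(requestWith(local, bootToken)))
}
```

The loopback check on its own is not a substitute for the random token: any local process could still present the cookie, so the token should live in a file only the intended service can read. The check is cheap, and it removes the class of bug described above, where a secret that exists for one local caller quietly becomes a network-wide master credential.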
Once past authentication, an attacker can do a great deal, because the device has no secure update mechanism: uploading a malicious image is enough to take full control. The update "signature" is not a signature at all but a keyed hash, and the key it uses is hardcoded on the device itself, so anyone who extracts it can produce a valid tag for any image they like.
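The following added example (not the device's code, and the key and images are constructed values) shows concretely why a keyed hash with a device-resident key is not a signature, and what changes when the device holds only a public key. Under the keyed-hash scheme the attacker simply reuses the extracted key to tag their own image; under Ed25519 the attacker has the public key and a genuine vendor signature, and neither lets them get a forged image accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deviceHMACKey stands in for the key found on the device. The bytes here are
// made up; the real problem is that the key ships inside the firmware, so it is
// identical on every unit and readable by anyone who can dump the filesystem.
var deviceHMACKey = []byte("example-update-key-shipped-on-device")

// weakTag is the "signing" step as the write-up describes it: a keyed hash over
// the image. Producing it requires nothing the device does not already hold.
func weakTag(image []byte) []byte {
	mac := hmac.New(sha256.New, deviceHMACKey)
	mac.Write(image)
	return mac.Sum(nil)
}

// weakVerify is the device-side check for the keyed-hash scheme.
func weakVerify(image, tag []byte) bool {
	return hmac.Equal(weakTag(image), tag)
}

// strongVerify is the alternative: the vendor signs with an Ed25519 private key
// that stays on the build system, and the device carries only the public key.
func strongVerify(pub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pub, image, sig)
}

// Constructed sample images standing in for real firmware.
var (
	vendorImage    = []byte("vendor firmware build (constructed sample)")
	maliciousImage = []byte("attacker firmware with a root shell (constructed sample)")
)

// DemoWeak reports whether the vendor image and an attacker-tagged image are
// accepted under the keyed-hash scheme. The attacker computes the tag with the
// key extracted from the device, exactly as the vendor would.
func DemoWeak() (vendorAccepted, forgedAccepted bool) {
	vendorAccepted = weakVerify(vendorImage, weakTag(vendorImage))
	forgedAccepted = weakVerify(maliciousImage, weakTag(maliciousImage))
	return
}

// DemoStrong does the same under the asymmetric scheme. The attacker holds the
// public key and a genuine vendor signature but not the private key, so the best
// they can do is replay the vendor signature over their own image.
func DemoStrong() (vendorAccepted, forgedAccepted bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, vendorImage)
	vendorAccepted = strongVerify(pub, vendorImage, sig)
	forgedAccepted = strongVerify(pub, maliciousImage, sig)
	return
}

func main() {
	v, f := DemoWeak()
	fmt.Printf("keyed hash: vendor image accepted=%v, forged image accepted=%v\n", v, f)
	v, f = DemoStrong()
	fmt.Printf("ed25519:    vendor image accepted=%v, forged image accepted=%v\n", v, f)
}
```

A keyed hash is still useful on the device for integrity of data the device itself produced, where the verifier and the producer are the same party. Firmware authenticity is the opposite situation: the producer is the vendor and the verifier is a box in the field that an attacker can open, so the verifying key must be one that cannot be used to sign.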
Overall, a chain of simple bugs leads to full compromise of the device: a hardcoded credential gets an attacker in, and a misuse of cryptography (a shared key on the device where a public-key signature was needed) lets them stay.