Black Hat , Endpoint Security , Events

Critical Remote Code Vulnerabilities in EV Chargers Exposed

Computest Sector 7's Thijs Alkemade on IoT and Security Risks in EV Chargers
Thijs Alkemade, security researcher, Computest Sector 7

The security of electric vehicle chargers is under scrutiny after the discovery of new vulnerabilities at the latest Pwn2Own contest, which pose significant risks to the EV infrastructure. The vulnerabilities include remote code executions, allowing attackers to take full control of the chargers via Wi-Fi or Bluetooth; backdoors exploits in authentication processes; and stack buffer overflows in the firmware, said Thijs Alkemade, security researcher at Computest Sector 7.

See Also: Corelight's Brian Dye on NDR's Role in Defeating Ransomware

"We found that if you connect over Bluetooth, there's normally some authentication procedure, but there was a backdoor. With just a specific token from the firmware, we could set up an authenticated connection, even though it wasn't our charger," Alkemade said.

Many of these vulnerabilities were relatively easy to exploit, and "these bugs were pretty shallow, so we didn't have to look very long to find them," he said. Such vulnerabilities might be more common in IoT devices, including EV chargers, than in traditional servers or desktops. This is primarily due to the difficulty of accessing firmware, which prevents many researchers from finding and reporting these flaws, he said.

In this video interview with Information Security Media Group at Black Hat 2024, Alkemade also discussed:

  • The challenges of obtaining firmware for vulnerability testing;
  • The prevalence of code execution flaws in IoT devices;
  • The importance of public firmware availability for security transparency.

Alkemade is responsible for advanced security research on commonly used systems and environments. He has nearly 15 years of industry experience and is known for discovering critical vulnerabilities in macOS and winning Pwn2Own competitions by hacking Zoom and ICS systems.


About the Author

Aseem Jakhar

Aseem Jakhar

Co-Founder, EXPLIoT

Jakhar is the co-founder of EXPLIoT. He founded null - an open security community platform in Asia. He also organizes Nullcon and hardwear.io security conferences.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.