EV Charger Vulnerability Lets Attackers Trigger RCE via Bluetooth

The Autel MaxiCharger, a sophisticated EV charger with extensive hardware features, was found to be vulnerable to remote code execution via Bluetooth. 

Researchers discovered three vulnerabilities (CVE-2024-23958, CVE-2024-23959, and CVE-2024-23967) that allowed attackers to execute arbitrary code on the device without requiring any additional prerequisites. 

The vulnerabilities were exploited during the Pwn2Own Automotive 2024 competition in Tokyo, demonstrating the potential for malicious actors to compromise EV charging infrastructure.

The researchers initially attempted to capture firmware updates by intercepting network traffic between the phone and the charger. However, the update process had the phone download the update and send it directly to the charger over Bluetooth, so this approach was ineffective.

They then intercepted the phone's network traffic using Burp Suite and found that the update process involved the app requesting firmware versions, sending this information to Autel's server, and receiving URLs for the updates.


The researchers encountered obfuscated URLs and tried deobfuscation techniques, but found them challenging due to code obfuscation and anti-debugging measures in the app.

By analyzing the obfuscated URLs, they identified a simple substitution cipher and deobfuscated them to obtain the firmware files. They then manipulated the current version number to obtain URLs for the latest firmware of most components; one component required a different approach.

While attempting to decrypt a firmware file obfuscated with a repeating 256-byte pattern, they hypothesized that the pattern resulted from XORing the file with a 256-byte key.

After trying various methods, including XORing with the key and subtracting the key, they found that a combination of both operations was likely responsible for the obfuscation.

While they were able to identify small fragments of readable text, attempting to decrypt the entire file using these methods was unsuccessful, suggesting that the obfuscation was more complex than initially anticipated.

The encryption process XORs each plaintext byte with a value b and then adds a value a. Subtracting the encrypted zero byte essentially removes the b component. If the plaintext and b have no common bits, the XOR operation is equivalent to addition, so the subtraction yields the original plaintext value.

According to Sector 7, if there are common bits, the subtraction produces errors due to carry propagation, often resulting in differences that are powers of 2.
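As an added worked example (not Sector 7's or Autel's code), the following models the byte-wise XOR-then-add obfuscation described above and shows why the "subtract the encrypted zero byte" shortcut only recovers bytes whose bits do not overlap with b. The key values and sample plaintext are constructed for the demonstration; the real firmware keys are not given on the page.

```python
# Model of the obfuscation described in the article: enc = ((p ^ b) + a) mod 256,
# with a and b repeating every 256 bytes. Keys and plaintext below are constructed.

KEY_LEN = 256

def obfuscate(plaintext: bytes, a: bytes, b: bytes) -> bytes:
    """enc[i] = ((p[i] ^ b[i % 256]) + a[i % 256]) mod 256."""
    return bytes(((p ^ b[i % KEY_LEN]) + a[i % KEY_LEN]) & 0xFF
                 for i, p in enumerate(plaintext))

def deobfuscate(ciphertext: bytes, a: bytes, b: bytes) -> bytes:
    """Exact inverse once both key parts are known: undo the add, then the XOR."""
    return bytes(((c - a[i % KEY_LEN]) & 0xFF) ^ b[i % KEY_LEN]
                 for i, c in enumerate(ciphertext))

def encrypted_zero_block(a: bytes, b: bytes) -> bytes:
    """What a 256-byte run of zero plaintext looks like: (0 ^ b) + a = b + a."""
    return obfuscate(bytes(KEY_LEN), a, b)

def naive_recover(ciphertext: bytes, zero_block: bytes) -> bytes:
    """The shortcut from the article: subtract the encrypted zero byte.
    ((p ^ b) + a) - (b + a) = (p ^ b) - b, which equals p only when p and b
    share no set bits (then p ^ b == p + b and the b terms cancel exactly)."""
    return bytes((c - zero_block[i % KEY_LEN]) & 0xFF
                 for i, c in enumerate(ciphertext))

def naive_error(p: int, b: int) -> int:
    """How far naive recovery lands below p for one byte, mod 256.
    Since p ^ b == p + b - 2*(p & b), the shortfall is 2*(p & b): zero when
    the bits are disjoint, a power of two when exactly one bit overlaps."""
    naive = ((p ^ b) - b) & 0xFF
    return (p - naive) & 0xFF

# Constructed demo keys and plaintext (arbitrary but repeatable values).
A_KEY = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))
B_KEY = bytes((i * 13 + 5) & 0xFF for i in range(KEY_LEN))
SAMPLE = b"Constructed firmware header text, not real MaxiCharger data."

def demo() -> dict:
    enc = obfuscate(SAMPLE, A_KEY, B_KEY)
    naive = naive_recover(enc, encrypted_zero_block(A_KEY, B_KEY))
    # Count how many bytes the shortcut gets right versus the exact inverse.
    correct = sum(1 for x, y in zip(naive, SAMPLE) if x == y)
    return {"roundtrip_ok": deobfuscate(enc, A_KEY, B_KEY) == SAMPLE,
            "naive_correct_bytes": correct, "total_bytes": len(SAMPLE)}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the exact inverse round-trips while the subtraction shortcut recovers only a fraction of the bytes, matching the "small fragments of readable text" the researchers observed.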


The charger’s firmware uses a hardcoded authentication token that can be extracted to bypass normal authentication, which allows anyone within BLE range to gain full control of the device without needing the manual’s QR code or the app’s authentication token. 

By understanding the function’s logic and extracting the hardcoded token, researchers were able to exploit the vulnerability and gain unauthorized access to the charger’s BLE interface.

The Autel MaxiCharger contains vulnerabilities that allow attackers to gain unauthorized access and control, which include a backdoor in the authentication process, a stack buffer overflow in the opcode 3 handler, and another stack buffer overflow in the ACMP message processing function. 

By exploiting these vulnerabilities, attackers can potentially gain remote code execution, manipulate charging parameters, and defraud users. The vulnerabilities have been addressed in version v1.35.00, and users are advised to update their devices to the latest version.

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
