Security Advisory: Critical Vulnerabilities in EV Charging Stations: Analysis of eCharge Controllers
Since the advent of electric vehicles, we have observed a steady increase in the number of companies selling EV charging station controllers. Some of them use in-house developed, RTOS-based firmware, like Autel, while others build their products on a starter pack sold by Charge Byte. Charge Byte sells EV charging station controller hardware with a minimal system and an SDK of sorts, so that vendors can package update files for it. This is what Phoenix Contact uses for its CHAR-X controllers.
Even though multiple vendors use OEM devices from Charge Byte, the security level of the upper layer added by the final vendor can vary widely, and this blog post demonstrates just how bad things can really get.
It all started with an advisory published by Offensity in which they demonstrated authenticated remote command execution as root on the “cPH2 charging station produced by eCharge Hardy Barth GmbH”.
At the time we had recently integrated our PHP static analysis feature into the ONEKEY platform and wanted to check whether we could find more PHP vulnerabilities. We obtained the firmware from the Hardy Barth website and loaded it onto our research platform.
About ONEKEY
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support and management capabilities to improve product security and compliance, from purchasing through design, development and production to the end of the product life cycle.