Researchers discovered a serious vulnerability in the Autel MaxiCharger EV charger during the Pwn2Own Automotive 2024 competition in Tokyo. Over Bluetooth, an attacker can gain complete control of the device without having to enter a password or PIN.
A team of researchers from Computest’s Sector 7 discovered during the Pwn2Own competition that Autel’s MaxiCharger EV charger is vulnerable to attack over its Bluetooth connection. The vulnerability, designated CVE-2024-23958, allows an attacker to bypass the device’s authentication mechanisms and gain access to its key functions. Further vulnerabilities, including buffer overflows (CVE-2024-23959 and CVE-2024-23967), were also discovered, which open the possibility of taking full control of the charger. An attacker can change the charging parameters or even disable the device entirely.
The researchers were also able to obtain the device’s firmware by decrypting the download link. Inside the firmware they found code that allows authentication over Bluetooth to be bypassed completely. Autel released patches quickly once the vulnerabilities were discovered, but the researchers are calling for regular firmware updates and thorough security testing of such devices.
During the Pwn2Own Automotive 2024 competition, researchers discovered serious vulnerabilities in the Autel MaxiCharger EV charger. These vulnerabilities allow attackers to gain complete control over the device via Bluetooth, which poses a threat to electric car owners.
The Autel MaxiCharger vulnerability underscores the importance of cybersecurity for electric vehicle charging infrastructure. Regular firmware updates and thorough security checks are necessary steps to protect against potential threats.