Autel MaxiCharger Vulnerability CVE-2024-23958

11 September 2024 2 minutes Author: IronMind

Researchers discovered a serious vulnerability in the Autel MaxiCharger EV charger during the Pwn2Own Automotive 2024 competition in Tokyo. By using Bluetooth, hackers can gain complete control over a device without having to enter a password or PIN.

A team of researchers from Computest’s Sector 7 discovered during the Pwn2Own competition that Autel’s MaxiCharger EV charger is vulnerable to cyberattacks via Bluetooth connectivity. The vulnerability, designated CVE-2024-23958, allows hackers to bypass the device’s authentication mechanisms and gain access to its key functions. In addition, other vulnerabilities such as buffer overflows (CVE-2024-23959 and CVE-2024-23967) were discovered, which opens the possibility to take full control over the charger. Attackers can change the charging parameters or even completely disable the device.

The researchers were also able to access the device’s firmware by decrypting the download link. Inside the firmware, a code was discovered that allows you to completely bypass authentication via Bluetooth. Autel quickly released patches after the vulnerabilities were discovered, but researchers are calling for regular firmware updates and thorough security testing of such devices.

During the Pwn2Own Automotive 2024 competition, researchers discovered serious vulnerabilities in the Autel MaxiCharger EV charger. This vulnerability allows attackers to gain complete control over the device via Bluetooth, which poses a threat to electric car owners.

The Autel MaxiCharger vulnerability underscores the importance of cybersecurity for electric vehicle charging infrastructure. Regular firmware updates and thorough security checks are necessary steps to protect against potential threats.

Other related articles
News
Read more
14,000 medical workers are at risk
The MNA Healthcare data breach exposed the personal data of more than 14,000 healthcare professionals. The data breach included encrypted Social Security Numbers (SSNs), temporary passwords and other data that increases the risk of financial fraud and identity theft. The company has already blocked access to the leak, but the threat remains.
81
Found an error?
If you find an error, take a screenshot and send it to the bot.