The Autel MaxiCharger, a popular EV charger, was a target at Pwn2Own Automotive 2024. This article details the vulnerabilities discovered (CVE-2024-23958, CVE-2024-23959 and CVE-2024-23967), from obtaining and deobfuscating the firmware to exploiting it, and shows how we achieved arbitrary code execution using only a Bluetooth connection.
Decoding the Autel MaxiCharger’s Secrets: Firmware Acquisition and Analysis
The initial challenge was obtaining the firmware. Updates are delivered via Bluetooth from the Autel app after a server-side check. The update URLs were obfuscated with a simple substitution cipher and base64 encoding; decoding them allowed us to download the firmware files directly from Amazon S3.
The downloaded files were themselves obfuscated with a combination of XOR and addition using 256-byte keys. Since the keys are far shorter than the firmware, each key byte is reused throughout the file, so known plaintext at one offset reveals the key bytes that protect the same positions everywhere else. Recovering the firmware this way was a manual process akin to solving a crossword puzzle: recognising string literals and code from embedded libraries such as mbedTLS, using them to pin down key bytes, and using the partially decoded output to spot the next piece of known plaintext.
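To make the known-plaintext recovery concrete, here is an added example that is not part of the original research or Autel's code: it models the obfuscation as an add step followed by an XOR step, each with its own 256-byte key that repeats across the file (a layout assumed for illustration, not Autel's actual scheme), builds a constructed firmware blob carrying recognisable mbedTLS and AT-command strings, and then uses those strings as cribs to brute-force the two key bytes of every position they cover. The function names, the crib strings and the LCG-generated keys are all mine.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KEYLEN   256
#define BLOB_LEN 768

/* Assumed model (not Autel's real scheme): add one 256-byte key, then XOR
 * with a second one; both keys repeat every 256 bytes. */
static uint8_t obf(uint8_t p, uint8_t a, uint8_t x)   { return (uint8_t)((p + a) ^ x); }
static uint8_t deobf(uint8_t c, uint8_t a, uint8_t x) { return (uint8_t)((c ^ x) - a); }

struct crib { size_t off; const char *text; };   /* known plaintext at an offset */

/* Brute-force the (add, xor) pair for key position k from every crib byte
 * that lands on it. Returns the number of consistent pairs (0 = no crib
 * covers k, 1 = uniquely solved, >1 = ambiguous); one is left in *a_out/*x_out. */
int solve_position(size_t k, const uint8_t *cipher, size_t n,
                   const struct crib *cribs, size_t ncribs,
                   uint8_t *a_out, uint8_t *x_out)
{
    uint8_t p[64], c[64];
    size_t np = 0;
    for (size_t i = 0; i < ncribs; i++) {
        size_t len = strlen(cribs[i].text);
        for (size_t j = 0; j < len && np < 64; j++) {
            size_t pos = cribs[i].off + j;
            if (pos < n && pos % KEYLEN == k) {
                p[np] = (uint8_t)cribs[i].text[j];
                c[np] = cipher[pos];
                np++;
            }
        }
    }
    if (np == 0) return 0;
    int count = 0;
    for (int a = 0; a < 256; a++) {
        /* A guess for the add byte fixes the XOR byte via the first pair;
         * the remaining pairs confirm or reject the guess. */
        uint8_t x = (uint8_t)((uint8_t)(p[0] + a) ^ c[0]);
        int ok = 1;
        for (size_t i = 1; i < np && ok; i++)
            ok = obf(p[i], (uint8_t)a, x) == c[i];
        if (ok) { count++; *a_out = (uint8_t)a; *x_out = x; }
    }
    return count;
}

/* Solve every key position the cribs constrain and decode the blob; positions
 * no crib touches decode to '?'. counts[k] is the candidate count for
 * position k. Returns how many positions have at least one candidate. */
int recover(const uint8_t *cipher, size_t n, const struct crib *cribs,
            size_t ncribs, uint8_t *plain, int counts[KEYLEN])
{
    uint8_t add_key[KEYLEN], xor_key[KEYLEN];
    int nsolved = 0;
    for (size_t k = 0; k < KEYLEN; k++) {
        counts[k] = solve_position(k, cipher, n, cribs, ncribs, &add_key[k], &xor_key[k]);
        if (counts[k] > 0) nsolved++;
    }
    for (size_t i = 0; i < n; i++) {
        size_t k = i % KEYLEN;
        plain[i] = counts[k] > 0 ? deobf(cipher[i], add_key[k], xor_key[k]) : '?';
    }
    return nsolved;
}

/* Constructed demo blob: filler bytes plus strings an analyst would recognise,
 * placed so that two different strings share the same key positions. */
static const struct crib demo_cribs[] = {
    { 0x010, "mbedtls_ssl_handshake"  },
    { 0x110, "mbedtls_x509_crt_parse" },
    { 0x040, "AT+BLEINIT"             },
    { 0x140, "AT+BLEADDR"             },
};
#define NCRIBS (sizeof demo_cribs / sizeof demo_cribs[0])

static uint8_t demo_cipher[BLOB_LEN], demo_plain[BLOB_LEN];
static int demo_counts[KEYLEN];

/* Obfuscate the demo blob with keys from a fixed LCG, then recover it from the
 * cribs alone. Returns the number of key positions recovered. */
int run_demo(void)
{
    uint8_t add_key[KEYLEN], xor_key[KEYLEN], blob[BLOB_LEN];
    uint32_t s = 0x1234567u;
    for (size_t k = 0; k < KEYLEN; k++) {
        s = s * 1103515245u + 12345u; add_key[k] = (uint8_t)(s >> 16);
        s = s * 1103515245u + 12345u; xor_key[k] = (uint8_t)(s >> 16);
    }
    for (size_t i = 0; i < BLOB_LEN; i++) blob[i] = (uint8_t)(i * 7);
    for (size_t i = 0; i < NCRIBS; i++)
        memcpy(blob + demo_cribs[i].off, demo_cribs[i].text, strlen(demo_cribs[i].text));
    for (size_t i = 0; i < BLOB_LEN; i++)
        demo_cipher[i] = obf(blob[i], add_key[i % KEYLEN], xor_key[i % KEYLEN]);
    return recover(demo_cipher, BLOB_LEN, demo_cribs, NCRIBS, demo_plain, demo_counts);
}

int main(void)
{
    int n = run_demo(), unique = 0;
    for (size_t k = 0; k < KEYLEN; k++) unique += demo_counts[k] == 1;
    printf("%d/%d key positions constrained, %d of them uniquely\n", n, KEYLEN, unique);
    printf("offset 0x10 decodes to: %.21s\n", (const char *)demo_plain + 0x10);
    return 0;
}
```

Each crib byte fixes the XOR byte for any guess of the add byte, so the search per position is 256 guesses rather than 65,536, and a position only becomes unambiguous when at least two different plaintext bytes land on it. That is the crossword quality of the job: positions covered by a single string stay ambiguous until another known string at a different offset crosses them, and positions no string touches remain unknown until more plaintext is identified.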
Exploiting Bluetooth Vulnerabilities: Authentication Bypass and Buffer Overflows
With the deobfuscated firmware in hand, the focus shifted to Bluetooth. The BLE implementation, built on an ESP32 running the ESP-AT firmware, presented several weaknesses.
Authentication Bypass (CVE-2024-23958)
The authentication handshake relies on a SHA256 hash comparison. Besides the user-specific token, however, the charger also accepts a hard-coded token that is the same on every device. Anyone who extracts that token from the firmware can authenticate to any charger, bypassing the legitimate per-user authentication entirely.
Buffer Overflow Vulnerabilities (CVE-2024-23959 and CVE-2024-23967)
Two stack buffer overflows were identified. The first (CVE-2024-23959) is in an opcode handler for charging-process parameters: an oversized BLE packet overwrites the saved registers on the stack, including the saved program counter. The second (CVE-2024-23967) is in the handler for ACMP (Autel Cloud Management Protocol) connections: the data field of the JSON messages sent over this connection is base64-decoded into a fixed-size buffer without any check on the decoded length, so an oversized field overflows the buffer.
Both were straightforward to exploit because the firmware has no stack cookies, ASLR or DEP. A ROP chain was used to determine the stack address at runtime and jump into shellcode delivered in the oversized packets. Unstable UART logging initially hindered debugging; grounding the board's mounting holes resolved it and let us confirm code execution.
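The pattern behind CVE-2024-23967 is a decoder whose output size is dictated by attacker-controlled input and never compared with the destination. The following added example (mine, not Autel's code or the researchers' exploit) reconstructs that shape: a naive handler base64-decodes the data field of a JSON message into a 64-byte stack buffer, and a hardened version computes the decoded length up front and rejects the message before writing a byte. The message format, the 64-byte buffer size and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DATA_BUF 64   /* assumed size of the decoded "data" buffer */

static int b64_val(char ch)
{
    if (ch >= 'A' && ch <= 'Z') return ch - 'A';
    if (ch >= 'a' && ch <= 'z') return ch - 'a' + 26;
    if (ch >= '0' && ch <= '9') return ch - '0' + 52;
    return ch == '+' ? 62 : ch == '/' ? 63 : -1;
}

/* Decode base64 into `out`, stopping at the first '='. Returns bytes written
 * or -1 on a bad character. It trusts the caller to have sized `out`. */
int b64_decode(const char *in, size_t inlen, uint8_t *out)
{
    uint32_t acc = 0;
    int bits = 0, n = 0;
    for (size_t i = 0; i < inlen && in[i] != '='; i++) {
        int v = b64_val(in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (uint8_t)(acc >> bits); }
    }
    return n;
}

/* Decoded size implied by the encoded text (6 bits per character up to the
 * first '='), computed without writing anything. */
size_t b64_decoded_len(const char *in, size_t inlen)
{
    size_t chars = 0;
    while (chars < inlen && in[chars] != '=') chars++;
    return chars * 6 / 8;
}

/* Copy the string value of "data" out of a JSON message. A naive scan with no
 * escape handling, enough for the demo; not a JSON parser. */
static int extract_data(const char *msg, char *val, size_t cap)
{
    const char *p = strstr(msg, "\"data\":\""), *q;
    if (!p || !(q = strchr(p += 8, '"')) || (size_t)(q - p) >= cap) return -1;
    memcpy(val, p, (size_t)(q - p));
    val[q - p] = '\0';
    return 0;
}

/* VULNERABLE on purpose: the pattern described for the ACMP handler. The
 * encoded string is bounded to 255 characters, but its decoded form goes into
 * a 64-byte stack buffer unchecked, so a "data" value longer than about 88
 * characters writes past `buf` into the saved registers. */
int handle_message_vulnerable(const char *msg)
{
    char b64[256];
    uint8_t buf[DATA_BUF];
    if (extract_data(msg, b64, sizeof b64) < 0) return -1;
    return b64_decode(b64, strlen(b64), buf);   /* no bound on the output */
}

/* Hardened: derive the decoded length from the input and refuse anything
 * that would not fit before a single byte is written. */
int handle_message_hardened(const char *msg)
{
    char b64[256];
    uint8_t buf[DATA_BUF];
    if (extract_data(msg, b64, sizeof b64) < 0) return -1;
    size_t inlen = strlen(b64);
    if (b64_decoded_len(b64, inlen) > sizeof buf) return -2;   /* too large */
    return b64_decode(b64, inlen, buf);
}

/* Decoded size of a message's "data" field, 0 if absent. */
size_t msg_decoded_len(const char *msg)
{
    char b64[256];
    if (extract_data(msg, b64, sizeof b64) < 0) return 0;
    return b64_decoded_len(b64, strlen(b64));
}

/* Constructed ACMP-style message with an n-character base64 "data" field. */
static char g_msg[320];
const char *build_msg(size_t n)
{
    if (n > 255) n = 255;
    size_t len = strlen(strcpy(g_msg, "{\"cmd\":\"report\",\"data\":\""));
    memset(g_msg + len, 'A', n);
    strcpy(g_msg + len + n, "\"}");
    return g_msg;
}

int main(void)
{
    printf("8-char data: vulnerable=%d hardened=%d\n",
           handle_message_vulnerable(build_msg(8)), handle_message_hardened(build_msg(8)));
    printf("120-char data: %zu bytes decoded, hardened=%d\n",
           msg_decoded_len(build_msg(120)), handle_message_hardened(build_msg(120)));
    return 0;
}
```

Bounding the encoded string (here to 255 characters) is not the same as bounding the decoded output: 255 base64 characters still decode to 190 bytes, three times the buffer. The hardened handler sizes the check from the input it is about to decode, which is the one quantity the attacker cannot argue with. On this target the missing check is fatal because there are no stack cookies to catch the overwrite before the saved return address is used.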
Impact of a Compromised MaxiCharger: Safety, Network Security and Financial Fraud
The impact of these vulnerabilities is significant. Because updates are not signed, a compromised charger can be flashed with attacker-controlled firmware, which could bypass safety mechanisms, cause physical damage or be used to disrupt the power grid. The charger's WiFi or Ethernet connection then gives the attacker a foothold on whatever network it is attached to.
Most alarmingly, the MaxiCharger's "public charging" feature, which lets customers pay with RFID cards, opens the door to financial fraud: modified firmware could misreport the energy delivered, defrauding the charging card issuers.
Conclusion: Autel MaxiCharger Vulnerabilities Highlight Security Concerns in EV Charging Infrastructure
The Autel MaxiCharger vulnerabilities underscore the need for robust security in EV charging infrastructure. Obfuscation in place of real encryption and signing, together with the absence of basic memory protections, made exploitation straightforward. The potential consequences, from safety risks to financial fraud, highlight the need for thorough security assessments and prompt patching in this evolving landscape. The vulnerabilities have been fixed in firmware version v1.35.00.