CISA has just released a new vulnerability alert, this time in regards to all versions of the electric vehicle (EV) charging devices produced by alpitronic.
The alpitronic Hypercharger EV Charger is a high power, high efficiency charging station, and alpitronic has been developing parts for the charger since 2009, and is currently used globally.
The vulnerability stems from a potential misconfiguration, whereby the device can expose a web interface protected by authentication.
If a user hasn’t changed the default credentials, which could a significant amount of users, an attacker can use the publicly available defaults to access the device with administrator privileges.
Successful exploitation of this vulnerability could result in an attacker disabling the device, bypassing payment, or accessing payment data.
Response To Vulnerability Alert
Alpitronic has advised users to change default passwords on all charging devices to enhance security. They recommend connecting the device interface to internal networks with controlled access, avoiding public internet exposure.
Upon discovering security vulnerabilities, alpitronic worked with clients to disable public interfaces and remind them about the risks of using default credentials.
They are also implementing security measures for existing and new devices, including unique passwords. New passwords can be obtained via QR code inside the charger or through a portal.
CISA has recommended minimising network exposure, using firewalls, and securing remote access with VPNs while keeping VPNs updated and ensuring connected devices are secure.
