Schneider Electric EV Charger Vulnerability: Risks and How to Protect Your Smart Home

Ah, vulnerabilities in connected devices—it's the plot twist we all saw coming in the age of "smart everything." This time, the newest star of the security drama is Schneider Electric's EVlink Home Smart and Schneider Charge EV chargers. With cybersecurity smack dab in the spotlight, Schneider's electric vehicle chargers have been found susceptible to a vulnerability that might cause you to scratch your head and lock down your home network. Here's the deep dive you need to understand what's happening, the risks involved, and how to safeguard your digital front door.

🚨 A Closer Look at the Vulnerability

Executive Summary

The vulnerability has been assigned the CVE ID: CVE-2024-8070, with a "spicy" CVSS v3 score of 8.5 out of 10, indicating a high level of concern. The cherry on top? The attack complexity is labeled as “low,” meaning it's relatively easy for bad actors to exploit.
The issue resides in cleartext storage of sensitive information (CWE-312). Essentially, Schneider Electric's firmware for these devices is saving sensitive credentials in plain text, making them accessible to anyone with a knack for peeking inside firmware binaries.
In layman's terms: Imagine storing the keys to your front door under the doormat labeled “doormat.” Not ideal.

Devices Affected

Here’s the gear in question:
  • EVlink Home Smart Charging Stations: All versions prior to 2.0.6.0.0
  • Schneider Charge Charging Stations: All versions prior to 1.13.4
Before shrugging this off, review your setup. If you’re rocking one of these devices, it's update time (more on that in a bit).

🚦 Why This Matters to You

You might think, “I'm not running some industrial factory—I'm just charging my EV at home.” Fair point. But here's the kicker: Exploiting this vulnerability could expose sensitive credentials stored on your charger, giving attackers the ability to fiddle with firmware or hardware beyond what’s allowed.

Wider Implications

  • Device Tampering: If someone messes with your firmware, they could inject malicious code. This could result in charging disruptions—or worse, compromise the entire network that houses the charger.
  • Backdoor Security Breach: Since EV chargers are part of the smart home ecosystem, compromising one device could act as a backdoor into your Wi-Fi network, stealing personal data from other connected devices.
Think about it: a nosey hacker in the neighborhood with the right skills could poke their way into your smart home just by targeting this charger. And while this vulnerability isn't remotely exploitable, once someone has local access (think physical tampering or access to firmware files), things could spiral.

🔎 Mitigations and Fixes from Schneider Electric

To Schneider's credit, they're on this faster than Windows delivers monthly updates. Here's what they recommend to squash this bug.

Firmware Updates

Both devices have patches. You need these, like yesterday.
  • EVlink Home Smart: Update to version 2.0.6.0.0 or later, available via the Wiser app.
  • Schneider Charge: Update to version 1.13.4 or later, similarly rolled out via the Wiser app.

How to Get the Update

Chances are if your charger is connected to Schneider's Wiser application, these updates will roll in automatically. But don’t be passive—proactivity goes a long way:
  • Check the Firmware Version: Dive into the settings page of your charging station within the Wiser app.
  • Verify Automatic Updates: Ensure your device is online and properly connected to your app interface; otherwise, the update won’t stick.
For new installations, Schneider Electric enforces a fix through its eSetup commissioning application, so rest assured the system will be buttoned up before coming online.

Proactive Recommendations

Schneider Electric has also provided general cybersecurity tips to bolster overall security:
  • Isolate Devices: Use separate network segments (e.g., guest networks or VLANs for IoT devices).
  • No Port Forwarding: Public-facing IP addresses are a no-go; these devices are safer when hidden behind routers/firewalls.
  • Lock Down Your Wi-Fi: Use WPA3 (or WPA2 if that’s all you’ve got) encryption to secure your home network.
  • Physical Security: Treat your chargers like high-priority tech—inspect them for signs of tampering every now and then.
Schneider takes this seriously, and so should you.

🛑 The Bigger Cybersecurity Picture for EV Enthusiasts

As charging becomes integral to your day-to-day routine, the ecosystem of vehicles, chargers, and apps grows dangerously appealing to attackers. Vulnerabilities like this reveal why manufacturers—and owners—need to take cybersecurity seriously:
  • EV Industry Risks: Charging systems tie directly to power grids, making them critical if exploited on a broader scale.
  • Connected Homes at Risk: From smart refrigerators to EV chargers, vulnerabilities can act as stepping stones for cybercriminals targeting everything from your bank account to health records.
Remember, no fortress is impenetrable, but you can still make yours less of an open door and more of a locked vault.

🤔 Where Windows Users Fit In

While this isn’t a Windows-specific story, it’s a reminder to practice good “digital hygiene” across all devices in your ecosystem. Be it a laptop, tablet, smart thermostat, or EV charger, vulnerabilities can creep in anywhere data flows.
For the tech-savvy Windows user out there: leverage applications like Wireshark to detect unusual network traffic or Windows Defender Firewall Rules to segment your local network. Visualize it as giving each of your smart devices a secret club—only members get interaction rights.

Final Thoughts

Here's the reality: smart tech and connected devices are amazing, but every new "feature" often doubles as a new "attack surface." Schneider Electric caught this issue and provided solutions, but it’s ultimately on users like us to stay vigilant.
So, if you own an EV charger and it's on the list, don't hit snooze on that update reminder. And yes, start naming your networks something other than "12345."
Until next time, power up and patch up, Windows warriors!

Source: CISA, "Schneider Electric EVlink Home Smart and Schneider Charge"
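
The fixed-version thresholds listed in the post above (EVlink Home Smart 2.0.6.0.0, Schneider Charge 1.13.4) can be checked against a list of chargers, as an added example that is not part of the original post or any Schneider Electric tooling. The inventory format, device names and product keys are assumptions; the installed versions would be read by hand from the Wiser app.

```python
# Added example: flag chargers whose firmware predates the fixed releases named in the post.
# Inventory layout and product keys are assumptions, not a Schneider Electric format.

FIXED = {  # first fixed firmware per product, as stated in the post
    "evlink home smart": "2.0.6.0.0",
    "schneider charge": "1.13.4",
}

def parse_version(text):
    """Turn '2.0.6.0.0' into (2, 0, 6, 0, 0); raise ValueError on anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def compare(a, b):
    """Compare version tuples numerically, padding the shorter with zeros (1.13 == 1.13.0)."""
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)

def assess(product, version):
    """Return 'patched', 'vulnerable', or 'unknown' (needs a manual check) for one charger."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return "unknown"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"
    return "vulnerable" if compare(installed, parse_version(fixed)) < 0 else "patched"

# Constructed sample inventory (not real devices).
INVENTORY = [
    ("garage", "EVlink Home Smart", "2.0.5.1.0"),
    ("driveway", "Schneider Charge", "1.13.4"),
    ("carport", "Schneider Charge", "1.9.12"),   # a plain string compare would get this wrong
    ("shed", "EVlink Home Smart", "n/a"),        # unreadable version is never reported as patched
]

def report(inventory):
    """Map each charger name to its assessment."""
    return {name: assess(product, version) for name, product, version in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:10} {status}")
```
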
 
