EV Energy WebSocket Authentication Vulnerability Allowing Unauthorized Control of Charging Stations

Vulnerability

A vulnerability exists in the WebSocket endpoints of EV Energy's charging station management platform, allowing unauthorized impersonation of charging stations and manipulation of data sent to the backend. This issue arises because the WebSocket connections to the OCPP (Open Charge Point Protocol) endpoints lack proper authentication. An unauthenticated attacker can connect to the WebSocket endpoint using a known or discovered charging station identifier and issue or receive OCPP commands as if they were a legitimate charger. This vulnerability could lead to unauthorized administrative control over the charging stations, disruption of charging services, and corruption of charging network data reported to the backend.
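As an added example (not EV Energy's code and not part of the original advisory), the following sketches the handshake check the description says is missing: the upgrade request is rejected unless it carries a credential bound to the station identifier in the URL. The `/ocpp/<station-id>` path layout, HTTP Basic credentials sent over TLS, the function names and the station records are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def _kdf(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# Constructed records: station id -> (salt, derived key). Not real credentials.
STATIONS = {
    "CP-0001": (b"salt-1", _kdf(b"constructed-secret-1", b"salt-1")),
    "CP-0002": (b"salt-2", _kdf(b"constructed-secret-2", b"salt-2")),
}
_DUMMY = (b"dummy-salt", bytes(32))  # keeps the work constant for unknown ids

def authorize_handshake(path: str, headers: dict) -> tuple[int, str]:
    """Decide on a WebSocket upgrade before any OCPP frame is accepted."""
    # Assumed URL layout: /ocpp/<station-id>
    station = path.rstrip("/").rsplit("/", 1)[-1]
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, "missing credentials"
    try:
        user, sep, password = base64.b64decode(token, validate=True).partition(b":")
    except ValueError:
        return 401, "malformed credentials"
    if not sep:
        return 401, "malformed credentials"
    record = STATIONS.get(station)
    salt, expected = record or _DUMMY
    password_ok = hmac.compare_digest(_kdf(password, salt), expected)
    # The credential must belong to the station named in the URL, so knowing
    # an identifier (or holding another station's secret) is not enough.
    identity_ok = hmac.compare_digest(user, station.encode())
    if record is None or not (password_ok and identity_ok):
        return 401, "invalid credentials"
    return 101, "switching protocols"
```

A backend would call a check like this from its upgrade handler and log every 401 together with the requested station identifier, since repeated failures across many identifiers indicate enumeration.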

Impact

Exploitation of this vulnerability could result in unauthorized control over charging stations, allowing attackers to issue or receive commands as if they were legitimate chargers. This could lead to privilege escalation and disruption of charging services, causing a denial-of-service effect on the charging infrastructure.

Remediation

EV Energy did not respond to CISA's request for coordination. Contact EV Energy using their contact page for more information.

Added: Feb 27, 2026, 12:22 AM
Updated: Feb 27, 2026, 12:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.6
exploitability: 7.0
remediation: 0.0
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.