From Pwn2Own Automotive: Taking Over the Autel Maxicharger
This blog highlights two vulnerabilities in the Autel Maxicharger firmware that were disclosed by researchers from Synacktiv at the Pwn2Own Automotive 2024 event, and how Autel responded to and patched them in its latest firmware release.
At the event, the Synacktiv researchers demonstrated two distinct remote attacks against the Autel Maxicharger running firmware v1.32, each achieving remote code execution (RCE). Autel was informed of the issues and released firmware v1.35 before ZDI published the research. The first vulnerability discussed in this blog was addressed in ZDI-24-851, and the second in ZDI-24-852. Below, we describe the reverse engineering process used to locate each vulnerability in the original firmware and how ZDI confirmed the corrected code in the new firmware.
The first vulnerability disclosed is in a Bluetooth function that handles charging control. The v1.32 firmware placed no limit on the length of the client message it stores in memory, so the researchers could send an oversized Bluetooth Low Energy (BLE) message, overflow the receive buffer allocated for it, overwrite adjacent memory with attacker-controlled bytes, and ultimately take control of the device. We extracted both the v1.32 and v1.35 firmware images from the Autel charger and reversed both binaries using Ghidra. Using Ghidra's Version Tracking feature, we compared the AppChargingControl function across the two firmware versions. As shown in the screenshot below, the left panel (v1.32) simply copies a client message of any length directly into memory. In the right panel (v1.35), Autel added a length check that limits the client message length to the size of the memory buffer (0x3D bytes).
Figure 1 - A comparison of the v1.32 and v1.35 firmware versions
This added check on the client message length should prevent a remote attacker from overflowing the buffer through this function.
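To make the shape of the bug and of the fix concrete, here is an added example written for this post; it is not code from Autel's firmware or from the Synacktiv researchers. It models a BLE charging-control handler in C with the v1.32 behaviour (the client-supplied length goes straight into the copy) next to the v1.35 behaviour (the length is checked against the 0x3D-byte buffer before the copy). The function names, the flat memory layout, the field offsets, and the "code pointer" field behind the buffer are assumptions for illustration only; the one value taken from the firmware comparison is the 0x3D buffer size.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the client message buffer; the value the v1.35 check compares against. */
#define MSG_BUF_LEN 0x3D

/*
 * The handler's state is modelled as one flat block so the overflow stays inside
 * a single C object and the demo itself has no undefined behaviour.
 * The layout is an assumption for illustration, not Autel's real memory layout:
 *   0x00..0x3C  msg      client message buffer (0x3D bytes)
 *   0x3D        amps     charging current limit the handler acts on
 *   0x40..0x43  handler  stand-in for a code pointer an overflow could hijack
 */
#define OFF_MSG      0x00
#define OFF_AMPS     MSG_BUF_LEN
#define OFF_HANDLER  0x40
#define STATE_SIZE   0x80

#define DEFAULT_AMPS     16
#define DEFAULT_HANDLER  0x10008000u  /* placeholder pointer value */
#define ATTACKER_PTR     0x41414141u  /* what the constructed oversized message writes there */

typedef int (*ctrl_fn)(uint8_t *state, const uint8_t *msg, size_t len);

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static void state_init(uint8_t *state)
{
    memset(state, 0, STATE_SIZE);
    state[OFF_AMPS] = DEFAULT_AMPS;
    wr32(state + OFF_HANDLER, DEFAULT_HANDLER);
}

/* v1.32 shape: the client-supplied length feeds the copy with no bound at all. */
int app_charging_control_v132(uint8_t *state, const uint8_t *msg, size_t len)
{
    memcpy(state + OFF_MSG, msg, len);
    return 0;
}

/* v1.35 shape: a message longer than the buffer is rejected before the copy. */
int app_charging_control_v135(uint8_t *state, const uint8_t *msg, size_t len)
{
    if (len > MSG_BUF_LEN)
        return -1;
    memcpy(state + OFF_MSG, msg, len);
    return 0;
}

/* What one delivery did: the handler's verdict plus the fields behind the buffer. */
struct outcome {
    int      rc;           /* handler return code */
    int      intact;       /* 1 if amps and handler still hold their defaults */
    uint8_t  amps;
    uint32_t handler_ptr;
};

/*
 * Builds a constructed message of `len` bytes (filler, plus an attacker-chosen
 * current limit and pointer at the offsets that lie past the buffer, reached only
 * when the message is long enough) and delivers it to `handler`.
 */
struct outcome deliver(ctrl_fn handler, size_t len)
{
    uint8_t state[STATE_SIZE];
    uint8_t msg[STATE_SIZE];
    struct outcome o = { -2, 0, 0, 0 };

    if (len > STATE_SIZE)          /* demo guard: keep the copy inside the flat block */
        return o;

    memset(msg, 'A', sizeof msg);
    msg[OFF_AMPS] = 80;
    wr32(msg + OFF_HANDLER, ATTACKER_PTR);

    state_init(state);
    o.rc = handler(state, msg, len);
    o.amps = state[OFF_AMPS];
    o.handler_ptr = rd32(state + OFF_HANDLER);
    o.intact = (o.amps == DEFAULT_AMPS && o.handler_ptr == DEFAULT_HANDLER);
    return o;
}

int main(void)
{
    struct outcome a = deliver(app_charging_control_v132, 0x44);
    struct outcome b = deliver(app_charging_control_v135, 0x44);
    printf("v1.32: rc=%d amps=%u handler=0x%08x intact=%d\n",
           a.rc, (unsigned)a.amps, (unsigned)a.handler_ptr, a.intact);
    printf("v1.35: rc=%d amps=%u handler=0x%08x intact=%d\n",
           b.rc, (unsigned)b.amps, (unsigned)b.handler_ptr, b.intact);
    return 0;
}
```

Delivering a 0x44-byte message to the v1.32 shape succeeds and leaves the current limit and the pointer field holding attacker bytes; the same message against the v1.35 shape is rejected with -1 and both fields keep their defaults, while a message of exactly 0x3D bytes is still accepted by both. The check has to sit before the copy and compare against the real buffer size; a check placed after the copy, or against the wrong constant, gives no protection.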
The second issue reported by the researchers was located with the same reversing process in Ghidra: both firmware versions were extracted and compared side by side in Ghidra's Version Tracking tool to observe the vulnerability and its patch. The vulnerable function authenticates Wi-Fi credentials but contains a back door in the form of hard-coded credentials that the function accepts. The screenshot below again shows the v1.32 code in the left panel and the v1.35 code in the right panel; the highlighted code is the back door that was removed between the two versions.
Figure 2 - Comparing v1.32 to v1.35 to show the removal of the back door
In this patch, the back door was removed entirely in v1.35. Gaining access through this function should now require the device's actual Wi-Fi credentials rather than a set baked into the firmware.
Conclusion
It is good to see the vendor patch these bugs, as they were particularly easy to exploit given the lack of mitigations in the system. EV chargers are being rapidly deployed in homes around the world and pose safety risks when they are not secured. We look forward to Pwn2Own Automotive again in January 2025 and will see whether EV charger vendors have improved their product security. Look out for our upcoming rules, targets, and contest announcements, and we hope to see you there.
Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.