SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Sternum & ChargePoint secure Home Flex against IoT vulnerabilities
Fri, 26th Jan 2024

Internet of Things (IoT) security company Sternum has joined forces with ChargePoint to bolster security for the ChargePoint Home Flex after discovering crucial vulnerabilities.

The two discovered weak points in the widely used electric vehicle charging devices during an extensive research project. The vulnerabilities identified by Sternum comprised a potential weakness involving the reverse SSH tunnel and outdated versions of the NTP client and HTTP server.

With assistance from Sternum IoT, ChargePoint was able to address these flaws in its latest firmware update, which disabled the HTTP server and refreshed the NTP client. This successfully remedied weaknesses in the CPH50 device and improved the already impressive security features of the product.

Teza Mukkavilli, Chief Information Security Officer of ChargePoint, emphasises that his company is committed to ensuring the integrity of all customer data, stating that, "Through this collaboration, we've implemented critical enhancements to Home Flex. Our focus remains on delivering a convenient, dependable, and safe EV charging experience for all drivers."

To identify the flaws, Sternum analysed three distinct iterations of the ChargePoint Home Flex device. After conducting meticulous hardware and software security research, the experts were able to gain access to the device's firmware and secure a root shell via the JTAG headers on the device.

In relation to the identified weaknesses, Sternum found several vulnerabilities. The SSH connections can be exploited if an attacker waits for an on-demand connection between the server and the device.

Further vulnerabilities were discovered in outmoded versions of the device software, including the potential to forward target ports and exploit them for unauthorised access or manipulation. Also identified were an outdated HTTP server, a deprecated NTP client with known susceptibilities, and a device certificate with an unlimited expiration time.

The experts at Sternum have warned that, because the key pair can be dumped from the device, an attacker could feasibly create their own tunnel after authenticating to ChargePoint's central server, presenting a potentially dangerous avenue for unauthorised access.

However, Sternum has already collaborated with ChargePoint to address the vulnerability. This has led to necessary software updates, which include patching the NTP client, disabling the HTTP server and defaulting the SSH connection to 'on-demand'. This response from ChargePoint emphasises the importance and necessity of securing critical infrastructure.

The vulnerability serves as a stark reminder of the wider challenges in securing IoT devices, particularly those incorporated into critical infrastructure such as EV charging stations. It emphasises the urgent need for continual vigilance and regular updates in the IoT landscape to protect against ever-evolving cybersecurity threats.

In this light, Sternum reiterates the necessity of ensuring the ongoing security and reliability of IoT devices and infrastructure, including EV charging systems. The company is committed to continuing collaborations with ChargePoint and other IoT device manufacturers to safeguard against future vulnerabilities.