Full Report
Demonstrated in China, probably applicable elsewhere
Analysis Summary
# Vulnerability: Authentication Bypass and DoS in Rented IoT Infrastructure (EV Chargers/Shared Mobility)
## CVE Details
- **CVE ID:** Not yet assigned (Research presented at Black Hat Asia 2024).
- **CVSS Score:** N/A (Estimated **8.1 - 9.1** High/Critical based on potential for large-scale DoS and data theft).
- **CWE:** CWE-287 (Improper Authentication), CWE-321 (Use of Hard-coded Cryptographic Key), CWE-807 (Reliance on Untrusted Inputs).
## Affected Systems
- **Products:** Public Electric Vehicle (EV) charging stations, shared e-bikes, and e-scooters.
- **Versions:** Multiple vendors across China and at least 11 identified providers in Europe.
- **Configurations:** IoT devices whose firmware carries authentication keys shared across the fleet, paired with backend services that lack robust validation of mobile-app-to-server requests.
## Vulnerability Description
Security researcher Hetian Shi identified systemic flaws in the "Rented IoT" ecosystem. The vulnerabilities stem from a "convenience-first" design philosophy:
1. **Physical Interface Exposure:** Hardware units often include accessible debugging ports or UART connectors, allowing attackers to extract firmware.
2. **Hard-coded Credentials:** Firmware analysis revealed the use of shared authentication keys across entire device fleets.
3. **Broken Backend Authentication:** Backend services fail to properly verify the legitimacy of requests originating from mobile applications.
4. **Phantom Clients:** Attackers can use the researcher's "IDScope" tool to create virtual charging/rental sessions that the backend cannot distinguish from legitimate users.
## Exploitation
- **Status:** PoC available (Demonstrated by researcher at Black Hat Asia).
- **Complexity:** Medium (Requires hardware reverse engineering or use of specialized tools like IDScope).
- **Attack Vector:** Network / Physical (Initial key extraction may require physical access; subsequent DoS attacks can be performed remotely via the network).
## Impact
- **Confidentiality:** High (Personal information and user data of IoT service customers can be exposed via backend flaws).
- **Integrity:** High (Attackers can bypass payment systems to rent services at zero cost).
- **Availability:** High (Attackers can remotely disable individual ports or entire city-wide networks of EV chargers and mobility fleets).
## Remediation
### Patches
- No specific vendor patches have been publicly released. Providers are advised to update firmware to remove hard-coded keys and to issue unique per-device certificates.
### Workarounds
- **Backend Validation:** Implement strict server-side validation of all client-side requests to ensure they originate from legitimate, physical hardware.
- **Hardware Hardening:** Physically secure or disable UART/debugging ports on publicly accessible IoT units to prevent firmware dumping.
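The following is an added illustration of the key-management and backend-validation points above; it is not code from the presentation or from any affected vendor. It models the reported design (one fleet-wide key baked into firmware) beside the remediation (a unique key per unit that the server can revoke), and shows a server-side check that binds each request to a known device, a fresh nonce and a recent timestamp. Device IDs, keys, the `Backend` class and the request format are all constructed for the example.

```python
"""Per-device request authentication for a rented-IoT backend (added example).

Contrasts a shared fleet key, where one key extracted from a single unit
authenticates as every unit, with per-device keys that can be revoked
individually. All device IDs and keys are constructed for this example.
"""
import hashlib
import hmac
import secrets
import time

# Constructed registry: device_id -> per-device secret. A real deployment would
# provision these (or client certificates) at manufacture, one per unit.
DEVICE_KEYS = {
    "charger-0001": secrets.token_bytes(32),
    "charger-0002": secrets.token_bytes(32),
    "ebike-7781": secrets.token_bytes(32),
}


def canonical(device_id, action, ts, nonce):
    """Canonical byte string under the MAC; every field is bound to the signature."""
    return f"{device_id}|{action}|{ts}|{nonce}".encode()


def sign_request(device_id, key, action, ts=None, nonce=None):
    """Client side: build a request signed with the device's key (HMAC-SHA256)."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(key, canonical(device_id, action, ts, nonce), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "action": action, "ts": ts, "nonce": nonce, "mac": mac}


class Backend:
    """Server side: accept a request only if it comes from a known, unrevoked
    device, is recent, has not been replayed, and carries a valid MAC."""

    def __init__(self, device_keys, max_skew=60):
        self.device_keys = dict(device_keys)
        self.revoked = set()
        self.seen_nonces = set()  # production: bounded store keyed by device and window
        self.max_skew = max_skew

    def revoke(self, device_id):
        self.revoked.add(device_id)

    def verify(self, req, now=None):
        now = int(time.time()) if now is None else now
        key = self.device_keys.get(req["device_id"])
        if key is None:
            return False, "unknown device"
        if req["device_id"] in self.revoked:
            return False, "device revoked"
        if abs(now - req["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if req["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(
            key, canonical(req["device_id"], req["action"], req["ts"], req["nonce"]), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):  # constant-time comparison
            return False, "bad signature"
        self.seen_nonces.add(req["nonce"])
        return True, "ok"


def impersonation_count(per_device):
    """How many fleet units a single key taken from charger-0001 can authenticate as.

    per_device=False models the reported design (one shared fleet key);
    per_device=True models the remediation (a unique key per unit).
    """
    if per_device:
        keys = DEVICE_KEYS
    else:
        shared = secrets.token_bytes(32)
        keys = {dev: shared for dev in DEVICE_KEYS}
    backend = Backend(keys)
    extracted = keys["charger-0001"]  # the one key present in that unit's firmware
    now = 1_700_000_000
    accepted = 0
    for dev in keys:
        req = sign_request(dev, extracted, "start_session", ts=now)
        accepted += backend.verify(req, now=now)[0]
    return accepted


if __name__ == "__main__":
    print("shared fleet key accepts as", impersonation_count(per_device=False), "units")
    print("per-device keys accept as", impersonation_count(per_device=True), "unit")
```

With the shared key every unit in the registry is impersonated by one extracted secret; with per-device keys the same extraction yields exactly one identity, which `revoke()` can then cut off without touching the rest of the fleet. The nonce and timestamp checks are what stop a captured request from being replayed to spin up a session.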
## Detection
- **Indicators of Compromise:** Unusual spikes in "disabled" or "maintenance" status across geographic clusters; high volumes of API requests from single IP addresses acting as multiple diverse client IDs.
- **Detection Methods:** Monitoring for "Phantom Clients": sessions that show active usage without corresponding telemetry from the physical unit's sensors.
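As an added example of the three indicators above, the block below runs simple detection logic over constructed data: it flags sessions with no sensor load from the unit (phantom clients), source IPs that present many distinct client IDs, and geographic clusters where "disabled" or "maintenance" transitions spike within a short window. The log format, field names, thresholds and cluster labels are assumptions made for the example, not formats from any real provider.

```python
"""Detection heuristics for phantom clients and mass-disable events (added example).

All session, telemetry, API-log and status records below are constructed.
"""
from collections import defaultdict

# Constructed session records: sessions the backend believes are live.
SESSIONS = [
    {"session": "s1", "unit": "charger-0001", "start": 100, "end": 160},
    {"session": "s2", "unit": "charger-0002", "start": 100, "end": 160},
    {"session": "s3", "unit": "ebike-7781", "start": 120, "end": 150},
]

# Constructed telemetry from the physical units: (unit, ts, load in amps).
TELEMETRY = [
    ("charger-0001", 110, 16.0),
    ("charger-0001", 140, 15.8),
    ("ebike-7781", 130, 0.0),   # bike reports no motor current during its "session"
]

# Constructed API access log: timestamp, source IP, client id, method, path.
API_LOG = """\
2024-04-19T10:00:01Z 203.0.113.7 client=c-1001 POST /v1/session/start
2024-04-19T10:00:02Z 203.0.113.7 client=c-1002 POST /v1/session/start
2024-04-19T10:00:02Z 203.0.113.7 client=c-1003 POST /v1/session/start
2024-04-19T10:00:03Z 203.0.113.7 client=c-1004 POST /v1/port/disable
2024-04-19T10:00:05Z 198.51.100.4 client=c-2001 GET /v1/status
2024-04-19T10:00:09Z 198.51.100.4 client=c-2001 POST /v1/session/start
"""

# Constructed status transitions: (ts, unit, geographic cluster, new status).
STATUS_EVENTS = [
    (200, "charger-0001", "district-A", "disabled"),
    (205, "charger-0002", "district-A", "disabled"),
    (211, "charger-0003", "district-A", "maintenance"),
    (230, "charger-0004", "district-A", "disabled"),
    (210, "charger-0101", "district-B", "disabled"),
    (250, "charger-0001", "district-A", "available"),
]


def phantom_sessions(sessions, telemetry, min_samples=1, min_load=0.5):
    """Flag sessions during which the unit's sensors never reported real load."""
    flagged = []
    for s in sessions:
        samples = [
            load for unit, ts, load in telemetry
            if unit == s["unit"] and s["start"] <= ts <= s["end"] and load >= min_load
        ]
        if len(samples) < min_samples:
            flagged.append(s["session"])
    return flagged


def client_ids_per_ip(log_text):
    """Count distinct client IDs presented by each source IP."""
    ids = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the pipeline
        ip = parts[1]
        client = parts[2].split("=", 1)[-1]
        ids[ip].add(client)
    return {ip: len(clients) for ip, clients in ids.items()}


def suspicious_ips(log_text, threshold=3):
    """Source IPs acting as at least `threshold` different clients."""
    return sorted(ip for ip, n in client_ids_per_ip(log_text).items() if n >= threshold)


def disabled_spikes(events, window=60, threshold=3):
    """Clusters with at least `threshold` disabled/maintenance transitions in one window."""
    counts = defaultdict(int)
    for ts, _unit, cluster, status in events:
        if status in ("disabled", "maintenance"):
            counts[(cluster, ts // window)] += 1
    return sorted({cluster for (cluster, _bucket), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    print("phantom sessions:", phantom_sessions(SESSIONS, TELEMETRY))
    print("multi-identity IPs:", suspicious_ips(API_LOG))
    print("clusters with disable spikes:", disabled_spikes(STATUS_EVENTS))
```

The phantom check is the strongest of the three because it cross-references two independent sources (the backend's session table and the unit's own sensors); the IP and cluster heuristics are noisier on their own and work best as corroborating signals.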
## References
- **Black Hat Asia Presentation:** Hetian Shi (Tsinghua University) - "IDScope: Breaking the Rented IoT Ecosystem."
- **Article Link:** hxxps[:]//www[.]theregister[.]com/2024/04/19/rented_iot_security_black_hat_asia/