Full Report
Demonstrated in China, probably applicable elsewhere

Black Hat Asia

Developers of rented internet of things infrastructure – stuff like public EV chargers and shared e-bikes – are prioritizing user convenience over security, and leaving themselves exposed to wide-scale denial of service attacks on their services.…
Analysis Summary
# Vulnerability: Large-Scale Denial of Service in Rented IoT Infrastructure (EV Chargers/E-Bikes)
## CVE Details
- **CVE ID**: N/A (Disclosed as architectural/implementation flaws at Black Hat Asia; no specific CVE assigned in the report)
- **CVSS Score**: Estimated 8.5 (High). This is an analyst estimate; no vendor or NVD score has been published.
- **CWE**: CWE-287: Improper Authentication; CWE-321: Use of Hard-coded Cryptographic Key (see also CWE-798: Use of Hard-coded Credentials); CWE-639: Authorization Bypass Through User-Controlled Key.
## Affected Systems
- **Products**: Public Electric Vehicle (EV) charging stations, shared e-bikes, and scooters.
- **Versions**: Not version-specific; the flaw is architectural. The research was demonstrated in China, and the report states that 11 European shared mobility apps and multiple Chinese EV charging platforms were confirmed vulnerable; the same design pattern is likely present elsewhere.
- **Configurations**: Backends that favour user convenience and low-latency connectivity over verifying which device and which user a request comes from; devices that ship with physical UART/debug interfaces left enabled.
## Vulnerability Description
The vulnerability stems from a systemic failure in the architecture of "Rented IoT" ecosystems. Researchers identified three primary technical flaws:
1. **Hardcoded Credentials**: Firmware contains a fleet-wide authentication key that can be read out over the physical UART/debug port of a single unit; once extracted, the key is valid for every device in the fleet.
2. **Broken Backend Authentication**: Backend APIs do not verify that a request originates from a legitimate physical device, nor that the requesting user session is entitled to act on that particular device.
3. **Insecure ID Mapping**: Device IDs are predictable or public (printed on units, shown in the consumer app) and are the only per-target input a state-changing request needs; no secondary, device- or session-bound authorization token is required.
Combining these, an attacker builds a "phantom client", a software emulation of the service's mobile app that presents the extracted key and sends commands directly to the cloud backend, iterating over the public device IDs to reach every unit.
## Exploitation
- **Status**: PoC available (Tool titled "IDScope" demonstrated by researcher Hetian Shi).
- **Complexity**: Medium. Hardware reverse engineering is needed once, to extract the shared key from a single unit; after that, repeating the attack across a whole fleet is a matter of running a script.
- **Attack Vector**: Network (Remote exploitation of the backend API).
## Impact
- **Confidentiality**: High (Exposure of personal user information via backend access).
- **Integrity**: High (Ability to manipulate charging/rental states and bypass payment systems).
- **Availability**: High (Ability to remotely disable individual ports or entire city-wide networks of EV chargers and shared transport).
## Remediation
### Patches
- **Vendor-specific**: No universal patch exists. IoT providers must change the mobile application API so that commands are authorized per device and per session, and must rotate the exposed firmware keys. Rotating to a new key that is still shared across the fleet only restarts the clock; each unit needs its own credential.
### Workarounds
- **API Rate Limiting**: Implement aggressive rate limiting on the backend so that automated "phantom client" scripts cannot scan and disable many units quickly. This is a mitigation rather than a fix: an attacker with many source addresses, or one willing to scan slowly, stays under any threshold.
- **Signed, device-bound commands**: Move away from ID-only commands to tokens generated and signed by the physical hardware at the time of use, using a per-device key rather than the fleet-wide one, bound to the user's active session and valid only briefly.
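The following is an added example, not the researchers' IDScope tool and not any vendor's code. It models, in one toy backend, the weak command path described under Vulnerability Description (a fleet-wide hardcoded key plus a public device ID is enough to change any unit's state) and the device-bound alternative recommended above (each unit signs the exact command with its own secret; the backend also checks session ownership, expiry and replay). The fleet, key material, session IDs and 30-second token lifetime are all constructed assumptions.

```python
"""Toy rented-IoT backend: weak fleet-key authorisation beside a device-bound
signed-command design. Constructed for illustration; not vendor code."""
import hashlib
import hmac
import os
import time

FLEET = {f"CHG-{i:04d}": "available" for i in range(1, 6)}   # constructed fleet of five chargers

# --- Weak design: one key baked into every firmware image -------------------
SHARED_APP_KEY = b"fleet-wide-key-recoverable-over-uart"      # constructed value


def weak_disable(device_id: str, presented_key: bytes) -> bool:
    """Any caller holding the fleet-wide key may change any unit's state.
    The device ID (printed on the unit, shown in the app) is the only
    per-target input, so one extracted key covers the whole fleet."""
    if not hmac.compare_digest(presented_key, SHARED_APP_KEY):
        return False
    if device_id not in FLEET:
        return False
    FLEET[device_id] = "disabled"
    return True


def phantom_client_sweep(extracted_key: bytes) -> int:
    """Attacker's script: walk the visible ID space with the one extracted key."""
    return sum(weak_disable(dev, extracted_key) for dev in list(FLEET))


# --- Hardened design: per-device secret, unit-signed, session-bound ---------
DEVICE_SECRETS = {dev: os.urandom(32) for dev in FLEET}   # assumed provisioned per unit, never in a shared image
SEEN_NONCES: set = set()                                   # replay protection
ACTIVE_SESSIONS: dict = {}                                 # session_id -> device the user actually unlocked
TOKEN_TTL = 30                                             # seconds a signed command stays valid (assumed)


def bind_session(session_id: str, device_id: str) -> None:
    """Recorded by the backend when a user's rental or charge on this unit begins."""
    ACTIVE_SESSIONS[session_id] = device_id


def command_message(device_id: str, command: str, nonce: bytes, expires: int) -> bytes:
    return b"|".join([device_id.encode(), command.encode(), nonce, str(expires).encode()])


def issue_signed_command(device_id: str, command: str, now: float) -> dict:
    """Runs on the physical unit: it signs the exact command with its own secret.
    In this toy the unit and backend share DEVICE_SECRETS; a real unit keeps its copy in hardware."""
    nonce, expires = os.urandom(16), int(now) + TOKEN_TTL
    sig = hmac.new(DEVICE_SECRETS[device_id],
                   command_message(device_id, command, nonce, expires), hashlib.sha256).digest()
    return {"device_id": device_id, "command": command, "nonce": nonce, "expires": expires, "sig": sig}


def hardened_command(cmd: dict, session_id: str, now: float = None) -> bool:
    """Backend check: session owns the unit, token is fresh and unused, signature is that unit's."""
    now = time.time() if now is None else now
    dev = cmd["device_id"]
    if dev not in FLEET:
        return False
    if ACTIVE_SESSIONS.get(session_id) != dev:               # CWE-639 check: a session may only drive its own unit
        return False
    if now > cmd["expires"] or cmd["nonce"] in SEEN_NONCES:  # stale or replayed token
        return False
    expected = hmac.new(DEVICE_SECRETS[dev],
                        command_message(dev, cmd["command"], cmd["nonce"], cmd["expires"]), hashlib.sha256).digest()
    if not hmac.compare_digest(cmd["sig"], expected):        # must have been signed by that unit
        return False
    SEEN_NONCES.add(cmd["nonce"])
    FLEET[dev] = {"disable": "disabled", "enable": "available"}.get(cmd["command"], FLEET[dev])
    return True


def phantom_forge(device_id: str, command: str, now: float, session_id: str) -> bool:
    """What the phantom client can still try: it holds the fleet key and the public ID,
    but not this unit's own secret, so its signature does not verify."""
    nonce, expires = os.urandom(16), int(now) + TOKEN_TTL
    sig = hmac.new(SHARED_APP_KEY, command_message(device_id, command, nonce, expires), hashlib.sha256).digest()
    return hardened_command({"device_id": device_id, "command": command,
                             "nonce": nonce, "expires": expires, "sig": sig}, session_id, now)
```

In the weak path `phantom_client_sweep` disables the whole constructed fleet with a single key; in the hardened path the same key buys nothing, and even a valid signed command is rejected when replayed, expired, or sent from a session that does not own the unit.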
## Detection
- **Indicators of Compromise**:
- High volumes of state-changing API requests from a single IP address, or from user agents that do not match the genuine mobile app.
- Systematic state changes (e.g., green/available to grey/disabled) across a geographic area in a short timeframe.
- **Detection methods**: Backend log analysis for sequential or "ID-skipping" targeting of device IDs from one source, and for state-changing commands that have no matching active rental or charging session.
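The detection logic below is an added example, not tooling from the report or any operator. It runs the three checks listed above (per-source burst volume, sequential device-ID targeting, unknown user agents) over constructed backend log lines. The log format, addresses, user-agent allowlist and thresholds are assumptions for this illustration.

```python
"""Backend log sweep for phantom-client activity. Constructed example; log
format and thresholds are assumed, not taken from any real platform."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" user=(?P<user>\S+) '
    r'POST /api/v1/device/(?P<dev>[A-Z]+-(?P<num>\d+))/(?P<cmd>\w+) (?P<status>\d{3})$'
)
KNOWN_APP_UAS = ("ChargeApp/", "RideApp/")   # assumed allowlist of the genuine mobile app UAs
STATE_CHANGING = ("disable", "stop", "lock")  # assumed names of the commands that take a unit out of service

# Constructed log: two genuine app users, then one phantom client that disables
# CHG-0001..CHG-0012 in order, from one address, within twelve seconds.
SAMPLE_LOG = [
    '2026-04-24T10:00:03Z ip=198.51.100.21 ua="ChargeApp/3.2 (Android 14)" user=u1042 POST /api/v1/device/CHG-0107/start 200',
    '2026-04-24T10:00:41Z ip=198.51.100.88 ua="ChargeApp/3.1 (iOS 17)" user=u2210 POST /api/v1/device/CHG-0031/stop 200',
] + [
    f'2026-04-24T10:01:{i:02d}Z ip=203.0.113.7 ua="python-requests/2.31.0" user=u9000 '
    f'POST /api/v1/device/CHG-{i:04d}/disable 200'
    for i in range(1, 13)
]


def parse(line: str):
    """One log line -> dict, or None if it is not a device command."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    e["num"] = int(e["num"])
    return e


def longest_sequential_run(nums) -> int:
    """Length of the longest run in which each device number is the previous one plus 1."""
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def max_in_window(times, window_s: float) -> int:
    """Peak number of requests from one source inside any window_s-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(lines, window_s=60, max_per_source=10, min_run=5):
    """Return (ip, indicator, detail) alerts for each source that trips a check."""
    events = [e for e in map(parse, lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["t"])
        burst = max_in_window([e["t"] for e in evs], window_s)
        if burst > max_per_source:
            alerts.append((ip, "burst", burst))
        changed = [e["num"] for e in evs if e["cmd"] in STATE_CHANGING and e["status"] == "200"]
        run = longest_sequential_run(changed)
        if run >= min_run:
            alerts.append((ip, "sequential_ids", run))
        odd_uas = sorted({e["ua"] for e in evs if not e["ua"].startswith(KNOWN_APP_UAS)})
        if odd_uas:
            alerts.append((ip, "unknown_ua", odd_uas))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only the phantom client's address trips the checks on the sample data; the two genuine users each make a single request from the real app. The sequential-ID check is keyed on successful state-changing commands so that a normal user starting and stopping one charge never counts.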
## References
- **Black Hat Asia Presentation**: "Weak security means attackers could disable all of a city's public EV chargers" - Hetian Shi, Tsinghua University.
- **General Article**: hxxps[:]//www[.]theregister[.]com/2026/04/24/black_hat_asia_iot_security/
- **Research Tool**: IDScope (Internal research tool).