Hello, I wanted to share an incident with shared certificates and keys on EV charger devices. I discovered this while investigating another security issue. (The devices were shipped with default credentials for HTTP authentication, see [1].)
Devices of the Hypercharger brand (company Alpitronic) provide an HTTPS web interface with a shared certificate issued for *.hypercharger.it (expired in May 2022):
https://crt.sh/?id=11281533746

The same private key is used in other certificates (all expired):
https://crt.sh/?spkisha256=c8d3f7b83fdd94b804d0fea58818ce8c5c8f375a88c1e5c178ea0845d83200f4

All devices shared the same certificate. With access to the device itself (or possibly the firmware), it is possible to get access to the private key. While the devices provide firmware update functionality, the firmware files are not publicly available.

Given that this is a wildcard certificate, it could've been used to attack connections to any subdomain of hypercharger.it.

I informed Alpitronic about this. They told me that they would use individual certificates for future devices. That the same key was used for other hosts was, according to Alpitronic, an internal mistake.

As all the affected certificates had already expired, there was nothing to do in terms of revocation and no need to report it to the certificate authority.

However, there is an interesting hypothetical question: If this had been discovered while the certificates were still valid, would a CA be obliged to revoke the certificates? What kind of evidence would be sufficient to show a key compromise?

[1] https://industrydecarbonization.com/news/insecure-password-allowed-administrative-access-to-electric-vehicle-chargers.html

-- 
Hanno Böck
https://hboeck.de/
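Added example (not part of the post above, and not Alpitronic's or crt.sh's code): a small Go fleet audit that computes the SPKI SHA-256 fingerprint crt.sh indexes as spkisha256 and groups device certificates by it, so that one private key reused across several certificates shows up as a group with more than one name. The device names, key pairs and self-signed certificates are constructed in-line for the demo; in practice the certificates would be read from the devices' TLS endpoints or firmware images.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// spkiSHA256 returns the hex SHA-256 of the certificate's DER-encoded
// SubjectPublicKeyInfo, the same value crt.sh indexes as spkisha256.
func spkiSHA256(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// groupBySPKI maps each SPKI hash to the names of the certificates carrying
// that public key; any group with more than one name is a shared key.
func groupBySPKI(certs []*x509.Certificate) map[string][]string {
	byKey := map[string][]string{}
	for _, c := range certs {
		h := spkiSHA256(c)
		byKey[h] = append(byKey[h], c.DNSNames[0])
	}
	return byKey
}

// selfSigned builds a constructed self-signed test certificate for name using key.
func selfSigned(name string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was produced just above, so it parses
	return cert
}

// demoFleet constructs three device certificates (hypothetical names): two share
// one private key, mirroring the situation in the post, and one has its own key.
func demoFleet() []*x509.Certificate {
	shared, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	unique, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return []*x509.Certificate{selfSigned("device-a.example", shared),
		selfSigned("device-b.example", shared), selfSigned("device-c.example", unique)}
}
```

Running groupBySPKI over demoFleet() yields two groups: one hash listing device-a and device-b (the shared key) and one listing only device-c.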
