DIVD-2024-00035 - 17 vulnerabilities in Iocharger devices

Our reference: DIVD-2024-00035
Case lead: Frank Breedijk
Author:
Researcher(s):
CVE(s):
Products:
  • Iocharger Home
  • Iocharger Pedestal
  • All other Iocharger AC models, including those sold as white label solutions under a different brand name
Versions:
  • Firmware below version 25010801
Recommendation: Do not expose your Iocharger equipment to untrusted networks (e.g. the internet or a visitor network). If internet connectivity is needed, place the device behind a NAT gateway and block all incoming traffic. Change the passwords of the device if these have not been changed yet.
Patch status: Firmware version 24120701 fixes 13 vulnerabilities, version 25010801 fixes 3 more. Firmware is available via distributors of Iocharger products.
Status: Open
Last modified: 09 Jan 2025 09:29 CET

Summary

Security researcher Wilco van Beijnum assisted by DIVD researcher Harm van den Brink has found 17 vulnerabilities in Iocharger AC products, which alone or in combination can lead to a full device compromise.

Iocharger has fixed the following 16 vulnerabilities:

Although all attacks are authenticated, an attacker in possession of a device or a firmware image is able to extract all information needed to execute these attacks on other devices. Successful exploitation gives an attacker full control over any device it can reach, either remotely via the internet or by being on the same (visitor) network as the charger.

The vendor reports that firmware version 24120701 fixes 13 of these vulnerabilities and that version 25010801 fixes another 3. One vulnerability is currently still being fixed by the vendor.

What you can do

The vulnerabilities have been fixed in firmware versions 24120701 and 25010801, which apply to all AC chargers manufactured by Iocharger. Iocharger does not have a website where firmware can be downloaded or where it publishes release notes or security bulletins. Instead, Iocharger has made its distributor(s) aware that firmware updates are available that fix security findings, and has urged them to install these on customers’ hardware. If, as an owner, you have not been contacted by your distributor/vendor, we advise you to reach out to them for updated firmware. If you cannot get support from your vendor/distributor, you can contact Iocharger directly at sales@iocharger.com to get updated firmware.

Because Iocharger uses weak default passwords that can relatively easily be extracted from the firmware, we also advise you to change the passwords of all accounts immediately.

Additionally, we recommend that you make sure that no Iocharger device is reachable from the internet or from any other untrusted network (e.g. a visitor network).
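As an added example of the network placement recommended above (this is not Iocharger's or DIVD's configuration; the interface names, the 10.20.0.0/24 charger subnet and the 10.0.0.0/24 management subnet are assumptions), the following nftables ruleset for a Linux gateway puts the chargers on their own VLAN, source-NATs their outbound traffic, accepts only return traffic for sessions they opened, and drops every new inbound connection to them from the internet or a visitor network:

```nft
# Added example, not vendor configuration. Assumed interfaces and subnets:
#   wan0  - uplink to the internet
#   chg0  - VLAN holding the Iocharger units, 10.20.0.0/24
#   mgmt0 - management network, 10.0.0.0/24 (the only network allowed to open
#           connections to the chargers, e.g. to change passwords or update firmware)
define wan      = "wan0"
define chg      = "chg0"
define mgmt     = "mgmt0"
define chg_net  = 10.20.0.0/24
define mgmt_net = 10.0.0.0/24

table inet charger_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for sessions the chargers or the management hosts opened
        ct state established,related accept

        # Chargers may open connections to the internet, and nowhere else
        iifname $chg oifname $wan ip saddr $chg_net accept

        # Only the management network may open connections to the chargers
        iifname $mgmt oifname $chg ip saddr $mgmt_net ip daddr $chg_net accept

        # Every other new connection towards the chargers (internet, visitor
        # network, other VLANs) is counted and dropped
        oifname $chg counter drop
    }
}

table ip charger_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide the charger subnet behind the gateway's WAN address
        ip saddr $chg_net oifname $wan masquerade
    }
}
```

Load it with `nft -f` on the gateway. Because the forward chain's policy is drop, the chargers can only initiate traffic to the internet and receive replies to it, which is the "block all incoming traffic" part of the recommendation; hosts on the same charger VLAN still see each other at layer 2, so if several chargers share the VLAN and that matters, use switch port isolation as well.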

What we are doing

DIVD has responsibly disclosed 17 vulnerabilities to Iocharger, who have fixed 16 of these vulnerabilities and are still working on fixing the last one. Updated firmware has been made available to their distributors. Now that these vulnerabilities have been published, we are scanning the internet to identify these devices and warn owners or network administrators that these devices are vulnerable and need to be updated via their suppliers.

We will continue to work with Iocharger to get the remaining vulnerabilities fixed.

Timeline

Date                        Description
13 Aug 2024                 Vulnerabilities reported by Wilco van Beijnum and Harm van den Brink to CSIRT
15 Aug 2024                 Vulnerabilities reported to and received by the vendor
15 Aug 2024 - 15 Aug 2024   Time to acknowledge (0 days)
15 Aug 2024 - 07 Dec 2024   Time to patch 13 vulns (114 days)
15 Aug 2024 - 08 Jan 2025   Time to patch 3 vulns (146 days)
15 Aug 2024 - ?             Time to patch last vulnerability
02 Sep 2024                 Vendor reports that the issues were found before; a fix is planned for the near future.
27 Sep 2024                 Vendor reports that a patch has been developed; more time to test is needed.
07 Dec 2024                 Firmware 24120701 created to address security findings.
18 Dec 2024                 Binary analysis of firmware 24120701 done. 4 vulnerabilities unfixed. Reported to vendor.
08 Jan 2025                 Firmware 25010801 released, fixing 3 findings.
08 Jan 2025                 Binary analysis of firmware 25010801 done. All 3 vulnerabilities fixed. One vulnerability remaining.
09 Jan 2025                 Limited disclosure of 16 vulnerabilities
15 Aug 2024 - 09 Jan 2025   Time to limited disclosure of 16 vulnerabilities (147 days)
01 Jun 2025                 Approximate date for full disclosure
15 Aug 2024 - ?             Time to full disclosure

[Gantt chart: DIVD-2024-00035 - 17 vulnerabilities in Iocharger devices (case still open, 13 Aug 2024 to 16 Jan 2025), plotting the events and durations listed in the table above.]

More information