Hello,
I wanted to share an incident with shared certificates and keys on EV
charger devices. I discovered this while investigating another security
issue. (The devices were shipped with default credentials for HTTP
authentication, see [1].)
Devices of the Hypercharger brand (company Alpitronic) provide an HTTPS
web interface with a shared certificate issued for *.hypercharger.it
(expired in May 2022):
https://crt.sh/?id=11281533746
The same private key is used in other certificates (all expired):
https://crt.sh/?spkisha256=c8d3f7b83fdd94b804d0fea58818ce8c5c8f375a88c1e5c178ea0845d83200f4
All devices shared the same certificate. With access to the device
itself (or possibly the firmware), it is possible to get access to the
private key. While the devices provide firmware update functionality,
the firmware files are not publicly available.
Given that this is a wildcard certificate, it could've been used to
attack connections to any subdomain of hypercharger.it.
I informed Alpitronic about this. They told me that they would use
individual certificates for future devices. That the same key was used
for other hosts was, according to Alpitronic, an internal mistake.
As all the affected certificates had already expired, there was nothing
to do in terms of revocation and no need to report it to the
certificate authority.
However, there is an interesting hypothetical question: If this had
been discovered while the certificates were still valid, would a CA be
obliged to revoke the certificates? What kind of evidence would be
sufficient to show a key compromise?
[1] https://industrydecarbonization.com/news/insecure-password-allowed-administrative-access-to-electric-vehicle-chargers.html
--
Hanno Böck
https://hboeck.de/
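Added example, not part of the post above: the key reuse described there was found through crt.sh's spkisha256 lookup, and the same fingerprint (SHA-256 over the DER SubjectPublicKeyInfo) lets a defender audit a fleet of device or server certificates for shared keys offline. This Go program (standard library only; the subject names and keys are constructed placeholders) computes that fingerprint and reports subjects whose certificates carry one and the same key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// spkiSHA256 hashes the DER SubjectPublicKeyInfo of a public key (cert.PublicKey
// of a parsed *x509.Certificate): the fingerprint behind crt.sh's spkisha256 parameter.
func spkiSHA256(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// sharedKeys takes certificate subjects with their public keys and returns the
// groups of two or more subjects whose certificates carry the same key.
func sharedKeys(keys map[string]any) (map[string][]string, error) {
	groups := map[string][]string{}
	for name, pub := range keys {
		fp, err := spkiSHA256(pub)
		if err != nil {
			return nil, err
		}
		groups[fp] = append(groups[fp], name)
	}
	for fp, names := range groups {
		if len(names) < 2 {
			delete(groups, fp) // a key seen once is not evidence of reuse
		}
	}
	return groups, nil
}

func main() {
	shared, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed fleet keys
	unique, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	groups, _ := sharedKeys(map[string]any{"*.example.test": &shared.PublicKey,
		"other.example.test": &shared.PublicKey, "lone.example.test": &unique.PublicKey})
	fmt.Println(groups) // one group: the two subjects that reuse "shared"
}
```

For real certificates, parse each with x509.ParseCertificate and pass cert.PublicKey keyed by cert.Subject.String(); the printed fingerprint can be pasted into crt.sh's spkisha256 query to find every public certificate issued for that key.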