Zero Day Initiative | Blog
Follow
Reviewing the Attack Surface of the Autel MaxiCharger: Part Two
The Autel MaxiCharger's attack surface has been analyzed to provide inspiration for vulnerability research. The charger's software versions at the time of writing included Autel Charge app v3.0.7, Autel Config app v2.1.0, and various Autel MaxiCharger modules. The Autel Charge app allows users to define charging schedules, load balance, and provide Wi-Fi credentials, among other features. Upon loading the app on a rooted Android device, a superuser request is seen, indicating anti-reversing measures. Network traffic analysis revealed that the charger sends DNS requests for Autel-related infrastructure and establishes a TLS session with the server. The charger periodically sends log data to the Autel server, which responds with JSON data. The charger also downloads firmware updates over HTTP. After updating the firmware, the charger only uses HTTPS for communication.Port scanning the charger over Wi-Fi showed no open TCP or UDP ports, but UDP ports 6000 and 6666 appear to be listening over the Ethernet interface. The charger's Bluetooth Low Energy services offer 14 characteristics, which are used by the Autel Charge app to communicate with the charger. The main microcontroller's firmware can be acquired by sniffing the charger update process or by reversing the app to figure out the download URLs. The firmware of the ESP32 WROOM 32D module can be dumped using the standard esptool.py from Espressif. Other potential attack surfaces include the undocumented USB C port, the SIM card tray, and the RFID reader.