Accessing the administration interface of numerous internet-connected Hypercharger charging stations was shockingly easy—simply by using the default login credentials: username ‘admin’ and password ‘admin123.’ These charging stations, bearing the brand name Hypercharger, are manufactured by the Italian company Alpitronic.
In a rather unexpected turn, Annika Wickert, Stefan Klöpping, and Jan Gilla, all working within the IT industry, stumbled upon a publicly available manual for Hypercharger devices.
Surprisingly, this manual contained the exact login details needed to access the web interface. Their curiosity led them to explore these findings using the Shodan search engine, uncovering a multitude of connected Hyperchargers.
What’s alarming is that the default credentials, despite the manual advising users to alter them, continued to grant access to several devices. Tests conducted later confirmed that roughly a third of the discovered charging stations could be accessed using these default credentials.
The web interface offered more control than expected, allowing for adjustments in device settings, including payment mechanisms and electrical configurations. However, it wasn’t all concerning; while payment data was accessible on some devices, sensitive information like credit card numbers was only shown partially, with names or further personal details not revealed. Alpitronic clarified that no data relevant to GDPR (General Data Protection Regulation) was at risk.
Moreover, there was a troubling uniformity in security—the web interface operated on an HTTPS protocol with an expired certificate. This shared certificate, used for all devices, was issued for the hostname.
hypertronic.it and certified by the authority Globalsign. What’s even more concerning is that the private key of this certificate was utilized in other certificates as well.
This raised serious concerns as owners or individuals with access to the firmware might easily extract the private key. Such a breach could compromise connections to related domains and subdomains through Man-in-the-Middle attacks. With its wildcard nature, the certificate was valid for all subdomains of hypercharger.it, posing a widespread security risk.
