Besen BS20 EV Charger Weak Auth, Plaintext Credentials & Unauthenticated OTA Vulnerabilities

Besen Home EV Charging Station Security Vulnerability Summary Vulnerability Overview The Besen Home EV Charging Station (Model BS20) contains multiple critical security vulnerabilities affecting authentication mechanisms, data transmission, firmware updates, and command control. Impact Scope Affected Devices: Besen Home EV Charging Station (BS20 EV Charger) Other Potential OEM Brands: IEVISION, LECTRON, MORECEVSE, PRIMECOM, XUNDIAO, MOREC, OCULAR Communication Protocols: BLE (Bluetooth Low Energy), UDP Specific Vulnerability Details 1. Weak Authentication Mechanism (CVE-2026-9394) Issue: The device uses a shared default password with a forced 6-digit numeric format. Impact: The key space is limited to only 1,000,000 combinations, and the BLE authentication handshake can be captured and brute-forced offline. Consequence: Credentials can be recovered without further interaction, potentially leading to unauthorized access and control. 2. Plaintext Credential Exposure (CVE-2026-9395) Issue: User credentials are transmitted in plaintext via UDP and BLE. Impact: Both old and new passwords are exposed during password changes, and passwords are frequently broadcast over UDP. Consequence: Attackers on the same local network can observe and obtain credentials, leading to unauthorized access. 3. Firmware Version Check Manipulation and UI Spoofing (CVE-2026-9396) Issue: The mobile application does not validate firmware version responses. Impact: Attackers can intercept and modify responses to display arbitrary "updated" versions. Consequence: Even if the device is already up-to-date, an upgrade button will still be displayed, allowing UI spoofing and misleading update prompts. 4. Unauthorized Firmware Installation via Forged OTA Updates (CVE-2026-9397) Issue: The device lacks strict verification for OTA firmware updates. Impact: Built-in security measures can be bypassed, allowing attackers to forge update servers and deliver malicious firmware. Consequence: The device may accept malicious firmware, leading to complete device control and manipulation of charging behavior. 5. Unauthorized Charger Command Tampering (CVE-2026-9398) Issue: Commands between the mobile application and the EV charger are transmitted via BLE or Wi-Fi without encryption or integrity protection. Impact: Attackers can intercept, modify, and replay UDP packets. Consequence: Charging behavior can be manipulated, including unauthorized changes to duration, current, power, or start/stop status. Remediation Measures Implement strong authentication mechanisms and avoid using default passwords. Encrypt all communication data. Verify the authenticity of firmware version responses. Strengthen verification mechanisms for OTA firmware updates. Implement encryption and integrity protection for command transmission. Responsible Disclosure These vulnerabilities have been reported to Besen, and as of April 2026, they have confirmed that they are under review.

Goal Reached Thanks to every supporter — we hit 100%!

Besen BS20 EV Charger Weak Auth, Plaintext Credentials & Unauthenticated OTA Vulnerabilities

More from this source