Vendor: Besen
URL: https://www.besen-group.com/home-ev-charging-station/
Product: EV Charging Station
Main Model: BS20 EV Charger
Other potential OEM brands from our research: IEVISION, LECTRON, MORECEVSE, PRIMECOM, XUNDAO, MOREC, OCULAR
A weak authentication vulnerability exists in the Besen Home EV Charging Station. The device ships with a shared default (common) password and enforces a fixed 6-digit numeric password format, limiting the keyspace to 1,000,000 possible combinations. This significantly reduces resistance to brute-force attacks. Additionally, the Bluetooth Low Energy (BLE) authentication handshake can be captured and subjected to offline brute-force cracking, enabling attackers to recover credentials without further interaction with the device.
Successful exploitation may allow unauthorized access and control of the charging station.
The Besen Home EV Charging Station exposes user credentials in plaintext over both UDP and BLE. Operations such as a password change reveal both the old and new passwords in plaintext.

The plaintext password is also observed to be frequently broadcast via UDP, making it observable to any attacker on the same local network.
Successful exploitation may lead to unauthorized access and control of the device.
The mobile app does not validate firmware version responses during update checks. An attacker can intercept and modify this response to display an arbitrary “newer” version, enabling the upgrade button even when the device is up to date. This allows UI spoofing and misleading update prompts.
The device lacks robust validation of OTA firmware updates. Although some built-in safeguards and validation checks exist, they can be bypassed. An attacker can spoof the update server and deliver malicious firmware, which the device may accept as legitimate. This could enable full device compromise and manipulation of charging behavior.
Commands between the mobile app and EV charger (via BLE or Wi-Fi) are transmitted without encryption or integrity protection.
An attacker can intercept, modify, and replay UDP packets to manipulate charging behavior, including altering duration, current, power, or start/stop states without authorization.
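As a mitigation sketch for the missing integrity protection described above (an added example, not Besen's protocol or code), the following shows how a per-command HMAC tag plus a monotonic counter lets a device reject both modified and replayed packets. The packet layout, opcodes, and class names are hypothetical, and the 32-byte key is assumed to be a random per-device secret established at pairing, not derived from the 6-digit password.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical command layout (not the vendor's format):
# 8-byte counter, 1-byte opcode, 2-byte value, then a 32-byte HMAC-SHA256 tag.
HDR = struct.Struct(">QBH")
TAG_LEN = 32
OP_START, OP_STOP, OP_SET_CURRENT = 1, 2, 3  # hypothetical opcodes

def seal(key: bytes, counter: int, opcode: int, value: int) -> bytes:
    """App side: serialize a command and append its authentication tag."""
    body = HDR.pack(counter, opcode, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Charger:
    """Device side: accept a command only if the tag verifies and the counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, packet: bytes):
        if len(packet) != HDR.size + TAG_LEN:
            return None  # malformed
        body, tag = packet[:HDR.size], packet[HDR.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit, or sender lacks the key
        counter, opcode, value = HDR.unpack(body)
        if counter <= self.last_counter:
            return None  # replay of a previously accepted packet
        self.last_counter = counter  # only advanced after full verification
        return opcode, value

def demo():
    key = os.urandom(32)  # constructed key; must be high-entropy, since a key
    charger = Charger(key)  # derived from a 6-digit PIN could be guessed offline
    pkt = seal(key, 1, OP_SET_CURRENT, 16)
    first = charger.receive(pkt)      # accepted
    replayed = charger.receive(pkt)   # same bytes sent again: rejected
    tampered = bytearray(seal(key, 2, OP_SET_CURRENT, 16))
    tampered[HDR.size - 1] = 32       # current value changed from 16 to 32 in transit
    modified = charger.receive(bytes(tampered))  # tag mismatch: rejected
    fresh = charger.receive(seal(key, 2, OP_STOP, 0))  # counter 2 is still usable
    return first, replayed, modified, fresh

if __name__ == "__main__":
    print(demo())
```

An HMAC tag provides integrity and replay resistance only; the plaintext exposure described earlier would additionally require encrypting the channel.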
These vulnerabilities have been reported to Besen, and we have received their acknowledgement that they are reviewing this as of April 2026.

