Latest YouTube Video

Thursday, September 8, 2016

[FD] Multiple vulnerabilities - Powerlogic/Schneider Electric IONXXXX series Smart Meters

*Powerlogic/Schneider Electric IONXXXX series Smart Meters - Multiple security issues* *Impacted devices:* *ION7300 and potentially all IONXXXX models (based off of Powerlogic) *For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274 http://ift.tt/2cJ3wyS *About* Power & Energy Monitoring System Compact energy and power quality meters for feeders or critical loads The PowerLogic ION7300 series meters help you: • reduce energy and operations costs • improve power quality, reliability and uptime • optimize equipment use for optimal management of your electrical installation and greater productivity Used in enterprise energy management applications such as feeder monitoring and sub-metering, ION7300 Series meters offer unmatched value, functionality, and ease of use. ION7300 Series meters interface to PowerLogic StrxureWare software or other automation systems to give all users fast information sharing and analysis. ION7300 Series meters are an ideal replacement for analogue meters, with a multitude of power and energy measurements, analogue and digital I/O, communication ports, and industry-standard protocols. The ION7330 meter has on-board data storage, emails of logged data, and an optional modem. The ION7350 meter is further augmented by more sophisticated power quality analysis, alarms and a call-back-on-alarm feature. *Applications* - Power monitoring and control operations. - Power quality analysis. - Cost allocation and billing. - Demand and power factor control. - Load studies and circuit optimisation. - Equipment monitoring and control. - Preventive maintenance. *Rebranded or used as is, by different organizations * *Canada* Telus Mobility Futureway Communications Radiant Communications Acadia University Loyalist College Seneca College TBayTel *Mexico* Universidad Nacional Autonoma de Mexico *USA* Frontier Communications Cox Communications Avon Old Farms School University of Pennsylvania Princeton University City of Glenwood Springs, Electric Department University of California, Santa Cruz City of Thomasville Utilities Comcast Cable Verizon Wireless City Of Hartford AT&T Internet Services CNS-Internet Comcast Business Communications AT&T U-verse *Vulnerabilities * *HTTP Web Management portal * Provides stats for Monitor Energy, Revenue, Peak Demand, Voltage Disturbances. *No access control* – by default no Authentication is configured, to access device’s web management portal. An unauthorized user can access the device management portal and make config changes. This can further be exploited easily at a mass scale, with scripting, and submitting device configuration changes via a specific POST request. I suspect it may also be possible to cause denial of service to these devices, as well as additional devices - which directly or indirectly accept / send data to/from these meters - by submitting varying amounts of invalid / junk data. *Vulnerable to Cross-Site Request Forgery * There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. Successful exploitation of these vulnerabilities allow silent execution of unauthorized actions on the device specifically modifying parameter configurations – voltage modes, polarity, voltage units, current units, interval values -, and submitting configuration changes to meter. *Front Panel security (Physical) * *Weak Credential Management* – Default meter password is factory-set to 00000 – mandatory default password change is not enforced. Front panel meter security lets you configure the meter through the front panel using a meter password. Front panel meter security is enabled by default on all ION7300 series meters; all configuration functions in the front panel are password‐protected. The password is factory‐set to 0 (zero). *Telnet * *Weak Credentials Management * - *Default accounts* - different models come with corresponding login creds - documented in the powerlogic admin guide - http://ift.tt/2cakzEW - Application does not enforce a mandatory default password change For example, for ION7300, default creds are: User - 7300 Password – 0 (<— zero) +++++

Source: Gmail -> IFTTT-> Blogger

No comments: