Secolve throws light on vulnerabilities found in Schneider equipment used in critical environments

OT cybersecurity firm Secolve has identified and reported vulnerabilities in Schneider Electric’s Acti9 PowerTag Link Csmart PLC and the EcoStructure Facility Expert software and applications. Based on its research, the devices, applications, and cloud infrastructure would have exposed sensitive user information and allowed commands to be run on devices without proper authorization or authentication.

“The two most impactful findings included hard-coded credentials that allowed us to download full snapshots of any other PowerTag Linksmart gateway device in the world, and poor implementation of access controls on the physical device allowed us to issue arbitrary commands from the same network segment,” Secolve wrote in a blog post on Wednesday. 

“We were able to identify, assess, and report these issues before they could be exploited in the real world, ensuring that our client could upgrade their facilities with safety and security. Vulnerability disclosure was coordinated with Schneider,” the post added.

The Acti9 PowerTag Link C is a gateway device that allows business owners to monitor and control connected devices from their smartphones. These devices can include temperature sensors for fridges and cold rooms, power meters for cooking equipment, light switches, ventilation switches, and main power breakers. While convenient for business owners and managers, exposing these devices to the Internet carries cybersecurity risks.

Secolve said that poor programming practices can often lead to serious security holes. “Mobile applications are widely available to the public and easy to reverse engineer, as applications using Java, which the Android runtime runs on, are easily decompiled. Sensitive information such as server login credentials should never be left in any public facing applications,” it added.

In this case, Secolve’s inspection showed several login credentials for Schneider web services were hardcoded into the application. “While these credentials were theoretically protected by encryption, both the full decryption method and the encryption key were available and reversible, rendering the encryption pointless. Hardcoding encryption keys or credentials in an application is bad practice, as anyone with access to the application and the ability to reverse engineer it would essentially have access to anything the key is supposed to protect.”

Using these hardcoded credentials, Secolve was able to log onto Schneider’s customer care center website and view details about each supported Schneider Electrical smart device in the world. “From here, we were able to download full data snapshots which included the device configuration, firmware version, physical location, meter readings, sensor logs, and name and email address of the device owner,” the post added.

Initially, Secolve believed that the PowerTag Link did not feature any sort of web server and could only be controlled by the application as stated by available documentation, but further investigation of the application and the setup procedure revealed that devices could receive commands by sending HTTP requests to certain endpoints. These HTTP endpoints were accessible by other devices on the same network, requiring only HTTP basic authentication to use.

“Theoretically and according to the documentation, a physical button press would be required to generate a one-time gateway key which would be used to log into the device, but testing showed that this was not actually required,” the Secolve post said. “Devices could be controlled using credentials which could be predictably generated using only the MAC address of the device, and the process for generating credentials was again available from the mobile application.” 

Through this, Secolve was able to access any endpoint, including configuration changes, firmware upgrades, and other functionality, which could render the device inoperable, causing a Denial-of-Service scenario. “Additionally, we uploaded a modified firmware package to the device, which could allow attackers to take full control of the device,” it added.

Schneider Electric also issued an advisory and advised that users of the Acti9 PowerTag Link C(A9XELC10-A) v1.7.5 and prior must use firmware v2.14.0 which includes a fix for this vulnerability. While firmware updates are performed automatically, a reboot is automatically performed after the firmware update. The firmware version information is available by using the FESB mobile application.

Last week, the U.S. administration issued a memorandum that outlines the cross-agency cyber investment priorities of U.S. President Joe Biden’s administration. It calls upon federal civilian executive branch (FCEB) agencies to make investments across three cyber priorities, including improving the defense and resilience of government networks, deepening cross-sector collaboration in defense of critical infrastructure, and boosting the foundations of a digitally-enabled future.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.