This blog post will highlight some of the different types of malicious groups that target Critical Infrastructure and examples of such attacks occurring. Critical Infrastructure is a term used by governments to describe the public assets and infrastructure that are essential for the functioning of a society and economy. These public assets… Continue reading Critical Infrastructure’s Most Notorious Cyber Threat Actor Groups
The Australian government are moving at speed and the next phase of the SOCI Act, and the risk management program (RMP), should be finalised in December 2022 after industry consultation. Here’s an overview of the SOCI Act, what’s been passed and what is being worked through. Key takeaways: ▪ SOCI reforms… Continue reading The SOCI Act, where are we now and how can we help?
This blog looks at the Food and Beverage manufacturing industry, what potential attacks could occur within the Food and Beverage manufacturing industry, how organisations within the industry can prevent or minimise the effect of a cyber-attack, and how Industry 4.0 further increases an organisation’s exposure to cyber-attacks. What is Industry 4.0 and why does… Continue reading Cyber-attacks on the Food and Beverage manufacturing industry
This blog examines some examples of the diverse types of cyber-attacks that have occurred in the Ports & Maritime industry. By gaining insights into some of the various impacts across OT & IT we then look at what areas to consider building resilience against such attacks. What are the different types of cyber-attacks that could potentially occur and what are the impacts of these cyber-attacks in the… Continue reading Cyber-attacks on the Ports and Maritime industry
Recently, Secolve assessed the security of Schneider Electric’s Acti9 PowerTag Link C smart PLC and the EcoStruxure Facility Expert software and applications. We identified and reported vulnerabilities in the devices, applications and cloud infrastructure that would have exposed sensitive user information and allowed commands to be run on devices without proper authorisation or authentication.
Schneider Electric’s Acti9 PowerTag Link C is a gateway device which allows business owners to monitor and control connected devices from their smartphones. These devices can include temperature sensors for fridges and cold rooms, power meters for cooking equipment, light switches, ventilation switches and even main power breakers. While convenient for business owners and managers, exposing these devices to the wider internet carries cyber security risks.
The two most impactful findings were hard-coded credentials that allowed us to download full snapshots of any other PowerTag Link smart gateway device in the world, and a poor implementation of access controls on the physical device that allowed us to issue arbitrary commands from the same network segment.
Accessing device data from around the world
Poor programming practices can often lead to serious security holes. Mobile applications are widely available to the public and easy to reverse engineer: Android applications are written in Java (or compiled to the same bytecode the Android runtime executes), and that bytecode decompiles readily back into readable source. Sensitive information such as server login credentials should never be left in any public-facing application.
In this case, our inspection showed several login credentials for Schneider web services were hardcoded into the application. While these credentials were nominally protected by encryption, both the full decryption method and the encryption key were present in the application and recoverable, rendering the encryption pointless. Hardcoding encryption keys or credentials in an application is bad practice, as anyone with access to the application and the ability to reverse engineer it effectively has access to anything the key is supposed to protect.
Using these hardcoded credentials, we were able to log onto Schneider’s customer care center website and view details about every supported Schneider Electrical smart device in the world. From here, we were able to download full data snapshots which included the device configuration, firmware version, physical location, meter readings, sensor logs and name and email address of the device owner.
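The root cause on the server side is that a single valid login was enough to read any device in the fleet: authentication was checked, but not whether the caller owned the device. The following is an added example (not Schneider's or Secolve's code) of a minimal snapshot service in Python, with the authentication-only handler beside a hardened one that enforces object-level authorisation and refuses shared service accounts. All users, device ids and snapshot contents are constructed.

```python
"""Constructed example (not Schneider's code): a device-snapshot service that
shows the authorisation gap described above beside a hardened version. All
users, device ids and snapshot contents are made up."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised on failed authentication or authorisation."""


@dataclass
class Snapshot:
    device_id: str
    owner_email: str
    firmware: str
    location: str
    meter_readings: list = field(default_factory=list)


# Constructed registry: three gateways belonging to two customers.
SNAPSHOTS = {
    "GW-0001": Snapshot("GW-0001", "alice@example.com", "2.12.0", "Shop A", [12.5, 13.1]),
    "GW-0002": Snapshot("GW-0002", "alice@example.com", "2.12.0", "Shop B", [7.0]),
    "GW-0003": Snapshot("GW-0003", "bob@example.com", "1.7.5", "Cafe", [3.3]),
}

SERVICE_ACCOUNT = "app-service"  # the kind of shared account a mobile app ships with


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _register(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed credential store: salted PBKDF2 hashes, never plaintext.
CREDENTIALS = {
    SERVICE_ACCOUNT: _register("shared-app-secret"),
    "alice@example.com": _register("alice-pass"),
    "bob@example.com": _register("bob-pass"),
}


def authenticate(user, password):
    entry = CREDENTIALS.get(user)
    if entry is None:
        raise AuthError("unknown user")
    salt, stored = entry
    if not hmac.compare_digest(_hash(password, salt), stored):
        raise AuthError("bad password")
    return user


def fetch_snapshot_vulnerable(user, password, device_id):
    """Authentication only: any valid login can read any device in the fleet,
    which is what a hard-coded service account turns into global read access."""
    authenticate(user, password)
    return SNAPSHOTS[device_id]


def fetch_snapshot_hardened(user, password, device_id):
    """Authentication plus object-level authorisation: the principal must be a
    person, and the snapshot must belong to that person."""
    principal = authenticate(user, password)
    if principal == SERVICE_ACCOUNT:
        raise AuthError("shared service accounts may not read customer data")
    snap = SNAPSHOTS.get(device_id)
    # Same error for "not yours" and "does not exist" so device ids cannot be enumerated.
    if snap is None or snap.owner_email != principal:
        raise AuthError("device not found for this account")
    return snap


if __name__ == "__main__":
    # The vulnerable handler hands the service account another customer's data.
    print(fetch_snapshot_vulnerable(SERVICE_ACCOUNT, "shared-app-secret", "GW-0003").owner_email)
    try:
        fetch_snapshot_hardened(SERVICE_ACCOUNT, "shared-app-secret", "GW-0003")
    except AuthError as exc:
        print("blocked:", exc)
```

The design point is that a credential baked into a public app must be assumed compromised, so the backend has to bound what any one login can reach: bind reads to the authenticated customer, and reject the shared account for customer data entirely rather than relying on it staying secret.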
Physical device control
Initially, we believed that the PowerTag Link did not feature any sort of web server and could only be controlled by the application as stated by available documentation, but further investigation of the application and the setup procedure revealed that devices could receive commands by sending HTTP requests to certain endpoints. These HTTP endpoints were accessible by other devices on the same network, requiring only HTTP Basic Authentication to use.
Theoretically and according to the documentation, a physical button press would be required to generate a one-time gateway key which would be used to log into the device, but testing showed that this was not actually required. Devices could be controlled using credentials which could be predictably generated using only the MAC address of the device, and the process for generating credentials was again available from the mobile application. Through this, we were able to access any endpoint, including configuration changes, firmware upgrades and other functionality, which could render the device inoperable, causing a Denial-of-Service scenario. Additionally, we uploaded a modified firmware package to the device, which could allow attackers to take full control of the device.
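Two separate design failures are described above: the device credential could be regenerated from a value every LAN neighbour can see (the MAC address), and the documented button press was never actually enforced. The following is an added example (not Schneider's or Secolve's code, and not the device's real derivation) written in Python: a constructed MAC-derived credential illustrating the weakness class, beside a gateway model in which pairing only succeeds with a single-use, expiring key that exists solely after a physical button press, and each later command is authorised with a per-client secret and a fresh nonce. All MACs, ids and timings are constructed.

```python
"""Constructed example (not Schneider's code): contrasts a gateway credential
derived from the public MAC address with a pairing scheme that actually
requires the button press. The MAC-derived function is a made-up illustration
of the weakness class, not the real device's derivation."""
import hashlib
import hmac
import secrets
import time

GATEWAY_MAC = "00:11:22:33:44:55"  # constructed; MACs are visible to every LAN neighbour


def mac_derived_credential(mac):
    """Weak pattern: no secret input, so anyone who can observe the MAC
    (ARP cache, Wi-Fi frames, the device label) recomputes the same value."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:16]


class Gateway:
    """Pairing requires a one-time key that only exists after a physical button
    press, is single-use, expires, and is exchanged for a per-client secret."""

    def __init__(self, key_ttl=120):
        self.key_ttl = key_ttl
        self._pending = None   # (one_time_key, expiry_epoch) or None
        self._clients = {}     # client_id -> per-client shared secret (bytes)
        self._seen_nonces = set()

    def press_button(self, now=None):
        """Physical presence: the key is shown on the device, never sent over the LAN."""
        now = time.time() if now is None else now
        key = secrets.token_hex(8)
        self._pending = (key, now + self.key_ttl)
        return key

    def pair(self, client_id, one_time_key, now=None):
        """Exchange the one-time key for a per-client secret; returns None on refusal."""
        now = time.time() if now is None else now
        if self._pending is None:
            return None                      # no button press: refuse outright
        key, expiry = self._pending
        self._pending = None                 # consumed on first attempt, success or not
        if now > expiry or not hmac.compare_digest(key, one_time_key):
            return None
        secret = secrets.token_bytes(32)
        self._clients[client_id] = secret
        return secret

    def authorize(self, client_id, nonce, tag):
        """Per-command check: HMAC over a fresh nonce with the client's secret.
        A reused nonce is rejected so a captured request cannot be replayed."""
        secret = self._clients.get(client_id)
        if secret is None or nonce in self._seen_nonces:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        self._seen_nonces.add(nonce)
        return True


def client_tag(secret, nonce):
    """What a paired app computes for each command it sends."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    gw = Gateway()
    print("pair without button press:", gw.pair("app-1", "guess"))
    key = gw.press_button()
    secret = gw.pair("app-1", key)
    nonce = secrets.token_bytes(16)
    print("authorised:", gw.authorize("app-1", nonce, client_tag(secret, nonce)))
    print("replay accepted:", gw.authorize("app-1", nonce, client_tag(secret, nonce)))
```

The property to check in a review is that nothing the device broadcasts or prints on its label is an input to the credential; here the only secret material is generated on the device after the button press, handed to one client, and never reused.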
We were able to identify, assess, and report these issues before they could be exploited in the real world, ensuring that our client could upgrade their facilities with safety and security. Vulnerability disclosure was coordinated with Schneider.
Schneider Electric’s advisory is reproduced below:
Acti9 PowerTag Link C
12 July 2022
Schneider Electric is aware of a vulnerability in its Acti9 PowerTag Link C product.
The Acti9 PowerTag Link C is the simplest and most efficient way to achieve a fully connected panel.
Failure to apply the remediation provided below may risk an improper access control attack, which could result in unauthorized access to other network devices.
Affected Products and Versions
Version:
Acti9 PowerTag Link C (A9XELC10-A) V1.7.5 and prior
Acti9 PowerTag Link C (A9XELC10-B) V2.12.0 and prior
CVE ID: CVE-2022-34754
CVSS v3.1 Base Score 6.8 | Medium | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-269: Improper Privilege Management vulnerability exists that could allow elevated functionality when guessing credentials.
Remediation
Acti9 PowerTag Link C (A9XELC10-A) V1.7.5 and prior
Firmware V2.14.0 includes a fix for this vulnerability.
Please note that firmware updates are performed automatically. A reboot is automatically performed after the firmware update. The firmware version information is available by using the FESB mobile application. Contact Schneider Electric’s Customer Care Center if you need assistance.
Acti9 PowerTag Link C (A9XELC10-B) V1.7.5 and prior
General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
Acknowledgements
Schneider Electric recognizes the following researcher for identifying and helping to coordinate a response to this vulnerability:
• CVE-2022-34754 Petr Novak (Secolve)
Businesses contending with Covid, and the end-of-year rush have had another administrative task added to their to-do list, in the form of the federal government’s new Security Legislation Amendment (Critical Infrastructure) Act 2021. The draft Bill had been expected to pass through Parliament earlier this year. Instead, it has now been split in two, with the less urgent… Continue reading Security of Critical Infrastructure Act (SOCI) reforms: Is your business ready?