Secolve Identifies Vulnerability in Schneider’s Acti9 PowerTag Link C Product
Recently, Secolve assessed the security of Schneider Electrical’s Acti9 PowerTag Link Csmart PLC and the EcoStructure Facility Expert software and applications. We identified and reported vulnerabilities in the devices, applications and cloud infrastructure that would have exposed sensitive user information and allow commands to be run on devices without proper authorisation or authentication.
Schneider Electrical’s Acti9 PowerTag Link C is a gateway device which allows business owners to monitor, and control connected devices from their smartphones. These devices can include temperature sensors for fridges and cold rooms, power meters for cooking equipment, light switches, ventilation switches and even main power breakers. While convenient for business owners and managers, exposing these devices to the wider internet carries cyber security risks.
The two most impactful findings included hard-coded credentials that allowed us to download full snapshots of any otherPowerTag Linksmart gateway device in the world, and poor implementation of access controls on the physical device allowed us to issue arbitrary commands from the same network segment.
Accessing device data from around the world
Poor programming practices can often lead to serious security holes. Mobile applications are widely available to the public and easy to reverse engineer, as applications using Java, which the Android runtime runs on, are easily decompiled. Sensitive information such as server login credentials should never be left in any public facing applications.
In this case, our inspection showed severa llogin credentials for Schneider web services were hardcoded into the application. While these credentials were theoretically protected by encryption, both the full decryption method and the encryption key were available and reversible, rendering the encryption pointless. Hardcoding encryption keys or credentials in an application is bad practice, as anyone with access to the application and the ability to reverse engineer it would essentially have access to anything the key is supposed to protect.
Using these hardcoded credentials, we were able to log onto Schneider’s customer care center website and view details about every supported Schneider Electrical smart device in the world. From here, we were able to download full data snapshots which included the device configuration, firmware version, physical location, meter readings, sensor logs and name and email address of the device owner.
Physical device control
Initially, we believed that the PowerTag Link did not feature any sort of web server and could only be controlled by the application as stated by available documentation, but further investigation of the application and the setup procedure revealed that devices could receive commands by sending HTTP requests to certain endpoints. These HTTP endpoints were accessible by other devices on the same network, requiring only HTTP Basic Authentication to use.
Theoretically and according to the documentation, a physical button press would be required to generate a one-time gateway key which would be used to log into the device, but testing showed that this was not actually required. Devices could be controlled using credentials which could be predictably generated using only the MAC address of the device, and the process for generating credentials was again available from the mobile application. Through this, we were able to access any endpoint, including configuration changes, firmware upgrades and other functionality, which could render the device inoperable, causing a Denial-of-Service scenario. Additionally, we uploaded a modified firmware package to the device, which could allow attackers to take full control of the device.
We were able to identify, assess, and report these issues before they could be exploited in the real world, ensuring that our client could upgrade their facilities with safety and security. Vulnerability disclosure was coordinated with Schneider.
To see Schneider Electrics update see below or click here:
Acti9 PowerTag Link C12 July 2022
Schneider Electric is aware of a vulnerability in its Acti9 PowerTag Link C product.
The Acti9 PowerTag Link C is the simplest and most efficient way to achieve a fully connected panel.
Failure to apply the remediation provided below may risk an improper access control attack, which could result in unauthorized access to other network devices.
Affected Products and Versions
VersionActi9 PowerTag Link C (A9XELC10-A) V1.7.5 and prior
Acti9 PowerTag Link C (A9XELC10-B) V2.12.0 and prior
CVE ID: CVE-2022-34754
CVSS v3.1 Base Score 6.8 | Medium | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HA CWE-269:
Improper Privilege Management vulnerability exists that could allow elevated functionality when guessing credentials.
Acti9 PowerTag Link C(A9XELC10-A) V1.7.5 and prior
Firmware V2.14.0 includes a fix for this vulnerability.
Please note that firmware updates are performed automatically. A reboot is automatically performed after the firmware update. The firmware version information is available by using the FESB mobile applicationContact Schneider Electric’s Customer Care Center if you need assistance. Acti9 PowerTag Link C(A9XELC10-B) V1.7.5 and prior
General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial controlvand safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
Acknowledgements Schneider Electric recognizes the following researcher for identifying and helping to coordinate a response to this vulnerability:
• CVE-2022-34754 Petr Novak (Secolve)