Powerlogic/Schneider Electric IONXXXX series – Multiple security issues
The following IONXXXX series power meter versions are affected:
- ION73XX series,
- ION75XX series,
- ION76XX series,
- ION8650 series,
- ION8800 series, and
- PM5XXX series.
For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274
Used in enterprise energy management applications such as feeder monitoring and sub-metering, ION7300 Series meters offer unmatched value, functionality, and ease of use. ION7300 Series meters interface to PowerLogic StruxureWare software or other automation systems to give all users fast information sharing and analysis.
ION7300 Series meters are an ideal replacement for analogue meters, with a multitude of power and energy measurements, analogue and digital I/O, communication ports, and industry-standard protocols. The ION7330 meter has on-board data storage, emails of logged data, and an optional modem. The ION7350 meter is further augmented by more sophisticated power quality analysis, alarms and a call-back-on-alarm feature.
Rebranded or used as is, by different organizations:
Universidad Nacional Autonoma de Mexico
Avon Old Farms School
University of Pennsylvania
City of Glenwood Springs, Electric Department
University of California, Santa Cruz
City of Thomasville Utilities
City Of Hartford
AT&T Internet Services
Comcast Business Communications
Reported to vendor – May 2016
– vendor team confirmed the issues in multiple models; the vendor point of contact later ceased communication.
Reported to ICS-CERT – July 2016
Advisory published Nov 2016
HTTP Web Management portal
Provides stats for Monitor Energy, Revenue, Peak Demand, Voltage Disturbances.
No access control – by default, no authentication is configured for access to the device's web management portal.
An unauthorized user can access the device management portal and make configuration changes. This can be exploited easily at mass scale by scripting the submission of device configuration changes via a specific POST request.
I suspect it may also be possible to cause denial of service on these devices, as well as additional devices – which directly or indirectly accept / send data to/from these meters – by submitting varying amounts of invalid / junk data.
Vulnerable to Cross-Site Request Forgery
There is no CSRF token generated per page and/or per sensitive function. Successful exploitation of this vulnerability allows silent execution of unauthorized actions on the device, such as changing configuration parameters and saving the modified configuration.
Specifically, an attacker can modify parameter configurations (voltage modes, polarity, voltage units, current units, interval values) and submit the configuration changes to the meter.
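The missing control described above, shown as an added example (not the vendor's code and not part of the original advisory): a CSRF token bound to the session and to one sensitive function, checked before a configuration POST is accepted. The session identifiers and action names (`save_config`, `set_voltage_mode`) are hypothetical, and the example assumes the portal already authenticates users and tracks sessions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side secret, generated at start-up here (assumption: a real device
# would keep it in protected storage and never send it to the browser).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 900  # seconds a token stays valid (constructed value)


def _mac(session_id: str, action: str, expires: int) -> bytes:
    # Bind the token to the session, the specific function and its expiry.
    msg = f"{session_id}|{action}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(session_id: str, action: str,
                now: Optional[float] = None) -> str:
    """Token embedded in the form that triggers `action` for this session."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_mac(session_id, action, expires).decode()}"


def verify_token(token: Optional[str], session_id: str, action: str,
                 now: Optional[float] = None) -> bool:
    """Accept a state-changing POST only with a valid, unexpired token
    that was issued to this session for this exact action."""
    if not token or "." not in token:
        return False  # a forged cross-site request carries no token
    expires_s, mac = token.split(".", 1)
    try:
        expires = int(expires_s)
    except ValueError:
        return False
    if (time.time() if now is None else now) > expires:
        return False
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(mac.encode(), _mac(session_id, action, expires))
```

Because the token is bound to the action name, a token lifted from a low-risk page cannot authorize a configuration save.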
Front Panel security (Physical)
Weak Credential Management – the default meter password is factory-set to 00000, and a mandatory default password change is not enforced.
Front panel meter security lets you configure the meter through the front panel using a meter password.
Front panel meter security is enabled by default on all ION7300 series meters; all configuration functions in the front panel are password‐protected.
The password is factory‐set to ->
Weak Credentials Management
– Default accounts – different models come with corresponding login creds – documented in the powerlogic admin guide – http://www.powerlogic.com/literature/70072-0102-05.pdf
– Application does not enforce a mandatory default password change
For example, for ION7300, default creds are:
User - 7300
Password – 0 (<— zero)