September 5, 2016 Karn Ganeshen

[ICS] Multiple vulnerabilities – Powerlogic/Schneider Electric IONXXXX series Smart Meters

Powerlogic/Schneider Electric IONXXXX series – Multiple security issues

Impacted devices:

ION7300 and potentially all IONXXXX models (based off of Powerlogic)

The following IONXXXX series power meter versions are affected:

  • ION73XX series,
  • ION75XX series,
  • ION76XX series,
  • ION8650 series,
  • ION8800 series, and
  • PM5XXX series.

For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274

Power & Energy Monitoring System
Compact energy and power quality meters for feeders or critical loads
The PowerLogic ION7300 series meters help you:
• reduce energy and operations costs
• improve power quality, reliability and uptime
• optimize equipment use

for optimal management of your electrical installation and greater productivity

Used in enterprise energy management applications such as feeder monitoring and sub-metering, ION7300 Series meters offer unmatched value, functionality, and ease of use. ION7300 Series meters interface to PowerLogic StrxureWare software or other automation systems to give all users fast information sharing and analysis.

ION7300 Series meters are an ideal replacement for analogue meters, with a multitude of power and energy measurements, analogue and digital I/O, communication ports, and industry-standard protocols. The ION7330 meter has on-board data storage, emails of logged data, and an optional modem. The ION7350 meter is further augmented by more sophisticated power quality analysis, alarms and a call-back-on-alarm feature.


– Power monitoring and control operations.
– Power quality analysis.
– Cost allocation and billing.
– Demand and power factor control.
– Load studies and circuit optimisation.
– Equipment monitoring and control.
– Preventive maintenance.

Rebranded or used as is, by different organizations:

Reported to vendor – May 2016
– vendor team confirmed the issues in multiple models, & vendor poc ceased communication later.

Reported to ICS-CERT – July 2016
Advisory published Nov 2016



HTTP Web Management portal
Provides stats for Monitor Energy, Revenue, Peak Demand, Voltage Disturbances.

No access control – by default no Authentication is configured, to access device’s web management portal.

An unauthorized user can access the device management portal and make config changes. This can further be exploited easily at a mass scale, with scripting, and submitting device configuration changes via a specific POST request.

I suspect it may also be possible to cause denial of service on these devices, as well as additional devices – which directly or indirectly accept / send data to/from these meters – by submitting varying amounts of invalid / junk data.

Vulnerable to Cross-Site Request Forgery

There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration.

Successful exploitation of these vulnerabilities allow silent execution of unauthorized actions on the device specifically modifying parameter configurations – voltage modes, polarity, voltage units, current units, interval values -, and submitting configuration changes to meter.

Front Panel security (Physical)

Weak Credential Management – Default meter password is factory-set to 00000 – mandatory default password change is not enforced.

Front panel meter security lets you configure the meter through the front panel using a meter password.

Front panel meter security is enabled by default on all ION7300 series meters; all configuration functions in the front panel are password‐protected.

The password is factory‐set to ->


Weak Credentials Management
– Default accounts – different models come with corresponding login creds – documented in the powerlogic admin guide –
Application does not enforce a mandatory default password change

For example, for ION7300, default creds are:

Tagged: , , , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *