A security vulnerability in the Schneider Electric ION and PowerLogic power meters has been disclosed: they transmit a user ID and password in plaintext with every message.
Tracked as CVE-2022-46680 with a CVSS score of 8.8, the bug would allow an attacker with passive interception capabilities to obtain these credentials, authenticate to the ION/TCP engineering interface, and change configuration settings or potentially modify firmware.
This vulnerability is one of three announced, the other two being denial-of-service (DoS) vulnerabilities in WAGO 740 controllers. Both of the DoS issues are given a severity rating of 4.9.
Schneider says that the ION Protocol was created over 30 years ago to bring sophisticated data exchange to digital power meters, and that as cybersecurity became a concern, the protocol was enhanced with support for authentication.
The researchers noted that this showcases a continued lack of fundamental understanding of security-by-design among OT vendors, with recurring design issues that demonstrate a lack of understanding of basic security control design, such as plaintext and/or hardcoded credentials, client-side authentication, stateful control on stateless protocols, missing critical steps in authentication, broken algorithms, and faulty implementations.
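The two design patterns the article contrasts, as an added example that is not code from the article, from Schneider Electric, or from the real ION protocol: a toy message format that carries the user ID and password in every frame (the pattern CVE-2022-46680 describes), beside a challenge-response design in which the password never leaves the client. The framing, field names, `derive_key` helper, and sample credentials are all constructed for this example; the example goes beyond the article by showing what a passive tap learns from each design and how per-session nonces and counters reject replayed or edited messages.

```python
"""Added example: plaintext-credential messaging vs. challenge-response.
Everything here (framing, names, values) is constructed; it is not the ION format."""
import hashlib
import hmac
import secrets

# ---- Design 1: user ID and password ride along in every message ----
def plaintext_frame(user: str, password: str, command: str) -> bytes:
    # Constructed '|'-separated framing, not the real ION/TCP encoding.
    return f"{user}|{password}|{command}".encode()

def credentials_from_tap(frames: list[bytes]) -> set[tuple[str, str]]:
    """What a passive tap recovers from design 1: the credential pair from every frame."""
    found = set()
    for frame in frames:
        user, password, _ = frame.decode().split("|", 2)
        found.add((user, password))
    return found

# ---- Design 2: challenge-response; the secret is only ever used to compute a MAC ----
def derive_key(password: str) -> bytes:
    # Toy derivation for the example; a real design would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).digest()

def mac(key: bytes, nonce: bytes, counter: int, command: str) -> bytes:
    # Tag binds the session nonce, the message counter and the command text together.
    return hmac.new(key, nonce + counter.to_bytes(4, "big") + command.encode(), hashlib.sha256).digest()

def challenge_response_frame(user: str, password: str, nonce: bytes, counter: int, command: str) -> bytes:
    tag = mac(derive_key(password), nonce, counter, command)
    return f"{user}|{counter}|{command}|{tag.hex()}".encode()

class ChallengeResponseServer:
    def __init__(self, users: dict[str, str]):
        self._keys = {u: derive_key(p) for u, p in users.items()}
        self._nonce = b""
        self._next_counter = 0

    def challenge(self) -> bytes:
        """Fresh random nonce per session, so tags from one session are useless in another."""
        self._nonce = secrets.token_bytes(16)
        self._next_counter = 0
        return self._nonce

    def accept(self, frame: bytes) -> bool:
        """Verify user|counter|command|hex(tag); replays and edited commands fail."""
        try:
            user, counter_s, command, tag_hex = frame.decode().split("|", 3)
            counter = int(counter_s)
            tag = bytes.fromhex(tag_hex)
        except ValueError:
            return False
        key = self._keys.get(user)
        if key is None or counter != self._next_counter:
            return False  # unknown user, or a replayed / out-of-order message
        if not hmac.compare_digest(mac(key, self._nonce, counter, command), tag):
            return False  # wrong password-derived key, or the command was tampered with
        self._next_counter += 1
        return True

def demo() -> dict:
    """Run both designs over a constructed session and report what a passive tap learns."""
    user, password = "engineer", "correct horse"  # constructed sample credentials
    commands = ["READ_CONFIG", "SET_DEMAND_INTERVAL 15", "READ_CONFIG"]

    # Design 1: every frame hands the tap the full credential pair.
    leaked = credentials_from_tap([plaintext_frame(user, password, c) for c in commands])

    # Design 2: the tap sees user ID, counter, command and a session-bound tag only.
    server = ChallengeResponseServer({user: password})
    nonce = server.challenge()
    frames = [challenge_response_frame(user, password, nonce, i, c) for i, c in enumerate(commands)]
    accepted = [server.accept(f) for f in frames]
    replay_accepted = server.accept(frames[0])  # same frame again: counter no longer matches

    # New session: an edited command fails, the untouched original still passes.
    nonce = server.challenge()
    original = challenge_response_frame(user, password, nonce, 0, "SET_DEMAND_INTERVAL 15")
    tampered = original.replace(b"INTERVAL 15", b"INTERVAL 1")
    tampered_accepted = server.accept(tampered)
    original_accepted = server.accept(original)

    return {
        "design1_leaked": leaked,
        "design2_accepted": accepted,
        "design2_replay_accepted": replay_accepted,
        "design2_tampered_accepted": tampered_accepted,
        "design2_original_after_tamper": original_accepted,
        "design2_password_on_wire": any(password.encode() in f for f in frames),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the contrast is the one the researchers make about design: in design 1 a single captured frame is enough to log in to the engineering interface, whereas in design 2 a tap sees tags that are bound to a nonce it cannot reuse and a counter it cannot rewind, and the password itself is never on the wire. Anyone assessing an OT protocol can apply the same test: capture a session and check whether the authentication material in it can be replayed unchanged.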
Forescout used the release of these new vulnerabilities to call on vendors to improve their security testing procedures, and it said products and protocols must remain backward compatible with legacy designs.