
Powerlogic / Schneider Electric IONXXXX CSRF / Missing Access Controls

Posted Sep 7, 2016
Authored by Karn Ganeshen

Powerlogic / Schneider Electric IONXXXX series smart meters suffer from cross site request forgery and missing access control vulnerabilities.

tags | exploit, vulnerability, csrf
SHA-256 | eeaeca67fb8040d4eb66e65e1d69d543daa6736f03e61b9bbddbf11e71fed0d5

*Powerlogic/Schneider Electric IONXXXX series Smart Meters - Multiple
security issues*

*Impacted devices:*

*ION7300 and potentially all IONXXXX models (based off of Powerlogic)*
For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274
http://www.schneider-electric.com/download/hk/en/details/2254511-ETH-7330-V274/?reference=ETH7330V274


*About*
Power & Energy Monitoring System
Compact energy and power quality meters for feeders or critical loads

The PowerLogic ION7300 series meters help you:
- reduce energy and operations costs
- improve power quality, reliability and uptime
- optimize equipment use
for optimal management of your electrical installation and greater
productivity

Used in enterprise energy management applications such as feeder monitoring
and sub-metering, ION7300 Series meters offer unmatched value,
functionality, and ease of use. ION7300 Series meters interface to
PowerLogic StruxureWare software or other automation systems to give all
users fast information sharing and analysis.

ION7300 Series meters are an ideal replacement for analogue meters, with a
multitude of power and energy measurements, analogue and digital I/O,
communication ports, and industry-standard protocols. The ION7330 meter has
on-board data storage, emails of logged data, and an optional modem. The
ION7350 meter is further augmented by more sophisticated power quality
analysis, alarms and a call-back-on-alarm feature.

*Applications*
- Power monitoring and control operations.
- Power quality analysis.
- Cost allocation and billing.
- Demand and power factor control.
- Load studies and circuit optimisation.
- Equipment monitoring and control.
- Preventive maintenance.

*Rebranded or used as is, by different organizations *

*Canada*
Telus Mobility
Futureway Communications
Radiant Communications
Acadia University
Loyalist College
Seneca College
TBayTel

*Mexico*
Universidad Nacional Autonoma de Mexico

*USA*
Frontier Communications
Cox Communications
Avon Old Farms School
University of Pennsylvania
Princeton University
City of Glenwood Springs, Electric Department
University of California, Santa Cruz
City of Thomasville Utilities
Comcast Cable
Verizon Wireless
City Of Hartford
AT&T Internet Services
CNS-Internet
Comcast Business Communications
AT&T U-verse

*Vulnerabilities *

*HTTP Web Management portal *

Provides stats for Monitor Energy, Revenue, Peak Demand, Voltage
Disturbances.

*No access control* - by default no Authentication is configured, to access
device's web management portal.

An unauthorized user can access the device management portal and make
config changes. This can further be exploited easily at a mass scale, with
scripting, and submitting device configuration changes via a specific POST
request.

I suspect it may also be possible to cause denial of service to these
devices, as well as additional devices - which directly or indirectly
accept / send data to/from these meters - by submitting varying amounts of
invalid / junk data.

*Vulnerable to Cross-Site Request Forgery *

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as configuration
parameter changes, and saving modified configuration.

Successful exploitation of these vulnerabilities allows silent execution of
unauthorized actions on the device, specifically modifying parameter
configurations - voltage modes, polarity, voltage units, current units,
interval values - and submitting configuration changes to the meter.
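
A compensating control for the two web issues above, shown as an added example that is not part of the original advisory: a gate that a reverse proxy placed in front of the meter could apply, requiring authentication on every request and a same-origin `Origin`/`Referer` on state-changing ones. The origin value, function names and sample requests are assumptions constructed for illustration; no meter endpoints are used.

```python
from urllib.parse import urlsplit

# Assumed deployment value (hypothetical, not from the advisory).
ALLOWED_ORIGIN = "https://meters.example.internal"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _origin_of(url):
    """Reduce a URL to scheme://host[:port], or None if it is not absolute."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def gate(method, headers, authenticated):
    """Return (allowed, reason) for one request bound for the meter."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    # The portal ships with no authentication, so the proxy must supply it.
    if not authenticated:
        return False, "unauthenticated"
    if method.upper() not in STATE_CHANGING:
        return True, "read-only"
    # The meter issues no CSRF token, so verify where the request came from.
    # Origin wins when present (including "null"); Referer is the fallback.
    source = _origin_of(hdrs.get("origin") or hdrs.get("referer"))
    if source is None:
        return False, "no usable Origin/Referer on state-changing request"
    if source != ALLOWED_ORIGIN:
        return False, f"cross-origin request from {source}"
    return True, "same-origin"


# Constructed sample requests: (method, headers, authenticated at the proxy).
SAMPLES = [
    ("GET", {}, True),
    ("POST", {"Origin": "https://meters.example.internal"}, True),
    ("POST", {"Origin": "https://other.example"}, True),
    ("POST", {"Referer": "https://meters.example.internal/config"}, True),
    ("POST", {}, True),
    ("POST", {"Origin": "null"}, True),
    ("POST", {"Origin": "https://meters.example.internal"}, False),
]


def evaluate(samples=SAMPLES):
    """Run every sample through the gate and return the allow decisions."""
    return [gate(*s)[0] for s in samples]
```
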

*Front Panel security (Physical) *

*Weak Credential Management* - Default meter password is factory-set to
00000 - mandatory default password change is not enforced.

Front panel meter security lets you configure the meter through the front
panel using a meter password.

Front panel meter security is enabled by default on all ION7300 series
meters; all configuration functions in the front panel are
password-protected.

The password is factory-set to 0 (zero).

*Telnet *


*Weak Credentials Management *
- *Default accounts* - different models come with corresponding login creds
- documented in the powerlogic admin guide -
http://www.powerlogic.com/literature/70072-0102-05.pdf
- Application does not enforce a mandatory default password change

For example, for ION7300, default creds are:
User - 7300
Password - 0 (zero)

+++++

