Building automation server comes with hard-coded credentials

Mar 3, 2016 11:28 GMT

Schneider Electric, which makes a wide range of smart-building and home-management products, has issued a security alert about one of them: a flaw that could let an attacker take control of a building's environmental and security settings and alter them at will.

The alert concerns Schneider Electric's StruxureWare Building Operation line of products, and specifically the Automation Server, a hardware server that ships factory-programmed with the StruxureWare Building Operation software.

The Automation Server is a stand-alone unit that connects to a variety of I/O modules and sensors and is sized for small and medium-sized organizations.

The hardware runs the Automation Server software, which gathers telemetry from local sensors and manages the field controllers, letting remote administrators oversee the building's energy, HVAC, lighting, and even fire-safety settings.

Hard-coded admin credentials allowed anyone access to the server

Independent security researcher Karn Ganeshen found that Automation Server software versions 1.7.0 and earlier shipped with hard-coded credentials, which even an unskilled attacker could use to take control of a server deployed at a company's premises.

The attack could be carried out remotely and required no advanced technical skill. Once logged in, an attacker could use control of the server to cut the power to a building, taking the alarm system down with it, and so facilitate a break-in.

The researcher also found that, once logged in with these default credentials, an attacker could break out of the restricted 'msh' shell the device presents, bypassing the underlying Linux system's user access controls and executing arbitrary code on the server.

Both issues are now fixed

To address the issues, Schneider Electric released version 1.7.1 of the Automation Server software at the end of January; it forces all users to change the default password when the server is installed.

"The user is no longer allowed to operate the system with default credentials and the minimal 'msh' shell can no longer be circumvented," a Schneider Electric representative said in the company's security advisory. The hard-coded credentials issue is tracked as CVE-2016-2278.
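To make the two fixed behaviours concrete, here is an added example written for this article; it is not Schneider Electric's code and does not reproduce the Automation Server's actual login logic or the real 'msh' bug, which the advisory does not detail. It models a device that ships with a factory account flagged as must-change, lets a session on that account do nothing but rotate the password, and then exposes only an allow-listed operator shell whose commands never reach /bin/sh. The default credentials (admin/admin), the command set, and the password policy are all constructed assumptions.

```python
import hashlib
import hmac
import os
import re
import shlex

# Constructed factory default for this example only; the article does not
# state the Automation Server's real default credentials and none are used.
FACTORY_DEFAULT_USER = "admin"
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LENGTH = 12  # assumed policy, not the vendor's


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a dumped credential store is not a plaintext list."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class DeviceAuth:
    """Credential store with one factory account flagged as must-change.

    A login on a must-change account succeeds only far enough to rotate the
    password; every other operation is refused until that has happened.
    """

    def __init__(self) -> None:
        self._salt = os.urandom(16)
        self._users = {
            FACTORY_DEFAULT_USER: _hash_password(FACTORY_DEFAULT_PASSWORD, self._salt)
        }
        self._must_change = {FACTORY_DEFAULT_USER}

    def _verify(self, user: str, password: str) -> bool:
        stored = self._users.get(user)
        # Always compute the hash so unknown users cost the same time as known ones.
        candidate = _hash_password(password, self._salt)
        return stored is not None and hmac.compare_digest(stored, candidate)

    def login(self, user: str, password: str) -> str:
        if not self._verify(user, password):
            return "denied"
        if user in self._must_change:
            return "password-change-required"
        return "ok"

    def change_password(self, user: str, old: str, new: str) -> bool:
        if not self._verify(user, old):
            return False
        # Refuse the factory default, reuse of the old value, and short values.
        if new in (FACTORY_DEFAULT_PASSWORD, old) or len(new) < MIN_PASSWORD_LENGTH:
            return False
        self._users[user] = _hash_password(new, self._salt)
        self._must_change.discard(user)
        return True


# Restricted operator shell: a fixed dispatch table, per-command argument
# validation, and no call into a system shell, so "; id" or "$(id)" has
# nowhere to go. This is the generic pattern, not a description of msh.
# Hostnames may not start with '-' so an argument cannot become a flag.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def _cmd_status(args):
    if args:
        return "invalid argument"
    return "status: ok"


def _cmd_ping(args):
    if len(args) != 1 or not _HOST_RE.match(args[0]):
        return "invalid argument"
    # Return the argv a real implementation would hand to
    # subprocess.run(argv, shell=False); nothing is executed here.
    return ["ping", "-c", "1", args[0]]


RESTRICTED_COMMANDS = {"status": _cmd_status, "ping": _cmd_ping}


def run_restricted(auth: DeviceAuth, user: str, password: str, line: str):
    """Authenticate, then dispatch one command line through the allow-list."""
    state = auth.login(user, password)
    if state != "ok":
        return state
    try:
        parts = shlex.split(line)  # tokenises; does not interpret ';' or '$()'
    except ValueError:
        return "invalid argument"
    if not parts or parts[0] not in RESTRICTED_COMMANDS:
        return "command not permitted"
    return RESTRICTED_COMMANDS[parts[0]](parts[1:])


if __name__ == "__main__":
    auth = DeviceAuth()
    print(run_restricted(auth, "admin", "admin", "status"))  # password-change-required
    print(auth.change_password("admin", "admin", "admin"))  # False
    print(auth.change_password("admin", "admin", "Cw7!kq9vLp2#"))  # True
    print(run_restricted(auth, "admin", "Cw7!kq9vLp2#", "status"))  # status: ok
    print(run_restricted(auth, "admin", "Cw7!kq9vLp2#", "ping 10.0.0.1; id"))  # invalid argument
    print(run_restricted(auth, "admin", "Cw7!kq9vLp2#", "cat /etc/shadow"))  # command not permitted
```

The point of the dispatch table is that the only way to run something on the box is to be named in `RESTRICTED_COMMANDS`, and each handler decides what its arguments may look like; a restricted shell that instead builds a string and hands it to `/bin/sh` is only as strong as its quoting, which is the general shape of the escape the fixed firmware closes.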

Last September, a similar issue affected another Schneider Electric product, the StruxureWare Building Expert building management system, whose Web dashboard exposed credentials in clear text.