Home management dashboard exposed credentials in clear text

Sep 16, 2015 23:11 GMT

Schneider Electric has just patched a security issue (CVE-2015-3962) for its StruxureWare Building Expert home management system which leaked user credentials in clear text.

Schneider Electric is one of the first companies that provided a centralized system for managing IoT homes. This is the StruxureWare Building Expert, a platform which allows building administrators to control various facets of their environments, like heating, ventilation, air conditioning, electrical power, and lighting.

This is achieved via a series of remotely controlled sensors, which building administrators can manage via a Web-accessible dashboard, helping them cut down energy consumption in a company's headquarters, or in larger, private homes.

The system is rarely seen in smaller homes, being widely used for large buildings housing one or more businesses.

In theory, the StruxureWare Building Expert system is the definition of an IoT product, allowing home users full control over their regular home functions, using an Internet connection to do so.

Login credentials were transmitted without encryption

According to a recent company statement, independent security researcher Artyom Kurbatov informed Schneider Electric of a security flaw in its StruxureWare Building Expert software that exposes the credentials used for the management dashboard.

According to the security disclosure's CERT entry, attackers can intercept communications between the StruxureWare Building Expert server and client components and gain access to a user's login credentials, which are transmitted unencrypted, in clear text.

Schneider Electric has not reported any attacks based on this vulnerability, and Mr. Kurbatov says that "impact to individual organizations depends on many factors that are unique to each organization."

All StruxureWare Building Expert multi-purpose management devices (MPM) versions prior to 2.15 are affected, but Schneider Electric has already provided firmware updates which will fix this issue.

Earlier this year, Schneider patched several products for similar security-related issues, which included its Wonderware System Platform, SoMove, SoMove Lite, Unity Pro, and SoMachine software packages.

Schneider Electric's StruxureWare Building Expert home management system