Flutterby™! : Smart Grid Security


Smart Grid Security

2012-11-19 10:07:38.856092+00 by meuon 7 comments

Somewhere else in the world I just logged into a smart grid AMI system that can disconnect (turn off) a few thousand people, with the web login of: admin and a password of: 123456, the published default password.

The system has been up for > 1 month and has real customers on it. The meter manufacturer has an engineer on site that barely speaks engrish and is afraid to change the admin password because other people at the manufacturer would not know how to log in...

He'll hate the 20 character "line noise" password we just set when he figures out we reset the password. [evil grin]

comments in ascending chronological order:

#Comment Re: made: 2012-11-19 11:24:50.098531+00 by: meuon

System SOAP API login (plain text only) has the following fields:

<s:element minOccurs="0" maxOccurs="1" name="UserID" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="PassWord" type="s:string"/>
<s:element minOccurs="0" maxOccurs="1" name="UserType" type="s:string"/>

Changing the value of 'UserType' to 'Admin' allows any valid user to use Admin functions, including changing other users' passwords.

Auth 101: You get the user's parameters from the credentials, you don't set them from what the user tells you. Just 'cause you can point, drag and click a Visual Studio interface does not mean you should.

I've pointed their "Software Engineer" to this page. I'm hoping to humiliate them into changing their ways. The good news: The utility and I hate this meter manufacturer because they stuck us and a utility bad with faulty meters (parts were not even soldered in). So I have nothing to lose by outing them, and they know it. The lowest bidder RFP process sucketh.

#Comment Re: made: 2012-11-19 14:41:03.242392+00 by: meuon

Setting UserID to: $LOCAL bypasses the need for a password. WTF?!?
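An added example, not part of the thread and not the vendor's code: a login handler in Python that applies the "Auth 101" rule from the comments above, taking the role from the server-side credential record, never reading the request's UserType, and giving no user ID a password-free path. Only the UserID, PassWord and UserType field names come from the page; the `Login` wrapper element, user store, role names and passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}

# Constructed sample store: the role is stored with the credential, server-side.
USERS = {
    "reader1": _make_user("constructed-sample-pw-1", "Reader"),
    "ops-admin": _make_user("constructed-sample-pw-2", "Admin"),
}

def build_request(user_id, password, user_type):
    """Build a constructed login body using the three field names from the page."""
    return ("<Login><UserID>%s</UserID><PassWord>%s</PassWord>"
            "<UserType>%s</UserType></Login>"
            % (escape(user_id), escape(password), escape(user_type)))

def login(request_xml):
    """Return the authenticated user's stored role, or None if login fails."""
    if "<!DOCTYPE" in request_xml:      # refuse DTDs/entities from untrusted input
        return None
    root = ET.fromstring(request_xml)
    user_id = root.findtext("UserID") or ""
    password = root.findtext("PassWord") or ""
    # UserType is deliberately never read: the client does not choose its role.
    record = USERS.get(user_id)
    # Unknown or "special" IDs get the same hash-and-compare path, then fail.
    salt = record["salt"] if record else b"\0" * 16
    expected = record["hash"] if record else b"\0" * 32
    ok = hmac.compare_digest(_hash(password, salt), expected)
    if not (record and password and ok):
        return None
    return record["role"]

def require_admin(request_xml):
    """Gate for admin functions such as changing another user's password."""
    return login(request_xml) == "Admin"
```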

#Comment Re: made: 2012-11-19 15:04:16.514732+00 by: lexus6908

Somehow I have a very good idea who these guys are, but this is beyond stupidity......

#Comment Re: made: 2012-11-20 08:02:29.350739+00 by: meuon

Laughing. No Comment. Hi Lexus6908!

#Comment Re: made: 2012-11-20 16:29:40.570398+00 by: lexus6908

I rest my case meuon!!!!

#Comment Re: made: 2012-11-21 14:17:04.607397+00 by: meuon

I'm having so much fun with this system. Really really I am:

Two SOAP calls, nearly identical. In one case the server returns numeric result codes for if it worked or not. 0 = Success says the 2 pages of documentation. In the other case it returns the text string: "Successed". Even if it fails.

#Comment Re: made: 2012-11-21 18:20:32.17092+00 by: lexus6908

Glad you're having fun, bro......