Schneider Electric Trio J-Series Radio Encryption
Low RiskICS-CERT ICSA-13-234-01May 25, 2013
Summary
Schneider Electric Trio J-Series Radio (TBURJR900 series) devices in firmware versions 3.6.0 through 3.6.3 use weak encryption for wireless communications. The encryption implementation is susceptible to cryptanalysis or interception attacks, potentially allowing unauthorized parties to intercept, decrypt, and read or forge operational messages between radio-linked equipment. This affects all eight variants of the TBURJR900 radio platform across firmware versions 3.6.0, 3.6.1, 3.6.2, and 3.6.3. No firmware patch is available from Schneider Electric.
What this means
What could happen
Attackers could intercept or decrypt wireless communications from Trio J-Series radio links, potentially gaining unauthorized visibility into or control over remote equipment commands and status data.
Who's at risk
Utilities and energy operators using Schneider Electric Trio J-Series Radio (TBURJR900 series) for remote device communication, particularly those relying on these radios for SCADA, telemetry, or distributed equipment control in electric generation, transmission, or distribution networks.
How it could be exploited
An attacker within RF range of the Trio J-Series radio could intercept wireless transmissions and exploit weak encryption to decrypt operational commands or status messages sent between devices on the radio link.
Prerequisites
- RF line-of-sight or proximity to Trio J-Series radio units
- Ability to receive and process radio signals in the frequency band used by the radio
- No valid credentials or authentication required to receive/intercept RF communications
No patch availableWeak or known encryption (CWE-321)RF-based remote exploitabilityNo authentication required to intercept radio signalsAffects operational technology communications
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (8)
8 EOL
ProductAffected VersionsFix Status
Trio J-Series Radio TBURJR900-00002DH0: 3.6.0|3.6.1|3.6.2|3.6.33.6.0|3.6.1|3.6.2|3.6.3No fix (EOL)
Trio J-Series Radio TBURJR900-01002DH0: 3.6.0|3.6.1|3.6.2|3.6.33.6.0|3.6.1|3.6.2|3.6.3No fix (EOL)
Trio J-Series Radio TBURJR900-05002DH0: 3.6.0|3.6.1|3.6.2|3.6.33.6.0|3.6.1|3.6.2|3.6.3No fix (EOL)
Trio J-Series Radio TBURJR900-06002DH0: 3.6.0|3.6.1|3.6.2|3.6.33.6.0|3.6.1|3.6.2|3.6.3No fix (EOL)
Trio J-Series Radio TBURJR900-00002EH0: 3.6.0|3.6.1|3.6.2|3.6.33.6.0|3.6.1|3.6.2|3.6.3No fix (EOL)
Trio J-Series Radio TBURJR900-01002EH0: 3.6.0|3.6.1|3.6.2|3.6.33.6.0|3.6.1|3.6.2|3.6.3No fix (EOL)
Trio J-Series Radio TBURJR900-05002EH0: 3.6.0|3.6.1|3.6.2|3.6.33.6.0|3.6.1|3.6.2|3.6.3No fix (EOL)
Trio J-Series Radio TBURJR900-06002EH0: 3.6.0|3.6.1|3.6.2|3.6.33.6.0|3.6.1|3.6.2|3.6.3No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1HARDENINGReview all Trio J-Series radio installations to identify critical control links that depend on this vulnerable radio and assess risk of exposure
Mitigations - no patch available
0/3The following products have reached End of Life with no planned fix: Trio J-Series Radio TBURJR900-00002DH0: 3.6.0|3.6.1|3.6.2|3.6.3, Trio J-Series Radio TBURJR900-01002DH0: 3.6.0|3.6.1|3.6.2|3.6.3, Trio J-Series Radio TBURJR900-05002DH0: 3.6.0|3.6.1|3.6.2|3.6.3, Trio J-Series Radio TBURJR900-06002DH0: 3.6.0|3.6.1|3.6.2|3.6.3, Trio J-Series Radio TBURJR900-00002EH0: 3.6.0|3.6.1|3.6.2|3.6.3, Trio J-Series Radio TBURJR900-01002EH0: 3.6.0|3.6.1|3.6.2|3.6.3, Trio J-Series Radio TBURJR900-05002EH0: 3.6.0|3.6.1|3.6.2|3.6.3, Trio J-Series Radio TBURJR900-06002EH0: 3.6.0|3.6.1|3.6.2|3.6.3. Apply the following compensating controls:
HARDENINGImplement RF shielding, antenna placement controls, and frequency coordination to reduce attack surface from unauthorized radio reception
HARDENINGMonitor for unauthorized or suspicious radio communications to the Trio J-Series radios
HARDENINGIf feasible, migrate wireless links to alternative radio products with stronger encryption or upgrade to wired communication where operationally possible
CVEs (1)
โโ Navigate ยท Esc Close
API:
/api/v1/advisories/10939674-4a74-481f-8bc3-e93adbecaad6