AMTELCO miSecure Vulnerabilities
Low Risk | ICS-CERT ICSA-14-121-01 | Feb 1, 2014
Summary
miSecureMessages version 6.2 for Android, iPhone, and BlackBerry contains information disclosure and authentication weaknesses (CWE-200, CWE-287). The application exposes user communications and authentication credentials to interception. No vendor fix is available.
What this means
What could happen
miSecure mobile messaging applications expose user communications and authentication credentials, potentially allowing attackers to intercept sensitive operational messages or gain unauthorized access to plant systems.
Who's at risk
Water authorities and electric utilities using miSecure mobile applications (Android, iPhone, or BlackBerry) for operational communications. This affects staff who use the miSecureMessages platform for plant messaging, coordination, or remote authentication.
How it could be exploited
An attacker with network access to the device or communications path could intercept unencrypted messages and authentication tokens from miSecure applications running on mobile devices (Android, iPhone, or BlackBerry). The attacker could then use captured credentials to impersonate authorized personnel or read sensitive operational information.
Prerequisites
- Network access to mobile device or device communications channel
- miSecureMessages application version 6.2 installed on Android, iPhone, or BlackBerry device
no authentication required | no patch available | information disclosure vulnerability
Exploitability
Moderate exploit probability (EPSS 8.0%)
Affected products (1)
Product | Affected Versions | Fix Status
miSecureMessages (to include Android, iPhone, and Blackberry mobile device applications): 6.2 | 6.2 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict mobile device network access to miSecure communications to trusted networks only (VPN, isolated operational network)
WORKAROUND: Disable or uninstall miSecureMessages 6.2 if alternative secure messaging platforms are available
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Monitor vendor AMTELCO for security updates to miSecureMessages
Long-term hardening
HARDENING: Implement network segmentation to isolate mobile devices from critical control systems
HARDENING: Require use of additional authentication factors beyond miSecure credentials for access to critical plant systems
CVEs (2)