AMTELCO miSecure Vulnerabilities

Low Risk | ICS-CERT ICSA-14-121-01 | Feb 1, 2014
Summary

AMTELCO miSecure version 6.2 (Android, iPhone, and Blackberry) contains information disclosure and improper authentication vulnerabilities (CWE-200, CWE-287). The application fails to properly protect stored credentials and communication data on mobile devices. An attacker with physical access could extract sensitive information including login credentials used to access plant systems. No patch is available for this version.

What this means
What could happen
AMTELCO miSecure mobile applications fail to properly protect stored credentials and communication data, allowing an attacker with physical access to a mobile device to extract sensitive information used for plant communications and control.
Who's at risk
Water authorities and electric utilities using AMTELCO miSecure mobile applications (Android, iPhone, Blackberry) to manage plant communications, field operations, or engineering access should be concerned. Anyone using version 6.2 on mobile devices to store or access plant credentials is at risk.
How it could be exploited
An attacker with physical access to a mobile device running miSecure 6.2 could directly access the device's file system or memory to extract stored credentials or decrypted communication data. No remote exploitation is possible, but compromised credentials could then be used for remote unauthorized access to control systems.
Prerequisites
  • Physical access to a mobile device running miSecure 6.2
  • Device running vulnerable version (6.2) with no patch available
Tags: no patch available | credentials stored insecurely on mobile devices
Exploitability
Some exploitation risk — EPSS score 8.0%
Affected products (1)
Product | Affected Versions | Fix Status
miSecureMessages (to include Android, iPhone, and Blackberry mobile device applications): 6.2 | 6.2 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement mobile device management (MDM) policy requiring full device encryption and enforced passcodes on all devices accessing miSecure
HARDENING: Restrict miSecure to devices you control and monitor; do not allow personal devices to store plant credentials
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Require additional authentication (separate password or token) for accessing plant systems from mobile devices, so stolen credentials from the device alone are insufficient
Mitigations - no patch available
miSecureMessages (to include Android, iPhone, and Blackberry mobile device applications): 6.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement physical security controls to prevent unauthorized access to mobile devices used by operations and engineering staff
AMTELCO miSecure Vulnerabilities - OTPulse