OTPulse

Siemens Sm@rtClient Password Storage Vulnerability

Low Risk · ICS-CERT ICSA-15-202-02 · Apr 23, 2015
Summary

SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite for Android store connection credentials in insecure storage, where they can be recovered by an attacker with physical access to the device. The weakness, classified as CWE-522 (Insufficiently Protected Credentials), allows credential extraction without knowledge of the device unlock code.

What this means
What could happen
Credentials stored on mobile devices running Sm@rtClient can be recovered by an attacker with physical access, allowing unauthorized control of SCADA interfaces and HMI systems connected through the application.
Who's at risk
Water and electric utility engineers and technicians who use Android tablets or smartphones running SIMATIC WinCC Sm@rtClient or Sm@rtClient Lite to access HMI systems and SCADA frontends remotely. This affects field personnel, operators, and maintenance staff.
How it could be exploited
An attacker with physical access to an Android device running Siemens Sm@rtClient can extract plaintext or weakly encrypted credentials from device storage. Once obtained, these credentials can be used to access SCADA or HMI systems remotely, enabling command injection or process manipulation.
Prerequisites
  • Physical access to the Android device running Sm@rtClient
  • Device must be unlocked or attacker must bypass device security
  • Credentials must be stored in plaintext or with weak encryption on the device
No patch available · Weak credential storage · Physical access required but portable devices frequently lost or stolen · Allows unauthorized HMI access
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
SIMATIC WinCC Sm@rtClient for Android: <V01.00.01.00 | <V01.00.01.00 | No fix (EOL)
SIMATIC WinCC Sm@rtClient Lite for Android: <V01.00.01.00. | <V01.00.01.00. | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Disable credential storage on mobile Sm@rtClient devices; require authentication at each connection instead of persistent credential caching
HARDENING: Restrict physical access to mobile devices running Sm@rtClient, especially when personnel are outside secure facilities
HARDENING: Deploy Mobile Device Management (MDM) solutions to enforce device encryption and screen lock policies on Sm@rtClient devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Audit and rotate credentials for all accounts that may have been accessed via Sm@rtClient on mobile devices
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC WinCC Sm@rtClient for Android: <V01.00.01.00, SIMATIC WinCC Sm@rtClient Lite for Android: <V01.00.01.00.. Apply the following compensating controls:
HARDENING: Implement network-level access controls limiting which systems can be reached by Sm@rtClient connections (e.g., firewall segmentation)