Siemens SIMATIC Sm@rtClient Android App
Plan Patch · 7.4 · ICS-CERT ICSA-17-194-03 · Jul 13, 2017
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
SIMATIC WinCC Sm@rtClient for Android versions prior to 1.0.2.2 contain weak or missing authentication and encryption mechanisms (CWE-300, CWE-288). An attacker on the network path can forge authentication credentials or intercept encrypted sessions to gain unauthorized access to HMI control functions and SCADA process data without user interaction.
What this means
What could happen
An attacker could intercept encrypted communications or authenticate without proper credentials to the WinCC Sm@rtClient app, potentially gaining unauthorized access to HMI control functions and process data on remote Android devices.
Who's at risk
Water and electric utilities using Siemens WinCC HMI systems should care about this vulnerability. It affects operators and engineers who use the WinCC Sm@rtClient app on Android phones or tablets to remotely monitor or control SCADA systems, including pumps, motors, valves, and power distribution equipment.
How it could be exploited
An attacker on the network path to the mobile device (man-in-the-middle position) could exploit weak or missing authentication/encryption to intercept TLS handshakes or forge authentication tokens without user interaction. No user action is required to trigger the vulnerability.
Prerequisites
- Network access to the Android device running WinCC Sm@rtClient
- Position on network path between the device and HMI/SCADA server (man-in-the-middle capable)
- Target device must be running affected version (< 1.0.2.2)
remotely exploitable · no authentication required · low complexity · affects remote control interfaces
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC WinCC Sm@rtClient Lite for Android: All | < 1.0.2.2 | 1.0.2.2 |
| SIMATIC WinCC Sm@rtClient for Android: All | < 1.0.2.2 | 1.0.2.2 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the WinCC HMI server to only authorized mobile devices using firewall rules or VPN
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SIMATIC WinCC Sm@rtClient for Android and Sm@rtClient Lite for Android to version 1.0.2.2 or later via Google Play Store
Long-term hardening
- HARDENING: Implement certificate pinning or use a VPN client on mobile devices to prevent man-in-the-middle interception
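A fleet check for the update step above, as an added example that is not part of the advisory or any Siemens tooling: it flags devices still below 1.0.2.2 in a mobile-device inventory export, comparing versions numerically rather than as strings. The CSV layout and device names are constructed assumptions.

```python
import csv
import io

FIXED = (1, 0, 2, 2)  # first fixed version named in the advisory
# Product names as listed in the advisory's affected-products table.
PRODUCTS = {
    "SIMATIC WinCC Sm@rtClient for Android",
    "SIMATIC WinCC Sm@rtClient Lite for Android",
}

# Constructed sample inventory; column names and device names are hypothetical.
SAMPLE_INVENTORY = """device,app,version
tablet-ops-01,SIMATIC WinCC Sm@rtClient for Android,1.0.2.1
phone-eng-07,SIMATIC WinCC Sm@rtClient Lite for Android,1.0.2.2
tablet-ops-02,SIMATIC WinCC Sm@rtClient for Android,1.0.10.0
phone-eng-09,SIMATIC WinCC Sm@rtClient Lite for Android,1.0
tablet-ops-03,SIMATIC WinCC Sm@rtClient for Android,unknown
phone-eng-11,Some Other App,0.9
"""

def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if not dotted numeric."""
    parts = text.strip().split(".")
    if len(parts) > len(FIXED) or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (len(FIXED) - len(nums)))  # pad "1.0" to 1.0.0.0

def audit(inventory_csv):
    """Classify each Sm@rtClient install as 'affected', 'fixed' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["app"] not in PRODUCTS:
            continue  # unrelated apps are out of scope for this advisory
        version = parse_version(row["version"])
        if version is None:
            status = "unknown"  # unparseable version: needs manual review
        elif version < FIXED:
            status = "affected"
        else:
            status = "fixed"
        results[row["device"]] = status
    return results

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Tuple comparison matters here: a plain string comparison would rank "1.0.10.0" below "1.0.2.2" and wrongly report that device as affected.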
CVEs (2)