Schneider Electric IGSS Mobile
Monitor | 6.4 | ICS-CERT ICSA-18-046-03 | Feb 15, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary
IGSS Mobile for iOS and Android (version 3.01 and earlier) contains two vulnerabilities: improper certificate validation (CWE-295) and insecure credential storage (CWE-256). An attacker with physical access to a device running the vulnerable app can intercept encrypted communications with SCADA systems or extract stored authentication credentials, potentially allowing unauthorized access to industrial control systems.
What this means
What could happen
An attacker with physical access to a mobile device running IGSS Mobile could intercept or modify communications with control systems, potentially altering operational commands or stealing credentials used to authenticate to SCADA infrastructure.
Who's at risk
Energy sector operators who use Schneider Electric IGSS Mobile (iOS or Android) on devices carried by field engineers, remote operators, or workstation users for monitoring and controlling SCADA systems and industrial equipment.
How it could be exploited
An attacker with physical access to an engineer's or operator's device can exploit weak certificate validation (CWE-295) and insecure credential storage (CWE-256) to intercept network traffic or extract stored authentication credentials for IGSS-connected systems. The attacker does not need network access—only physical possession of the device.
Prerequisites
- Physical access to a mobile device running IGSS Mobile for iOS or Android (version 3.01 or earlier)
- The user must attempt to authenticate or communicate through the app while the attacker has access
- Device must be connected to the same network as IGSS or the target control system
- Low complexity exploitation
- Physical access required (reduces remote attack likelihood but increases insider/lost device risk)
- Affects credential storage and transport security
- Mobile device used for OT operations
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| IGSS Mobile for Android | ≤ 3.01 | Latest version available on Google Play |
| IGSS Mobile for iOS | ≤ 3.01 | Latest version available on Apple Store |
Remediation & Mitigation
Do now
HARDENING: Implement device management policies to require screen locks and auto-lock timeouts on all mobile devices used for SCADA access
HARDENING: Restrict physical access to devices running IGSS Mobile to secure facilities
HARDENING: Educate engineers and operators to never leave IGSS Mobile devices unattended and to lock devices when not in use
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update IGSS Mobile for Android to the latest version available on Google Play
HOTFIX: Update IGSS Mobile for iOS to the latest version available on Apple Store
CVEs (2)