KACO HMI Password Vulnerability

Thursday, August 13, 2015 @ 11:08 AM gHale

There is a hard-coded password vulnerability with proof-of-concept (PoC) exploit code affecting KACO HMI products, according to a report on ICS-CERT.

A public report, released before any coordination with ICS-CERT or the vendor, said the password can easily be found in the client code.


ICS-CERT notified the affected vendor of the report and has asked the vendor to confirm the vulnerability and identify mitigations. ICS-CERT issued the alert to provide early notice of the report and identify baseline mitigations for reducing the risk from these and other security attacks.

The report describes the remotely exploitable vulnerability as a hard-coded password issue that could lead to remote code execution.

Aditya K. Sood discovered the vulnerability and presented it at DefCon 2015 in Las Vegas. He reported that the passwords for KACO HMI products are present in the code for the client that allows users to control the HMI. He reported this vulnerability to ICS-CERT a few days before his presentation, and the vendor knew about the issue but did not have time to correct it.

ICS-CERT will continue to work with KACO to address this issue and will notify users when a patch or other mitigating solution becomes available.