Attackers Could Use Vulnerability in Smart Gas Meters to Reset Them or Run Code, Researchers Find

There’s room for all devices in the IoT universe, and that includes smart speakers and gas meters. The first one is usually nice, shiny and stands in the middle of the living room, while the latter is just as important but stands alone in a dark corner of the building. The point is that our world is full of “invisible” IoT devices, fulfilling essential functions, that are equally exposed to attacks.

Smart meters allow companies to keep a much closer eye on consumption and minimize downtime when there’s a problem, which is extremely useful because these devices run in industrial settings as well as homes. Unfortunately, that means these meters have to be connected to the Internet.

“Claroty’s research into the ION/PM smart meter firmware uncovered a pre-authentication integer-overflow vulnerability that, depending on the specific generation, architecture, and version of the product, could allow an attacker to remotely execute code or reboot the meter, causing a denial-of-service condition on the device,” said the researchers after investigating Schneider Electric’s PowerLogic ION/PM smart meter product line.

One of the vulnerabilities received a CVSS score of 9.8 (of a maximum 10). It allowed attackers to send a specially crafted TCP packet to the device to either cause it to reboot the meter or remotely run code, depending on the targeted device.

The other vulnerability has a slightly lower CVSS score of just 7.5 because attackers can’t enable remote code execution and are limited to the ability to reset the meter.

Schneider Electric fixed both problems in July 2020, and users have been advised to upgrade as quickly as possible.