ELNet Power Meter Unauthenticated Access / Weak Credential Management

`*ELNet **Energy & Electrical Power Meter - Mulitple Vulnerabilities*  
  
  
http://elnet.feniks-pro.com/Elnet-LT.php  
  
http://www.elnet.cc/product/elnet-lt/  
  
  
Powermeter with color graphic display for all electrical measurements and  
harmonics, with TCP/IP and RS485 communication (ModBus and Bacnet), panel  
mounted 96X96 mm.  
  
  
*Product Description*  
  
General  
  
Simple operated menus.  
  
- Multilingual support.  
- Up to One year of energy data logging.  
- Displays up to 64th Harmonic in Waveform or Graphic.  
- 1600 samples per cycle.  
- Accuracy 0.2 %.  
- Accuracy 0.1% with special calibration, that can be ordered.  
- Build in T.O.U. Energy meter.  
- RS485 Communication Port (MODBUS, Bacnet MS/TP).  
- State of the art Graphic LCD  
- Modern 320 x 240 LCD display.  
- Displays of Waveform and Bar graph.  
- Simple installation- Panel mounted. Dimension: 96A96 mm.  
- Flash memory stores 6 months of energy.  
  
  
- TCP/IP communication port + WEB server  
- BacNet TCP/IP  
  
*Standard approvals:*  
  
IEC 62053-22, IEC 62053-23, IEC 62052-11  
  
  
Large consumers of electricity e.g. factories, hotels, hospitals,  
municipalities, need to know the history of their consumption and the  
quality and the values of the power supply. Details such as Voltage,  
Current, Power Factor, Hertz, Neutral Current, Energy consumption can be  
displayed by the ELNet LT  
  
Energy & Powermeter.  
  
  
An additional feature of the Powermeter is the ability to measure  
Harmonics. Part of the Electricity Supply Authorityas bill reflects poor or  
good Harmonics in the consumeras system, therefore it is in his interest to  
monitor Harmonics and try to improve it.  
  
  
The ELNet LT Energy & Powermeter is a compact, multi functional, three-phase  
Powermeter simple to install and is especially designed to integrate into  
Building Management Systems. It requires no special mounting and is ideally  
suited for mounting on the front face of any standard electrical panel.  
  
  
The Configuration and Setup is menu driven, with password protection.  
  
  
+++++  
  
  
*Vulnerabilities*  
  
  
1. *Unauthenticated Web Management access*  
  
ELNet power meters can be managed via Java applet over a web browser. Meter  
console and all its functions are accessible.  
  
  
By default, no authentication is required to access the web console.  
  
  
  
*2. Weak Credential Management*  
  
In order to perform certain specific functions in ELNet power meters,  
passwords are required. These passwords are, really just a formality.  
  
  
For example:  
  
  
Default password code to access Technical Menu for device configuration is a  
  
1 (One)  
  
  
*Default password a 6474*  
  
- To reset I,V,F Peak Values  
  
- To display /reset power peak value  
  
  
+++++  
  
It appears that password/code functionality is implemented for the sake of  
getting the compliance check-list ticked.  
  
  
Not only the default passwords are poor/weak, the system does not have a  
mechanism to enforce a mandatory password change.  
  
  
3. *Password Recovery Functionality*  
  
  
But what if, just what if, someone does want security and changes the  
default passwords, and forgets/lose them??  
  
  
According to vendor:  
  
*It is not recommended to forget your new passwords.*  
  
  
The manual also doesn't seem to document Password Recovery either.  
  
  
+++++  
  
  
`