Echelon investigates reports of potential security issues relating to the Company’s products, and publishes Echelon Security Advisory Bulletins in accordance with Company policy. Echelon is committed to working with the US Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to promote distribution of this information.

Date: 17 April 2018

Title: ESA-20180417-01 Default Unrestricted SmartServer SOAP API Access

Overview: The default configuration for a SmartServer 2 edge server enables unrestricted access to the SmartServer SOAP API.

Affected products: All SmartServer 2, SmartServer 1, and i.LON 100 products.

Mitigation: Modify settings in WebParams.dat to restrict access to the SOAP API.

Date: 17 April 2018

Title: ESA-20180417-02 SmartServer and i.LON 600 Authentication Bypass

Overview: Required authentication can be bypassed.

Affected products: All SmartServer 2 and SmartServer 1 products.

Mitigation: Install the SmartServer or i.LON 600 behind a firewall and restrict port forwarding, or place it on a VLAN without other devices.

Date: 17 April 2018

Title: ESA-20180417-03 SmartServer and i.LON 600 Default Credentials

Overview: Default user names and passwords do not have to be changed on setup.

Affected products: All SmartServer 3, SmartServer 1, i.LON 100, and i.LON 600 products.

Mitigation: Change the username and password on initial install.

Date: 17 April 2018

Title: ESA-20180417-04 SmartServer and i.LON 600 Password Protection

Overview: Passwords are stored in plaintext.

Affected products: All SmartServer 2, SmartServer 1, i.LON 100, and i.LON 600 products.

Mitigation: Change the username and password on initial installation, using a unique pair for every SmartServer and i.LON device. Restrict access to the SOAP API. Install behind a firewall and restrict port forwarding, or place the device on a VLAN without other devices.

Date: 17 April 2018

Title: ESA-20180417-05 SmartServer and i.LON 600 Unencrypted Communications

Overview: Multiple services do not use encryption to protect communications.

Affected products: All SmartServer 2, SmartServer 1, i.LON 100, and i.LON 600 products.

Mitigation: Disable unencrypted services and secure encrypted services.