
Rising Attack Vector for Industrial IoT: Smartphone Apps

Mobile Apps Can Be Exploited To Tamper With Industrial Control Systems
Modern ICS infrastructure including mobile apps. (Source: IOActive and Embedi)

There's increasing anxiety about the industrial control systems that run factories, power plants and oil refineries. As those systems have become more reliant on the internet for efficiency, hackers see the systems as ripe targets for disruption.


ICS software vendors are increasingly developing mobile applications for flexible, remote control. But the security of those applications leaves much to be desired, according to two researchers.

That's the conclusion of Alexander Bolshev, a security consultant with IOActive, and Ivan Yushkevich, an information security auditor with Embedi. The two co-presented a study of ICS mobile applications at the Black Hat security conference in 2015 that painted a bleak picture.

Their latest research into the industrial internet of things takes a fresh look at the expanding library of ICS mobile apps, with worrisome findings again. They expected the landscape would have improved over the last couple of years, but now say their view was overly optimistic.

"Two years have passed since our previous research, and things have continued to evolve," they write in a research paper. "Unfortunately, they have not evolved with robust security in mind, and the landscape is less secure than ever before."

Plucked From Google Play

Bolshev and Yushkevich started by randomly picking mobile ICS applications from Google's Play market. They tended to favor ones that also gave access to a vendor's backend hardware or software, in order to test a wider attack surface.

The research paper from IOActive and Embedi.

All told, they studied 34 applications from 34 vendors, using OWASP's top 10 list of mobile security issues. They found 147 security issues within the mobile applications and back ends.

"This represents an average increase of 1.6 vulnerabilities per application," they write.

Some 32 of the 34 applications had a code tampering issue, which is the ability of a malicious actor to modify code, change the contents of memory dynamically or modify APIs.

The next most common issue was insecure authorization, which could allow someone - via the mobile app - to circumvent certain required permissions on a service.

"The most common mistake was the complete lack of passwords to protect the HMI [human machine interface] project and panel data configuration," the paper says. "If a password was requested, it would only be used to protect the global application configuration."

Nearly half of the mobile apps had insecure storage issues or data leakage, they found. All of those affected apps stored data on an external SD card - which could be removed by a local attacker - or within an emulated storage partition.

"As a side effect, these applications inherited the weaknesses of the file systems used by these storage devices, as they have no proper ACLs [access control lists] or permission mechanisms implemented," they write. "In other words, if the application has the privileges to read/write to this device, it has full access to other data stored on the same device by other applications."
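The following is an added example, not code from the article or from the researchers' paper: a static check a reviewer could run over an app's decoded manifest and decompiled source to spot the shared-storage pattern described above. The package name, file name and sample inputs are constructed for illustration; the permission and API names are standard Android identifiers.

```python
"""Flag shared-storage use in a decoded Android app (manifest XML + source text)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
STORAGE_PERMISSION = re.compile(r"android\.permission\.(READ|WRITE|MANAGE)_EXTERNAL_STORAGE")
# API calls and path literals that resolve to SD card or emulated shared storage.
SHARED_STORAGE_PATTERN = re.compile(
    r"getExternalStorageDirectory|getExternalStoragePublicDirectory"
    r"|getExternalFilesDirs?|getExternalCacheDirs?|/sdcard/|/storage/emulated/"
)

def audit_manifest(manifest_xml):
    """Return findings for storage permissions and the legacy-storage opt-in."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name and STORAGE_PERMISSION.fullmatch(name):
            findings.append(("permission", name))
    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "requestLegacyExternalStorage") == "true":
        findings.append(("manifest-flag", "requestLegacyExternalStorage"))
    return findings

def audit_source(filename, text):
    """Return (file, line number, matched token) for each shared-storage reference."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SHARED_STORAGE_PATTERN.finditer(line):
            hits.append((filename, lineno, match.group(0)))
    return hits

# Constructed sample input, not taken from any app in the study.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.hmi">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:requestLegacyExternalStorage="true"/>
</manifest>"""
SAMPLE_SOURCE = """File dir = Environment.getExternalStorageDirectory();
File project = new File(dir, "hmi/project.cfg");   // lands on shared storage
File safe = new File(context.getFilesDir(), "project.cfg");  // app-private, not flagged
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST) + audit_source("ProjectStore.java", SAMPLE_SOURCE):
        print(*finding)
```

A hit is a prompt for manual review rather than proof of a flaw: what matters is whether HMI project or configuration data is written to the flagged location instead of the app's private directory.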

Malicious Influence

Not all security vulnerabilities necessarily mean that a hacker would be able to do harm. But there's a scary takeaway from their findings: More than 20 percent of the 147 issues could be used to either directly misinform an ICS operator or influence some sort of industrial process.

"We therefore conclude that the growth of IoT in the era of 'everything is connected' has not led to improved security for mobile SCADA applications," they write.


About the Author

Jeremy Kirk


Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.



