Rising Attack Vector for Industrial IoT: Smartphone AppsMobile Apps Can Be Exploited To Tamper With Industrial Control Systems
There's increasing anxiety about the industrial control systems that run factories, power plants and oil refineries. As those systems have become more reliant on the internet for efficiency, hackers see the systems as ripe targets for disruption.
ICS software vendors are increasingly developing mobile applications for flexible, remote control. But the security of those applications leaves much to be desired, according to two researchers.
That's the conclusion of Alexander Bolshev, a security consultant with IOActive, and Ivan Yushkevich, an information security auditor with Embedi. Both co-presented a study of ICS mobile applications in 2015 at the Black Hat security conference that painted a bleak picture.
Their latest research into the industrial internet of things takes a fresh look at the expanding library of ICS mobile apps, with worrisome findings again. They expected the landscape would have improved over the last couple of years, but now say their view was overly optimistic.
"Two years have passed since our previous research, and things have continued to evolve," they write in a research paper. "Unfortunately, they have not evolved with robust security in mind, and the landscape is less secure than ever before."
Plucked From Google Play
Bolshev and Yushkevich started by randomly picking mobile ICS applications from Google's Play market. They tended to favor ones that also lent access to a vendor's backend hardware or software in order to test a wider attack surface.
All told, they studied 34 applications from 34 vendors, using OWASP's top 10 list of mobile security issues. They found 147 security issues within the mobile applications and back ends.
"This represents an average increase of 1.6 vulnerabilities per application," they write.
Some 32 of the 34 applications had a code tampering issue, which is the ability of a malicious actor to modify code, change the contents of memory dynamically or modify APIs.
The next most common issue was insecure authorization, which could allow someone - via the mobile app - to circumvent certain required permissions on a service.
"The most common mistake was the complete lack of passwords to protect the HMI [human machine interface] project and panel data configuration," the paper says. "If a password was requested, it would only be used to protect the global application configuration."
Nearly half of the mobile apps had insecure storage issues or data leakage, they found. All of those affected apps stored data on external SD card - which could be removed by a local attacker - or within an emulated storage partition.
"As a side effect, these applications inherited the weaknesses of the file systems used by these storage devices, as they have no proper ACLs [access control lists] or permission mechanisms implemented," they write. "In other words, if the application has the privileges to read/write to this device, it has full access to other data stored on the same device by other applications."
Not all security vulnerabilities necessarily mean that a hacker would be able to do harm. But there's a scary takeaway from their findings: More than 20 percent of the 147 issues could be used to either directly misinform an ICS operator or influence some sort of industrial process.
"We therefore conclude that the growth of IoT in the era of 'everything is connected' has not led to improved security for mobile SCADA applications," they write.