Everything running smoothly at the plant? *Whips out mobile phone* Wait. Nooo...

SCADA mobile app security is getting worse

By John Leyden


The security of mobile apps that tie in with Supervisory Control and Data Acquisition (SCADA) systems has deteriorated over the last two-and-a-half years, according to new research.

A team of boffins from IOActive and IoT security startup Embedi said they had discovered 147 vulnerabilities in 34 of the most popular Android mobile apps for SCADA systems.

Mobile applications are increasingly being used in conjunction with SCADA systems. The researchers warned these apps are "riddled with vulnerabilities that could have dire consequences on SCADA systems that operate industrial control systems".

If successfully exploited, the vulnerabilities could allow attackers to disrupt industrial processes or compromise industrial network infrastructure.

How mobile apps fit into modern industrial control system architectures [source: IOActive white paper]


Code-tampering vulns found in 94% of sampled apps

The 34 Android applications tested were randomly selected from the Google Play Store.

The research focused on testing software and hardware, using backend fuzzing and reverse engineering. The team successfully uncovered security vulnerabilities ranging from insecure data storage and insecure communication to insecure cryptography and code-tampering risks.

The research revealed the top five security weaknesses were: code tampering (94 per cent of apps), insecure authorisation (59 per cent of apps), reverse engineering (53 per cent of apps), insecure data storage (47 per cent of apps) and insecure communication (38 per cent of apps).

The same team of researchers found 50 vulnerabilities across 20 Android apps in 2015. The rise to 147 vulnerabilities in 34 apps therefore represents an average increase of 1.6 vulnerabilities per app.

Technical details of the research will be released by Alexander Bolshev, IOActive security consultant, and Ivan Yushkevich, information security auditor for Embedi, in a new paper "SCADA and Mobile Security in the Internet of Things Era".

Bolshev explained: “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS [Industrial Control Systems] control applications either. If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware.

“What this results in is attackers using mobile apps to attack other apps,” he added.

Yushkevich added: “Developers need to keep in mind that applications like these are basically gateways to mission-critical ICS systems. It’s important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks.”

Yushkevich said the team tested only Google Play apps in order that it could "compare the results of this research with those of the previous research in 2015".

He said of the threats that could occur as a result of these vulnerabilities: “Some of the revealed vulnerabilities are the client-side ones. For example, SQL injections may be used to disrupt the operation of a device.

“To exploit most of the described vulnerabilities, a hacker has to simply intercept traffic and get to the same network segment a victim is in. So, the SQL injection vulnerability is an exception here.”

IOActive and Embedi have informed the impacted vendors of the findings and are coordinating with a number of them to ensure fixes are in place. ®
