Everything running smoothly at the plant? *Whips out mobile phone* Wait. Nooo...

SCADA mobile app security is getting worse

By John Leyden

Posted in Security, 11th January 2018 13:00 GMT

The security of mobile apps that tie in with Supervisory Control and Data Acquisition (SCADA) systems has deteriorated over the last two-and-a-half years, according to new research.

A team of boffins from IOActive and IoT security startup Embedi said they had discovered 147 vulnerabilities in 34 of the most popular Android mobile apps for SCADA systems.

Mobile applications are increasingly being used in conjunction with SCADA systems. The researchers warned these apps are "riddled with vulnerabilities that could have dire consequences on SCADA systems that operate industrial control systems".

If successfully exploited, the vulnerabilities could allow attackers to disrupt industrial processes or compromise industrial network infrastructure.

How mobile apps fit into modern industrial control system architectures [source: IOActive white paper]


Code-tampering vulns found in 94% of sampled apps

The 34 Android applications tested were randomly selected from the Google Play Store.

The research focused on testing software and hardware, using backend fuzzing and reverse engineering. The team successfully uncovered security vulnerabilities ranging from insecure data storage and insecure communication to insecure cryptography and code-tampering risks.

The research revealed the top five security weaknesses were: code tampering (94 per cent of apps), insecure authorisation (59 per cent of apps), reverse engineering (53 per cent of apps), insecure data storage (47 per cent of apps) and insecure communication (38 per cent of apps).

The same team of researchers found 50 vulnerabilities across 20 Android apps in 2015. The rise to 147 vulnerabilities in 34 apps therefore represents an average increase of 1.6 vulnerabilities per app.

Technical details of the research will be released by Alexander Bolshev, IOActive security consultant, and Ivan Yushkevich, information security auditor for Embedi, in a new paper "SCADA and Mobile Security in the Internet of Things Era".

Bolshev explained: “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS [Industrial Control Systems] control applications either. If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware.

“What this results in is attackers using mobile apps to attack other apps,” he added.

Yushkevich added: “Developers need to keep in mind that applications like these are basically gateways to mission-critical ICS systems. It’s important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks.”

Yushkevich said the team tested only Google Play apps in order that it could "compare the results of this research with those of the previous research in 2015".

He said of the threats that could occur as a result of these vulnerabilities: “Some of the revealed vulnerabilities are the client-side ones. For example, SQL injections may be used to disrupt the operation of a device.

“To exploit most of the described vulnerabilities, a hacker has to simply intercept traffic and get to the same network segment a victim is in. So, the SQL injection vulnerability is an exception here.”

IOActive and Embedi have informed the impacted vendors of the findings and are coordinating with a number of them to ensure fixes are in place. ®


