IOActive and Embedi researchers released a whitepaper outlining 147 vulnerabilities in 34 mobile applications used in tandem with Supervisory Control and Data Acquisition (SCADA) systems.
According to the whitepaper, the vulnerabilities could let an attacker compromise industrial network infrastructure by disrupting an industrial process or causing a SCADA operator to unintentionally perform a harmful action on the system.
The top security weaknesses were code tampering flaws, found in 94 percent of apps; insecure authorization, in 59 percent of apps; reverse engineering, affecting 53 percent of apps; insecure data storage, in 47 percent of apps; insecure communication, in 38 percent of apps; and client code quality, in 35 percent of apps.
Attacks targeting mobile SCADA applications can be sorted into two types: those that directly or indirectly influence an industrial process or industrial network infrastructure, and those that compromise a SCADA operator into unwillingly performing a harmful action on the system.
Researchers tested 34 mobile applications randomly selected from the Google Play store and found they were typically vulnerable to unauthorized physical access to the device, communication channel compromise or man-in-the-middle attacks, and application compromises.
"This new vulnerability report proceeds original research conducted by Alex and Ivan two years ago, where 20 mobile applications were tested," Jason Larsen, IOActive principal security consultant, said in a Jan. 11 press release. "At the time, there just weren't as many SCADA applications on the market. This latest white paper reinforces the fact that mobile applications are increasingly riddled with vulnerabilities that could have dire consequences on SCADA systems that operate industrial control systems."
An attacker could influence the industrial process or network infrastructure by sending data that would be carried over to the field segment devices. Alternatively, the system could be compromised to make a SCADA operator unwillingly perform a harmful action by creating environmental circumstances in which the operator could make incorrect decisions and trigger alarms or otherwise bring the system into a halt state.
“Attackers don't need to have physical access to the smartphone to leverage the vulnerabilities, and they don't need to directly target ICS control applications either,” Alexander Bolshev, IOActive security consultant, told SC Media. “If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware.”
What this results in is attackers using mobile apps to attack other apps.
Researchers said the key takeaway is that developers need to bake security into products from the start, and that, unfortunately, convenience often wins over security. Initial research conducted in 2015 found a total of 50 issues in the 20 mobile applications that were analyzed; the updated report focuses more on testing applications that can control ICS software and hardware.
To measure whether the security of these applications has improved over time, in mid-2017 the researchers tested 34 Android applications (randomly selected from the Google Play store) and found a staggering 147 issues, which are outlined in the research report and represent an average increase of 1.6 vulnerabilities per application.
Bolshev said the most recent findings show that mobile applications are being created and used without any thought to security, and that this is unacceptable for apps used to control mission-critical industrial control systems.