Mobile app flaws are a risk to industrial IT systems, says report

Security researchers have identified 147 cyber security vulnerabilities found in 34 randomly selected mobile applications used in tandem with supervisory control and data acquisition (Scada) systems.

Scada software is typically used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control.

If the mobile app vulnerabilities identified are exploited, an attacker could disrupt an industrial process or compromise industrial network infrastructure, according to the report.

The report on Scada and mobile security in the internet of things (IoT) era is based on research by security services firm IOActive and zero day attack-focused security startup Embedi.

Exploiting the vulnerabilities could also cause a Scada operator to unintentionally perform a harmful action on the system, according to the report’s authors, Alexander Bolshev, security consultant for IOActive, and Ivan Yushkevich, information security auditor for Embedi.

The release of the research coincides with the publication of a report by international affairs think-tank Chatham House, which warns that the risk of cyber attacks on nuclear weapons’ control systems is “relatively high”, with recent cases of cyber attacks indicating that nuclear weapons systems could also be subject to interference, hacking and sabotage through the use of malware.

Jason Larsen, principal security consultant at IOActive, said the research reinforces the fact that mobile apps are increasingly riddled with vulnerabilities that could have dire consequences for Scada systems that operate industrial control systems (ICS).

“The key takeaway for developers is that security must be baked in from the start,” he said. “It saves time, money, and ultimately helps to protect the brand.”

The report updates original research conducted by Bolshev and Yushkevich in 2015 that found a total of 50 issues in 20 mobile apps that were analysed. Just two years later, they found an average increase of 1.6 vulnerabilities per app.

The research focused on testing software and hardware, using back-end fuzzing and reverse engineering to uncover a range of security vulnerabilities.

The top five security weaknesses revealed by the research were: code tampering (94% of apps), insecure authorisation (59%), reverse engineering (53%), insecure data storage (47%) and insecure communication (38%).

“The flaws we found were shocking, and are evidence that mobile applications are being developed and used without any thought to security,” said Bolshev. “It is important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target industrial control applications, either.

“If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for industrial control system software and hardware. What this results in is attackers using mobile apps to attack other apps.”

Yushkevich said developers need to keep in mind that applications are gateways to mission-critical industrial control systems. “It is important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks,” he said.

IOActive and Embedi informed the affected suppliers of the findings through responsible disclosure, and are coordinating with a number of them to ensure fixes are in place.