Endpoint //

Privacy

1/11/2018
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Vulnerable Mobile Apps: The Next ICS/SCADA Cyber Threat

Researchers find nearly 150 vulnerabilities in SCADA mobile apps downloadable from Google Play.

As if ICS/SCADA networks weren't a juicy enough target, now those networks face a new generation of threats via mobile apps.

Researchers Alexander Bolshev, a security consultant with IOActive, and Ivan Yushkevich, information security auditor for Embedi, randomly selected 34 Android mobile apps from the Google Play store from third-party developers and well-known ICS/SCADA vendors to check for security vulnerabilities: they found 147 security flaws that could be exploited to disrupt or sabotage an industrial process or network infrastructure.

The pair in 2015 had conducted a similar but more cursory study of 20 mobile apps, where they rooted out 50 security weaknesses. They decided to revisit their research this time but at a deeper level, with more rigorous testing of software and hardware, conducting back-end fuzzing and reverse-engineering, and mapping their findings to OWASP's Top 10 Mobile Security Risks.

"They tore them [the apps] apart looking for bugs, and compared the bugs to the previous" research, says Jason Larsen, principal security consultant at IOActive. "The rate of bugs had increased over the past three years. You'd think with higher quality software, the bug rate would go down, but it went up."

Some 59% of the apps had insecure authorization controls and 47% employed insecure data storage. "About one-third had problems with insecure communications, and either lacked encryption or had incorrect implementations of encryption," Bolshev says. "This is pretty scary."

Attackers could exploit the flaws in several ways, according to the researchers. First, if an attacker had physical access to the mobile device and app, he or she could extract the SD card, for example, and embed an exploit on the card and then reinsert it into the device. "They would need just one or two minutes to extract the card … and put it back. Most apps store data insecurely, and there's no data integrity or strong encryption," he says.

Second, an attacker could wage a man-in-the-middle attack between the mobile app and the back-end system. "Thirty-eight percent of the apps have insecure communications. So if an attacker could somehow [perform] man-in-the-middle between the app and backend, it could compromise the app," Bolshev says.

A rogue WiFi or VPN channel could be compromised to perform such an attack, according to the research, or an attacker could also compromise the application itself. An attacker could alter a SCADA operator's view of a pressure gauge, for example. "They could show an invalid picture of the system" status, for example, Bolshev explains. "It could [be altered] to show there's a problem when there isn't," which could result in physical or monetary damage to the plant.

Android in the Plant?

To date, most mobile ICS/SCADA apps deployed in plants are trials or with limited functions, Larsen says.

If running Android apps in a sensitive ICS/SCADA environment seems counterintuitive security-wise, consider the business side of the equation. Part of the motivation for going to mobile apps is pure economic pressure.

"Overall there is an active push by manufacturers and other industrial controls users to be more efficient and to reduce headcount costs. As such, there is a motivation by the users and the ICS vendors to build applications that allow for remote access to ICS systems/components, respond to alarms, etc.," says Ernie Hayden, founder and principal of 443 Consulting LLC. That has meant pressure to push apps to market without proper security assessment and evaluation, he notes.

"Hence, and sadly, vulnerabilities are discovered after the remote devices are installed and used in the field," Hayden says.

ICS/SCADA mobile app vendors don't have the proper policies and procedures in place for secure mobile software development given the market pressures to crank out the apps, according to IOActive's Larsen. "Most [mobile apps] are being outsourced and they don't have that rigor in it yet. In general, code is getting worse and not better."

The researchers did not disclose which apps contained which vulns, and say they alerted app vendors whose products were affected. Among the apps vendors whose software the researchers tested were BACmove, Cybrotech, IDEA-Teknik, Schneider Electric SE, ICONICS, Siemens AG, and TeslaSCADA.

Bolshev declined to reveal any specifics on what they found or not in specific vendor apps but says: "If a vendor is taking care of overall security, it also takes care of its mobile app security from what we saw."

While most of the solution lies with app developers upping their secure development game, the researchers say ICS/SCADA plants need to carefully deploy mobile apps. "I'd recommend if you want to integrate mobile into OT, pen-test it" first, Bolshev says. "Then you can make the decision to integrate it or not."

Larsen says mobile apps will become more mainstream in industrial networks in the next few years. "Everyone tried to fight WiFi on laptops, and now everyone has it now," he says, and mobile apps are also inevitable in those networks.

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8933
PUBLISHED: 2019-02-19
In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ directory (without being blocked by the Web Application Firewall), and then execute this file, via this sequence of steps: visiting the management page, clicking on the template, clicking on Default Template Management, clicking on ...
CVE-2019-7629
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.
CVE-2019-8919
PUBLISHED: 2019-02-18
The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2019-8917
PUBLISHED: 2019-02-18
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may b...
CVE-2019-8908
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/g...