Mobile app flaws could compromise industrial network infrastructure
Seattle, Wash. –IOActive, Inc., the worldwide leader in research-driven security services, and Embedi, a cybersecurity startup company focused on immunizing IoT/embedded/smart end-point devices against 0- and 1-day attacks, today released a white paper outlining 147 cybersecurity vulnerabilities found in 34 mobile applications used in tandem with Supervisory Control and Data Acquisition (SCADA) systems. The technical details of the research are being released by Alexander Bolshev, Security Consultant for IOActive, and Ivan Yushkevich, Information Security Auditor for Embedi, in a new paper, “SCADA and Mobile Security in the Internet of Things Era.”
According to the researchers, if the mobile application vulnerabilities identified are exploited, an attacker could disrupt an industrial process or compromise industrial network infrastructure, or cause a SCADA operator to unintentionally perform a harmful action on the system. The 34 mobile applications tested were randomly selected from the Google Play Store.
“This new vulnerability report proceeds original research conducted by Alex and Ivan two years ago, where 20 mobile applications were tested,” said Jason Larsen, Principal Security Consultant at IOActive. “At the time, there just weren’t as many SCADA applications on the market. This latest white paper reinforces the fact that mobile applications are increasingly riddled with vulnerabilities that could have dire consequences on SCADA systems that operate industrial control systems. The key takeaway for developers is that security MUST be baked in from the start — it saves time, money, and ultimately helps protect the brand.”
The original research was conducted at Black Hat in 2015 and found a total of 50 issues in 20 mobile applications that were analyzed. In 2017, they found a staggering 147 issues in the 34 applications selected for this research report. This represents an average increase of 1.6 vulnerabilities per application.
Bolshev’s and Yushkevich’s research focused on testing software and hardware, using backend fuzzing and reverse engineering. In doing so, they successfully uncovered security vulnerabilities ranging from insecure data storage and insecure communication to insecure cryptography and code tampering. Specifically, the research revealed the top five security weaknesses were: code tampering (94% of apps), insecure authorization (59% of apps), reverse engineering (53% of apps), insecure data storage (47% of apps) and insecure communication (38% of apps).
“The flaws we found were shocking, and are evidence that mobile applications are being developed and used without any thought to security,” said Bolshev. “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS control applications either. If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware. What this results in is attackers using mobile apps to attack other apps.”
“Developers need to keep in mind that applications like these are basically gateways to mission critical ICS systems,” said Yushkevich. “It’s important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks.”
IOActive and Embedi informed the impacted vendors of the findings through responsible disclosure, and are coordinating with a number of them to ensure fixes are in place.