Researchers uncover major security vulnerabilities in ICS mobile applications
IOActive and Embedi researchers found 147 cybersecurity vulnerabilities in 34 mobile applications used in tandem with SCADA systems.
Proof-of-concept Attack on Victim HMI Panel View
According to the researchers, if the mobile application vulnerabilities identified are exploited, an attacker could disrupt an industrial process or compromise industrial network infrastructure, or cause a SCADA operator to unintentionally perform a harmful action on the system. The 34 mobile applications tested were randomly selected from the Google Play Store.
“This new vulnerability report proceeds original research conducted two years ago, where 20 mobile applications were tested,” said Jason Larsen, Principal Security Consultant at IOActive. “At the time, there just weren’t as many SCADA applications on the market. This latest white paper reinforces the fact that mobile applications are increasingly riddled with vulnerabilities that could have dire consequences on SCADA systems that operate industrial control systems. The key takeaway for developers is that security MUST be baked in from the start — it saves time, money, and ultimately helps protect the brand.”
The original research was conducted at Black Hat in 2015 and found a total of 50 issues in 20 mobile applications that were analyzed. In 2017, they found a staggering 147 issues in the 34 applications selected for this research report. This represents an average increase of 1.6 vulnerabilities per application.
“While using mobile applications for interacting with SCADA interfaces and systems greatly simplifies monitoring of those systems for engineers, these applications also open the doors for malicious attackers. Security research demonstrates that even production-critical SCADA mobile applications are not safe from a wide range of security vulnerabilities common for mobile applications environments. In fact, these applications suffer from common vulnerabilities that we often come across during penetration testing engagements or SAST (Static Application Security Testing) engagements,” said Leon Juranic, CTO at DefenseCode.
What the research revealed
Research by Alexander Bolshev, Security Consultant for IOActive, and Ivan Yushkevich, Information Security Auditor for Embedi, focused on testing software and hardware, using backend fuzzing and reverse engineering. In doing so, they successfully uncovered security vulnerabilities ranging from insecure data storage and insecure communication to insecure cryptography and code tampering.
Specifically, the research revealed the top five security weaknesses were: code tampering (94% of apps), insecure authorization (59% of apps), reverse engineering (53% of apps), insecure data storage (47% of apps) and insecure communication (38% of apps).
“The flaws we found were shocking, and are evidence that mobile applications are being developed and used without any thought to security,” said Bolshev. “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS control applications either. If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware. What this results in is attackers using mobile apps to attack other apps.”
Example SQL injection
“Vendors continue to produce ‘secure’ remote access products to meet customer demands, but remote access is intrinsically vulnerable, in addition to the specific vulnerabilities IOActive describes. How many ‘guards, gates or guns’ protect the average industrial site? How many protect our cell phones? Remote access is already the attack path of choice for targeted ransomware and other industrial attacks. Why should anyone have the power to control a 2 GW power plant, or the entire production line of an automobile factory, from a cell phone, while stopped at a traffic light?” – Andrew Ginter, VP Industrial Security at Waterfall Security Solutions, told Help Net Security.
Advice and disclosure
“Developers need to keep in mind that applications like these are basically gateways to mission critical ICS systems,” said Yushkevich. “It’s important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks.”
IOActive and Embedi informed the impacted vendors of the findings through responsible disclosure, and are coordinating with a number of them to ensure fixes are in place.
In February 2022, WhiteSource acquired DefenseCode.