Researchers: SCADA Mobile Apps Continue to Have ‘Shocking’ Number of Vulnerabilities

Despite their availability on mobile networks and thus increased exposure to outside security threats, SCADA apps remain highly insecure and vulnerable to attack, putting critical industrial control systems at immediate and increased risk, researchers at IOActive and Embedi have found.

While it might be good news for industrial control system (ICS) operators to have mobile apps to help them do their jobs, it’s shockingly bad news for the security of these systems—and it’s only getting worse.

New research by security consulting service provider IOActive and cybersecurity startup Embedi has identified 147 cybersecurity vulnerabilities in 34 mobile applications commonly used with Supervisory Control and Data Acquisition (SCADA) systems. The issues pose a real and present security danger to these systems, researchers said.

The report builds on research two years ago that already pointed to major vulnerabilities in SCADA systems. However, things seem to have gone from bad to worse, said Alexander Bolshev, security consultant for IOActive.

Easily exploitable security holes in mobile applications for SCADA and industrial control system (ICS) software could leave manufacturing and other critical infrastructure vulnerable to attack.

“The flaws we found were shocking, and are evidence that mobile applications are being developed and used without any thought to security,” Bolshev said.

Moreover, attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS control applications either, he said.

“If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware,” Bolshev said. “What this results in is attackers using mobile apps to attack other apps.”

Bolshev worked with Ivan Yushkevich, information security auditor for Embedi, to conduct the research, which they outline in a paper, “SCADA and Mobile Security in the Internet of Things (IoT) Era.”

Risk is on the rise

The security consultants conducted their original research on mobile SCADA apps at Black Hat in 2015. At the time, they found a total of 50 issues in the 20 mobile applications they analyzed.

Wanting to see if the situation had improved, Bolshev and Yushkevich last year tested 34 applications randomly selected from the Google Play store. Their results were dire, finding nearly triple the number of vulnerabilities in an even smaller number of apps—representing an average increase of 1.6 vulnerabilities per application.

Moreover, the researchers found that more than 20 percent of the issues they discovered allow attackers to directly misinform operators and/or influence the industrial process, whether directly or indirectly.

SCADA applications have always had vulnerabilities. However, before the advent of the IoT and the availability of mobile apps for download on connected stores like Google Play, industrial control software was found on closed systems and thus inherently more secure, said Jason Larsen, principal security consultant for industrial control systems at IOActive.


“So this is a new kind of the new attack pathway,” he told The Security Ledger. “Normally this would be a closed network that doesn’t interact with open environments. Now we have all of these devices showing up there, and it’s not managed in the IT environment that everyone knows and loves.”

Three key areas of exploitation

Researchers found three key types of vulnerabilities that give hackers access to industrial control networks, data and processes on those networks, Bolshev told us.

The first is physical access to the device or device data, which a hacker can exploit quite easily, he said. For example, if an engineer leaves a mobile device with an industrial-control app on it publicly unattended even for a short time, someone with the know-how can gain easy access to a SCADA system.

“It could give an attacker an opportunity if he has it for less than a minute,” Bolshev warned. “He can modify data, extract the card, write something on it and put it back [because the apps] do not verify the data they are storing.”
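The weakness Bolshev describes here is that the apps trust whatever they read back from removable storage. The following is an added illustration (not code from the IOActive/Embedi paper or from any of the apps studied) of the control a defender would expect: a configuration record is stored together with an HMAC, and the app refuses to load it if the tag no longer matches. The device key, the record contents and the "tampered card" scenario are constructed for the example; on a real Android device the key would be held in the hardware-backed Keystore rather than in code.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed example key. Assumption: in a real app this would come from the
# platform keystore, never from a constant in source or from the SD card itself.
DEVICE_KEY = hashlib.sha256(b"constructed-example-key-not-for-production").digest()


def seal(record: dict, key: bytes) -> bytes:
    """Serialise a record canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"payload": body.decode(), "mac": tag}).encode()


def unseal(blob: bytes, key: bytes) -> Optional[dict]:
    """Return the record only if its tag verifies; None on any tampering or corruption."""
    try:
        wrapper = json.loads(blob)
        body = wrapper["payload"].encode()
        tag = wrapper["mac"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def naive_load(blob: bytes) -> dict:
    """The pattern the researchers criticise: load stored data without any check."""
    return json.loads(json.loads(blob)["payload"])


def tamper(blob: bytes) -> bytes:
    """Simulate someone editing the file on the removed card: change the setpoint only."""
    return blob.replace(b"42.0", b"99.0")


# Constructed sample record an HMI app might persist for a PLC connection.
SAMPLE = {"plc_host": "10.0.0.5", "setpoint": 42.0}


def demo() -> dict:
    sealed = seal(SAMPLE, DEVICE_KEY)
    edited = tamper(sealed)
    return {
        "verified_original": unseal(sealed, DEVICE_KEY),
        "verified_tampered": unseal(edited, DEVICE_KEY),   # None: rejected
        "naive_tampered": naive_load(edited),              # silently accepts 99.0
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The naive loader happily returns the edited setpoint, which is exactly the "modify data, write something on it and put it back" path quoted above; the sealed loader returns `None` and the app can fall back to a safe default and alert the operator. An HMAC gives integrity, not confidentiality, so secrets on the card would additionally need encryption under a key the attacker cannot read off the device.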

The second threat is that hackers could compromise the communication channel of an industrial-control network because of the largely unprotected network protocols and networks used to transfer data from mobile devices, Bolshev said.

“Most of the devices either use public GSM networks or WiFi networks to communicate,” he said. “If the attacker can manipulate the communications, he could actually modify the data and in that way exploit the system and the operator. This is because many apps lack the proper security channel, use no encryption—or use it in a very incorrect way—or have some other problems related to secure communications.”

The third threat is one that’s very specific to the increasing availability of SCADA applications for download and use on tablets alongside other less-critical apps, Bolshev said. An infected app on the same tablet device as the ICS app could spread its disease, allowing access to data, or give a hacker the ability to execute or modify the ICS system, he said.

“You’ve got your Android device and you’re using [it] to monitor your process,” Larsen added. “Since this is a tablet, chances are you’re also going to download other apps to use on your device. You could download a malicious app that can attack the industrial control software.”

SCADA developers and operators, beware

Overall, the message to developers of SCADA apps—gateways to critical ICS systems increasingly in the crosshairs of hackers—is to be mindful that a wider number of potential miscreants has access to their software due to the increasingly mobile nature of these systems, he said.

“We’re trying to draw awareness to the fact that while these apps are being made available in a nontraditional environment for industrial control, coding practices aren’t the awesome ones we’ve [been] hoping for,” Larsen said. “They are creating a security risk that the attacker community is good at exploiting.”

Operators of ICS systems also can mitigate the risks by being more cautious of what mobile devices and apps they use to control their networks, he said. They also should examine and test the overall security of the systems to protect against a wider range of threats from outside sources.

“A lot of that is just going to come down to architecture,” Larsen said. “The trend is to adopt mobile apps and the Internet of Things, and so companies really just need to develop an architecture that takes into account the security risks surrounding that.”

Software-based attacks on SCADA and industrial control environments are common. In 2015, for example, researcher Kyle Wilhoit of Trend Micro claimed to have found 13 different crimeware variants disguised as SCADA and industrial control system (ICS) software. The malware posed as human machine interface (HMI) products, including Siemens’ Simatic WinCC, GE’s Cimplicity, and as device drivers by Advantech.