By Gregory Hale
There are 147 cybersecurity vulnerabilities found in 34 mobile applications used in tandem with Supervisory Control and Data Acquisition (SCADA) systems, a new report found.
If the mobile application vulnerabilities identified end up exploited, an attacker could disrupt an industrial process or compromise industrial network infrastructure, or cause a SCADA operator to unintentionally perform a harmful action on the system, according to Alexander Bolshev, security consultant for IOActive, and Ivan Yushkevich, information security auditor for Embedi, in a paper entitled, “SCADA and Mobile Security in the Internet of Things Era.”
The 34 mobile applications tested were randomly selected from the Google Play Store.
“This new vulnerability report proceeds original research conducted by Alex and Ivan two years ago, where 20 mobile applications were tested,” said Jason Larsen, principal security consultant at IOActive. “At the time, there just weren’t as many SCADA applications on the market. This latest white paper reinforces the fact that mobile applications are increasingly riddled with vulnerabilities that could have dire consequences on SCADA systems that operate industrial control systems. The key takeaway for developers is that security must be baked in from the start — it saves time, money, and ultimately helps protect the brand.”
The original research was conducted at Black Hat in 2015 and found 50 issues in 20 mobile applications analyzed. In 2017, they found 147 issues in the 34 applications selected for this research report. This represents an average increase of 1.6 vulnerabilities per application.
Bolshev’s and Yushkevich’s research focused on testing software and hardware, using backend fuzzing and reverse engineering. In doing so, they uncovered security vulnerabilities ranging from insecure data storage and insecure communication to insecure cryptography and code tampering.
Research found the top five security weaknesses were: Code tampering (94 percent of apps), insecure authorization (59 percent of apps), reverse engineering (53 percent of apps), insecure data storage (47 percent of apps) and insecure communication (38 percent of apps).
“The flaws we found were shocking, and are evidence that mobile applications are being developed and used without any thought to security,” said Bolshev. “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS control applications either. If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware. What this results in is attackers using mobile apps to attack other apps.”
“Developers need to keep in mind that applications like these are basically gateways to mission critical ICS systems,” said Yushkevich. “It’s important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks.”
“There is heightened awareness globally amongst hackers, researchers and companies. In turn, we’re seeing increased volumes and sophistication of security issues identified,” said Andrea Carcano, co-founder and chief product officer of Nozomi Networks. “Against this rising awareness all parties are working hard to improve security and protect devices, networks and data. In the last four months alone we have alerted ICS-CERT to several Zero Day vulnerabilities so that the security of those devices improves. As more vulnerabilities and security issues are brought into the open a larger cyber security community is forming that is willing to share its expertise and knowledge with a common goal to identify, raise awareness, and provide solutions to cybersecurity challenges.”
Working on Fixes
IOActive and Embedi informed the impacted vendors of the findings through responsible disclosure, and are coordinating with a number of them to ensure fixes are in place.
The researchers gave some tips developers of mobile SCADA clients could take to further protect their applications and systems.
In the following list, the researchers gathered the most important items to consider when developing a mobile SCADA application:
• Always keep in mind that your application is a gateway to your ICS systems. This should influence all design decisions, including how you handle the inputs you will accept from the application and, more generally, anything that you will accept and send to your ICS system.
• Avoid all situations that could leave the SCADA operators in the dark or provide them with misleading information, from silent application crashes to full subverting of HMI projects.
• Follow best practices. Consider covering the OWASP Top 10, OWASP Mobile Top 10 2016, and the 24 Deadly Sins of Software Security.
• Do not forget to implement unit and functional tests for your application and the backend servers, to cover at a minimum the basic security features, such as authentication and authorization requirements.
• Enforce password/PIN validation to protect against threats U1-3. In addition, avoid storing any credentials on the device using unsafe mechanisms (such as in cleartext) and leverage robust and safe storing mechanisms already provided by the Android platform.
• Do not store any sensitive data on SD cards or similar partitions without ACLs at all costs. Such storage mediums cannot protect your sensitive data.
• Provide secrecy and integrity for all HMI project data. This can be achieved by using authenticated encryption and storing the encryption credentials in the secure Android storage, or by deriving the key securely, via a key derivation function (KDF), from the application password.
• Encrypt all communication using strong protocols, such as TLS 1.2 with elliptic curves key exchange and signatures and AEAD encryption schemes. Follow best practices, and keep updating your application as best practices evolve. Attacks always get better, and so should your application.
• Catch and handle exceptions carefully. If an error cannot be recovered, ensure the application notifies the user and quits gracefully. When logging exceptions, ensure no sensitive information is leaked to log files.
• If you are using Web Components in the application, think about preventing client-side injections (e.g., encrypt all communications, validate user input, etc.).
• Limit the permissions your application requires to the strict minimum.
• Implement obfuscation and anti-tampering protections in your application.
Security Not Improved
The researchers said growth of IoT in the era of “everything is connected” has not led to improved security for mobile SCADA applications. According to our results, more than 20 percent of the discovered issues allow attackers to directly misinform operators and/or directly/ indirectly influence the industrial process.
In 2015, the researchers said:
“SCADA and ICS come to the mobile world recently, but bring old approaches and weaknesses. Hopefully, due to the rapidly developing nature of mobile software, all these problems will soon be gone.”
We now concede that we were too optimistic and acknowledge that our previous statement was wrong, the researchers said.
Over the past few years, the number of incidents in SCADA systems has increased and the systems become more interesting for attackers every year, the researchers said. Furthermore, widespread implementation of the IoT/IIoT connects more and more mobile devices to ICS networks. Thus, the industry should start to pay attention to the security posture of its SCADA mobile applications, before it is too late.