Industrial networks threatened by mobile app vulnerabilities
Industrial network infrastructures are being put at risk by cyber security vulnerabilities in mobile applications, according to a new report.
The paper, entitled ‘SCADA and Mobile Security in the Internet of Things Era’, has been produced by Alexander Bolshev, security consultant for IOActive, and Ivan Yushkevich, information security auditor for Embedi.
According to the authors, the 147 cyber security vulnerabilities were found in 34 mobile applications that are used in tandem with supervisory control and data acquisition (SCADA) systems.
They found that if the mobile app vulnerabilities identified are exploited, an attacker could disrupt an industrial process or compromise industrial network infrastructure. It would also be possible to cause a SCADA operator to unintentionally perform a harmful action on the system.
Jason Larsen, principal security consultant at IOActive, said the report emphasises that mobile apps are increasingly “riddled with vulnerabilities”, which could have severe consequences for the SCADA systems that operate industrial control systems.
He added that developers must include security from the beginning, as it will save time and money as well as keep the brand protected.
The new research focused on testing software and hardware, and uncovered security vulnerabilities ranging from insecure data storage and insecure communication, to insecure cryptography and code tampering.
Specifically, it found that the top five security weaknesses were code tampering (94 per cent of apps), insecure authorisation (59 per cent), reverse engineering (53 per cent), insecure data storage (47 per cent) and insecure communication (38 per cent).
Mr Bolshev said: “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target industrial control system (ICS) control applications either.
“If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware. What this results in is attackers using mobile apps to attack other apps.”