Industrial network infrastructures are being put at risk by cyber security vulnerabilities in mobile applications, according to a new report.
The paper, entitled ‘SCADA and Mobile Security in the Internet of Things Era’, has been produced by Alexander Bolshev, security consultant for IOActive, and Ivan Yushkevich, information security auditor for Embedi.
According to the authors, the 147 cyber security vulnerabilities found in 34 mobile applications are used in tandem with supervisory control and data acquisition (SCADA) systems.
They found that if the mobile app vulnerabilities identified are exploited, an attacker could disrupt an industrial process or compromise industrial network infrastructure. It would also be possible to cause a SCADA operator to unintentionally perform a harmful action on the system.
Jason Larsen, principal security consultant at IOActive, said the report emphasises that mobile apps are increasingly “riddled with vulnerabilities”, which could have severe consequences on SCADA systems that operate industrial control systems.
He added that developers must include security from the beginning, as it will save time and money as well as keep the brand protected.
The new research focused on testing software and hardware, and uncovered security vulnerabilities ranging from insecure data storage and insecure communication, to insecure cryptography and code tampering.
Specifically, it found that the top five security weaknesses were code tampering (94 per cent of apps), insecure authorisation (59 per cent), reverse engineering (53 per cent), insecure data storage (47 per cent) and insecure communication (38 per cent).
Mr Bolshev said: “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target industrial control system (ICS) control applications either.
“If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware. What this results in is attackers using mobile apps to attack other apps.”