Many SCADA Mobile Apps Lack Security by Design
A lack of understanding of the importance of building security into mobile applications from the design stages has contributed to hundreds of vulnerabilities in mobile SCADA applications that could allow attackers to directly misinform operators or influence the industrial process, according to recent research by two cybersecurity professionals.
Some of the most troubling vulnerabilities, according to Alexander Bolshev, security consultant with IOActive, a Seattle-based information security services firm, include those presented by insecure data storage and applications that do not properly configure or use secure communications.
This is partly due to industrial control system vendors' lack of experience in developing mobile applications, which has them turning to third-party consultants for help, he said. In some cases, those consultants treat SCADA mobile application development the same way as consumer application development.
“They don’t understand how important the security is for this area,” he said.
Testing and analysis in the recently released white paper, “SCADA and Mobile Security in the Internet of Things Era,” is based on the OWASP Mobile Top 10 2016, the top 10 mobile risks compiled by the Open Web Application Security Project. It is a follow-up to research conducted two years ago by Bolshev and Ivan Yushkevich, information security auditor for Embedi, in which the two looked at the then-nascent market for mobile applications for supervisory control and data acquisition systems. The researchers looked at 20 Android-based applications then, and found 50 issues.
“To our surprise, the vulnerability rate has increased over time,” Bolshev said. “We found 147 issues in 34 applications.”
Among the most troubling were those vulnerabilities related to data storage and insecure communication, according to Bolshev. Some 47 percent of the applications reviewed were storing data on an SD card (external) or on the virtual (emulated) storage partition. As a side effect, these applications inherited the weaknesses of the file systems used by these storage devices, as they have no proper access control lists or permission mechanisms implemented, according to the white paper.
“In other words, if the application has the privileges to read/write to this device, it has full access to other data stored on the same device by other applications,” the researchers wrote.
Meanwhile, more than one-third of the applications analyzed did not properly configure or use secure communications. The most common issue identified was the lack of Transport Layer Security (TLS) certificate validation, according to the white paper.
“We found that no checks were performed by the applications to ensure that they were communicating with the genuine backend and not a rogue backend server,” the authors wrote.
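As an added illustration of that certificate-validation finding (example code written for this article, not from the white paper or any of the applications tested), the first factory below is the pattern that produces it: a trust manager that accepts any chain, so the client cannot tell the genuine backend from a rogue one. The second restricts trust to the CA that issued the backend's certificate. The class name, the bundled CA file and the backend URL are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ScadaBackendClient {

    // VULNERABLE: an X509TrustManager that never throws accepts any certificate,
    // and the all-hosts HostnameVerifier drops the host name check as well.
    static SSLSocketFactory trustEverything() throws Exception {
        TrustManager[] acceptAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true); // also wrong
        return ctx.getSocketFactory();
    }

    // HARDENED: trust only the backend's own CA (a PEM file bundled with the app,
    // assumed here) and leave the default host name verification in place.
    static SSLSocketFactory trustOnlyBackendCa(InputStream caPem) throws Exception {
        X509Certificate ca = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(caPem);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store holding just the pinned CA
        ks.setCertificateEntry("scada-backend-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // With the hardened factory, a certificate that does not chain to the pinned CA
    // or does not match the host name makes connect() throw an SSLHandshakeException.
    static HttpsURLConnection connect(String backendUrl, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(backendUrl).openConnection();
        conn.setSSLSocketFactory(factory);
        conn.connect();
        return conn;
    }
}
```

In a review, the presence of an empty checkServerTrusted body or a HostnameVerifier returning true unconditionally is the quickest static indicator of this finding.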
In addition to the well-known recommendations covering the OWASP Top 10 and the OWASP Mobile Top 10 2016 risks, the researchers recommended several actions that could be taken by developers of mobile SCADA clients, including not storing sensitive data on SD cards or similar partitions without access control lists.
“The industry should start to pay attention to the security posture of its SCADA mobile applications, before it is too late,” the researchers wrote.