This post is also available in: עברית (Hebrew)
Mobile apps often serve for monitoring and managing machines, and even entire industrial processes. However, the combination of apps and industrial control systems makes them target for cyber attacks, as hackers might exploit the flaws to destroy machines — and potentially entire factories.
A recently published research checked the extent of these vulnerabilities. Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, examined 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Only two of the 34 apps had no security halls at all.
Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it’s linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it’s overheating, according to technologyreview.com.
Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It’s not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery.
Bolshev says this combination of apps and industrial control systems is “a very dangerous and vulnerable cocktail,” though he stresses that the risk will vary widely. Some companies may have multiple fail-safe systems that limit potential damage. They may also insist that engineers rely on several data sources for a machine rather a single reading from an app.
Yet there’s evidence hackers have already been able to evade broader defenses around manufacturing facilities.
Connected power plants and transport systems could also be vulnerable to such attacks.
The researchers say they haven’t looked at whether any of the flaws have actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.