Instrumentation March 2018

orderForm.title

orderForm.productCode

orderForm.description

orderForm.quantity

orderForm.itemPrice

orderForm.price

orderForm.totalPrice

orderForm.deliveryDetails.name

orderForm.deliveryDetails.accountNumber

orderForm.deliveryDetails.phone

orderForm.deliveryDetails.poNumber

orderForm.deliveryDetails.email

orderForm.deliveryDetails.companyName

orderForm.deliveryDetails.billingAddress

orderForm.deliveryDetails.deliveryAddress

orderForm.deliveryDetails.deliveryDetailsDeliveryAddressSameAsBillingAddress

orderForm.deliveryDetails.address1

orderForm.deliveryDetails.address2

orderForm.deliveryDetails.city

orderForm.deliveryDetails.state

orderForm.deliveryDetails.postCode

orderForm.deliveryDetails.country

orderForm.deliveryDetails.additionalInformation

orderForm.noItems

DATA ACQUISITION FEATURE Major security vulnerabilities in mobile SCADA applications

Alexander Bolshev, security consultant for IOActive, and Ivan Yushkevich, information security auditor for Embedi, have released a report detailing security vulnerabilities in SCADA applications that could allow attackers to disrupt industrial processes

N

ew research has outlined 147 cybersecurity vulnerabilities found in 34 mobile

applications used in tandem with Supervisory Control and Data Acquisition (SCADA) systems. According to the report, “SCADA and Mobile Security in the Internet of Things Era”, if the mobile application vulnerabilities identified are exploited, an attacker could disrupt an industrial process or compromise industrial network infrastructure, or cause a SCADA operator to unintentionally perform a harmful action on the system. The 34 mobile applications tested were randomly selected from the Google Play Store. “This new vulnerability report proceeds

original research conducted by Alex and Ivan two years ago, where 20 mobile applications were tested,” says Jason Larsen, principal security consultant at IOActive. “At the time, there just weren’t as many SCADA applications on the market. This latest white paper reinforces the fact that mobile applications are increasingly riddled with vulnerabilities that could have dire consequences on SCADA systems that operate industrial control

systems. The key takeaway for developers is that security MUST be baked in from the start - it saves time, money, and ultimately helps protect the brand.” The original research was conducted

at Black Hat in 2015 and found a total of 50 issues in 20 mobile applications that were analysed. In 2017, they found a staggering 147 issues in the 34 applications selected for this research report. This represents an average increase of 1.6 vulnerabilities per application. Bolshev’s and Yushkevich’s research focused on testing software and hardware, using backend fuzzing and reverse engineering. In doing so, they successfully uncovered security vulnerabilities ranging from insecure data storage and insecure communication to insecure cryptography and code tampering. Specifically, the research revealed the top five security weaknesses were: code tampering (94 per cent of apps); insecure authorisation (59 per cent of apps); reverse engineering (53 per cent of apps); insecure data storage (47 per cent of apps); and insecure communication (38 per cent of apps). “The flaws we found were shocking, and are

evidence that mobile applications are being developed and used without any thought to security,” says Bolshev. “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS control applications either. If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware. What this results in is attackers using mobile apps to attack other apps.” “Developers need to keep in mind that

applications like these are basically gateways to mission critical ICS systems,” adds Yushkevich. “It’s important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks.” IOActive and Embedi informed the impacted vendors of the findings through responsible disclosure, and are coordinating with a number of them to ensure fixes are in place.

IOActive Embedi

www.ioactive.com embedi.com

Extremely rugged, powerful, distributed and IP67 rated Data Logger

-40°C to 85°C Support for any sensor

Sample rate up to 20 kHz per channel

Shock & vibration up to 100 g

sales.uk@dewesoft.com +44 1234 381 261 www.dewesoft.com  INSTRUMENTATION | MARCH 2018 23

Page 1 | Page 2 | Page 3 | Page 4 | Page 5 | Page 6 | Page 7 | Page 8 | Page 9 | Page 10 | Page 11 | Page 12 | Page 13 | Page 14 | Page 15 | Page 16 | Page 17 | Page 18 | Page 19 | Page 20 | Page 21 | Page 22 | Page 23 | Page 24 | Page 25 | Page 26 | Page 27 | Page 28 | Page 29 | Page 30 | Page 31 | Page 32 | Page 33 | Page 34 | Page 35 | Page 36 | Page 37 | Page 38 | Page 39 | Page 40 | Page 41 | Page 42 | Page 43 | Page 44 | Page 45 | Page 46 | Page 47 | Page 48 | Page 49 | Page 50 | Page 51 | Page 52