Hackers Could Blow Up Factories Using Smartphone Apps

mercurial

MyBB Legend
Joined
Jun 12, 2007
Messages
37,870
#1
Hackers Could Blow Up Factories Using Smartphone Apps

Many companies let workers monitor and manage machines—and sometimes entire industrial processes—via mobile apps. The apps promise efficiency gains, but they also create targets for cyberattacks. At worst, hackers could exploit the flaws to destroy machines—and potentially entire factories.

Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, spent last year examining 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Bolshev declined to say which companies were the worst offenders or reveal the flaws in specific apps, but he said only two of the 34 had none at all.

Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it’s linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it’s overheating. Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It’s not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery.

Bolshev says this combination of apps and industrial control systems is “a very dangerous and vulnerable cocktail,” though he stresses that the risk will vary widely. Some companies may have multiple fail-safe systems that limit potential damage. They may also insist that engineers rely on several data sources for a machine rather than a single reading from an app.

That’s not totally reassuring, however, because there’s evidence hackers have already been able to evade broader defenses around manufacturing facilities (see “A New Industrial Hack Highlights the Cyber Holes in Our Infrastructure”). And the risks extend to other areas; power plants and transport systems are also being hooked up to the Internet. Mobile apps could prove weak points here too.

The researchers say they haven’t looked at whether any of the flaws has actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.

Beau Woods, cyber-safety innovation fellow at the Atlantic Council, says there’s a dilemma for businesses. “The last thing you want in an emergency,” he says, “is for operators to be locked out of a critical system, so they’re designed to be accessible in multiple ways,” such as via mobile apps. “But adding this connectivity also adds exposure to the bad guys.”
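The two attack flows the article describes (altering readings in transit so the app shows a safe value, and injecting commands toward the control servers) both come down to the app channel carrying unauthenticated messages. As an added example, not code from the article, the researchers or any vendor's app, the following Python sketch shows a minimal authenticated message format between a gateway and a mobile app: an HMAC-SHA256 tag over a canonical JSON payload plus a strictly increasing sequence number, so a modified reading or a replayed command fails verification. The device ID, key, readings and command are constructed sample data, and the JSON layout is an assumption.

```python
"""Added example (not from the article or the researchers' work): a minimal
authenticated message format between an industrial gateway and a mobile app.

Assumptions (hypothetical): JSON payloads, a shared per-device key, an
HMAC-SHA256 tag and a monotonically increasing sequence number.  The device
ID, key, readings and command below are constructed sample data.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample key; in practice provisioned per device, never hard-coded.
DEVICE_KEY = b"per-device-key-provisioned-at-enrolment"


def _canonical(payload: dict) -> bytes:
    # Stable serialisation so sender and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes = DEVICE_KEY) -> dict:
    """Return a message: the payload plus an HMAC tag over its canonical form."""
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Verifier:
    """Receiver-side check: tag must match and seq must strictly increase."""

    def __init__(self, key: bytes = DEVICE_KEY):
        self.key = key
        self.last_seq = -1

    def verify(self, message: dict) -> Optional[dict]:
        payload, tag = message["payload"], message["tag"]
        expected = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the tag through timing differences.
        if not hmac.compare_digest(expected, tag):
            return None  # altered in transit, or forged without the key
        if payload["seq"] <= self.last_seq:
            return None  # replay of an already-seen message
        self.last_seq = payload["seq"]
        return payload


def demo() -> dict:
    """Run the cases from the article: honest reading, tampered reading,
    fresh command, replayed command.  Returns which ones were accepted."""
    app = Verifier()

    # 1. Gateway reports an honest reading; the app accepts it.
    honest = sign({"seq": 1, "device": "reactor-3", "temp_c": 182.4})
    accepted_honest = app.verify(honest) is not None

    # 2. A man-in-the-middle rewrites the temperature to look safe but keeps
    #    the original tag; the tag no longer matches, so it is rejected.
    tampered = {"payload": dict(honest["payload"], temp_c=65.0), "tag": honest["tag"]}
    accepted_tampered = app.verify(tampered) is not None

    # 3. A valid command reaches the gateway once, then is replayed by an
    #    attacker who captured it; the second copy fails the sequence check.
    gateway = Verifier()
    cmd = sign({"seq": 7, "device": "reactor-3", "cmd": "open_valve", "pct": 20})
    command_first = gateway.verify(cmd) is not None
    command_replay = gateway.verify(cmd) is not None

    return {
        "honest": accepted_honest,
        "tampered": accepted_tampered,
        "command_first": command_first,
        "command_replay": command_replay,
    }


if __name__ == "__main__":
    print(demo())
```

A shared symmetric key only proves that one of the two key holders produced the message; if the phone itself is compromised (the article's "malicious code on a mobile device" case), signing does not help, which is why command authority still has to be bounded on the controller side rather than trusted from the app.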
 

envo

Expert Member
Joined
Jan 14, 2014
Messages
2,776
#2
Wait. So as a company, you decide to add monitoring software to your production line/process for your employees to keep track of it and maybe even administer some stuff through it... and then you expose that to the internet using Playstore? And make it so that it can be accessed remotely from outside of your local network?

Dumb. as. ****.
 

phaktza

Executive Member
Joined
Jun 29, 2008
Messages
6,990
#3
Wait. So as a company, you decide to add monitoring software to your production line/process for your employees to keep track of it and maybe even administer some stuff through it... and then you expose that to the internet using Playstore? And make it so that it can be accessed remotely from outside of your local network?

Dumb. as. ****.
Easiest thing is to lock down the MAC addresses and keep out the riff raff (and Daesh).
 

evilstebunny

Honorary Master
Joined
Dec 20, 2007
Messages
18,825
#4
Blow up? Only if you've provided explosives, say for example during the installation of a self-destruct facility..
 

Lord Farquart

Expert Member
Joined
Nov 27, 2012
Messages
4,427
#5
Wait. So as a company, you decide to add monitoring software to your production line/process for your employees to keep track of it and maybe even administer some stuff through it... and then you expose that to the internet using Playstore? And make it so that it can be accessed remotely from outside of your local network?

Dumb. as. ****.
Nope. Dumb. as. reporting and article. I do this for a living. At best people are allowed to view the plant status performance via an app or web browser. Dumbass if you allow control, yes, but we don't.

As for tricking someone to believe the temperature is normal when it is not, it would maybe raise the stress levels of the viewer, but the PLC will still see the correct temperature and act according to the hard-coded alarm set points.

Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi obviously know about hacking opportunities, but have no idea of PLC and SCADA coding and security.

Go read up on Stuxnet if you want to know how to do it properly. There was a movie loosely based on it too. This article has too many holes in it.
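The point made in the post above, that a spoofed reading on the app changes nothing in the controller because the PLC acts on the measured value against its own hard-coded setpoints, can be shown in a few lines. The following is an added example, not the poster's code or any vendor's PLC logic: a simulated scan loop with a hard-coded high alarm, a latching high trip with hysteresis, and a hard ceiling on any HMI-requested output. It goes slightly beyond the post by also clamping a requested output, which covers the article's rogue-command case. The setpoints, the temperature trace and the "displayed" HMI value are constructed sample data.

```python
"""Added example (not from the thread or any vendor's PLC code): a simulated
controller scan loop whose alarm and trip logic uses the measured value and
hard-coded setpoints, independently of what the HMI or app displays.

Assumptions (hypothetical): a temperature loop with a 200 C high alarm,
a 220 C latching high trip, 5 C hysteresis and a heater output capped at
60%.  The temperature trace and HMI value below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

HIGH_ALARM_C = 200.0    # hard-coded in the controller, not settable from the HMI
HIGH_TRIP_C = 220.0
HYSTERESIS_C = 5.0
MAX_HEATER_PCT = 60.0   # hard ceiling on any HMI-requested output


@dataclass
class Plc:
    alarm: bool = False
    tripped: bool = False
    heater_pct: float = 0.0
    log: List[Tuple[float, bool, bool, float]] = field(default_factory=list)

    def scan(self, measured_c: float, hmi_request_pct: float) -> None:
        """One scan cycle: evaluate interlocks on the measured value only."""
        # Alarm with hysteresis so it does not chatter around the setpoint.
        if measured_c >= HIGH_ALARM_C:
            self.alarm = True
        elif measured_c < HIGH_ALARM_C - HYSTERESIS_C:
            self.alarm = False

        # Trip is latching: once set, only a local reset clears it.
        if measured_c >= HIGH_TRIP_C:
            self.tripped = True

        # Requested output is clamped to the hard ceiling and forced to zero on trip.
        requested = min(max(hmi_request_pct, 0.0), MAX_HEATER_PCT)
        self.heater_pct = 0.0 if self.tripped else requested
        self.log.append((measured_c, self.alarm, self.tripped, self.heater_pct))


def run_spoofed_hmi() -> dict:
    """The HMI shows a constant 'safe' 150 C and keeps requesting 100% heat
    while the real temperature climbs.  Returns the controller's behaviour."""
    plc = Plc()
    real_temps = [150.0, 180.0, 199.0, 205.0, 215.0, 225.0, 230.0, 190.0]
    displayed_on_hmi = 150.0  # what a tampered app would show; the PLC never reads it
    for t in real_temps:
        plc.scan(t, hmi_request_pct=100.0)
    return {
        "hmi_shows": displayed_on_hmi,
        "alarm_first_scan": next(i for i, r in enumerate(plc.log) if r[1]),
        "trip_first_scan": next(i for i, r in enumerate(plc.log) if r[2]),
        "heater_pct_before_trip": plc.log[0][3],
        "heater_pct_final": plc.heater_pct,
        "tripped": plc.tripped,
    }


if __name__ == "__main__":
    print(run_spoofed_hmi())
```

In the trace the alarm raises on the fourth scan (205 C), the trip latches on the sixth (225 C) and stays latched when the temperature falls back to 190 C, and the 100% request from the HMI is never honoured beyond the 60% ceiling. The display being wrong is still a problem for the operator, but the protective action does not depend on it.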
 

FaSMaN

Expert Member
Joined
Mar 24, 2010
Messages
1,488
#6
I am going to call shenanigans on this one: what company in its right mind runs its SCADA system off normal Wi-Fi?

Wi-Fi should always be completely isolated from critical network assets.
 