More SCADA app vulnerabilities found

A big motivation for pulling software apart to find security flaws is the idealistic hope that developers will get the message and do a better job next time.

But what happens if they don’t?

It’s something that must have researchers at security consultancies IOActive Labs and Embedi pulling out their hair, assuming they have any left.

Two years ago, they jointly found 50 weaknesses in the security of 20 mobile apps used by a plethora of SCADA Industrial Control Systems (ICS) sectors covering things like power, water, and manufacturing.

Not good news exactly, but at least the problems were public domain and that meant they’d be fixed.

Now a follow-up test of 34 ICS apps from Google Play has found that far from improving, things have got worse – this time they found 147 security vulnerabilities in apps and backend systems designed for the same job.

Classifying them using OWASP’s Top Ten Mobile risk categories, 32 of the 34 lacked root or code protection, 20 had poor authorisation, 20 implemented insecure data storage, and 18 lacked obfuscation to protect code from reverse engineering.

Less frequent but still serious issues included poor-quality coding (12), insecure communication (11), insufficient cryptography (8), and insecure authentication (6).

In addition, the team noticed that seven apps exposed vulnerabilities on backend servers, for example SQL injection or cross-site scripting (XSS). And:

One of the reviewed applications had write permissions for the tables, allowing an attacker to tamper with station configurations and user statistics.

Overall, in the period between the two tests, researchers saw an average increase of 1.6 vulnerabilities per application.

Clearly, there’s a problem, but what is it?

Perhaps the app boom has lowered standards in a sector that rewards clever functions, performance and rapid development. If so, these apps simply manifest the same sorts of slapdash development that have affected other app sectors such as remote banking.

If that’s the case – and it’s hard not to imagine that it might be in at least some cases – it’s short-termism of the worst kind.

Say IOActive and Embedi:

The industry should start to pay attention to the security posture of its SCADA mobile applications, before it is too late.

The researchers have informed the affected vendors of the problems in the apps.

You can understand why so many ICS companies want to offer customers the ability to access monitoring and control using a mobile app. But on this evidence, it looks as if they are solving their problem today at the expense of creating a bigger one down the line for everyone.