If it’s good enough for your lightbulbs, it’s good enough for nuclear centrifuges. Right?
In the movie Jurassic Park, Dr. Ian Malcolm (played by Jeff Goldblum) has a memorable quote: “Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should.”
While Dr. Malcolm was talking about cloning dinosaurs for entertainment, not about connecting billions of frequently insecure and difficult-to-upgrade devices to the Internet and then bridging access to mobile devices, the quote seems relevant here as well.
Whenever people write code, they also create bugs. Combined with cheap embedded hardware like the ESP8266 that can network devices easily on existing public networks, we now have drones that spread worms across networks of lightbulbs, thermostats that can spy on you, refrigerators that send (email) spam, and who knows what will happen when more toilets are connected to the Internet. (Disclosure: I am ashamed to admit the toilet was my fault. Sorry.)
These are all attacks on residential devices; however, commercial and industrial devices have the same problems. Targeted attacks against hardware aren’t limited to nation-state level actors: worms that spread across networked power distribution devices have existed since at least 2009, and Shodan scans targeting IoT devices regularly find SCADA systems.
Common recommendations for securing general purpose and industrial IoT (IIoT) devices include limiting access to networks, especially networks carrying devices that assume they are isolated and as a result don’t use encryption; ensuring devices have up-to-date firmware and strong passwords; and being careful when using devices with cloud services. But what happens when those cloud services are inseparably integrated with a mobile device as the endpoint: a general purpose computing device running its own code in an environment much easier for an attacker to manipulate?
A recent report by researchers from Embedi and IOActive paints a bleak picture of security in industrial control systems (ICSes) connected to mobile devices. In an analysis of ICS applications two years earlier, the researchers had guessed that “due to the rapidly developing nature of mobile software, all these problems will soon be gone.” Now, with more than 20% of the almost 150 vulnerabilities they discovered in a random sampling of apps leading to attacks that could influence an industrial process or present operators with bad information, they’ve conceded that they were wrong and that their previous guess was too optimistic.
In the report, the authors connect the discovered vulnerabilities to the OWASP Top Ten mobile risks and include one additional category for backend software bugs. These aren’t new problems, and are documented well enough to have a large volume of detailed information, analysis, and recommendations publicly available to any developer interested in learning more.
With many BYOD and COPE devices on company networks, the attack surface is much larger than traditional networks that may be isolated from the public Internet. Devices may be unpatched due to no patch existing from the carrier or manufacturer, may have vulnerable or otherwise risky apps contributing to device insecurity, or may have apps that send sensitive data to questionable sites on the Internet.
Inclusion of an additional category for backend software bugs in the report is also notable, since it reflects the reality of how mobile apps work. Rarely functional on their own, these mobile apps are interfaces to larger backend infrastructures, acting as sensors to collect, send, and display data. Security analysis of the backend infrastructure can be more difficult than app analysis, since an attacker doesn’t have direct access to the infrastructure to control and modify the systems as they would the app itself. Findings of vulnerabilities like these are in line with other research, such as the discovery of a family of apps by a global manufacturer of agricultural machinery, where the HospitalGown unsecured backend vulnerability revealed sensor readings, telemetry, and detailed operational data for large agricultural equipment.
Fortunately, enterprises can detect these threats, whether in their own control software or in apps used as part of their business, by using a mobile threat defense (MTD) solution. Behaviors described in the OWASP Mobile Top 10 risks, such as insecure communication, code tampering, and extraneous functionality, can be detected and remediated by app removal or by quarantining a device by limiting it to an untrusted network. Man in the Middle (MITM) protection will prevent attackers from tampering with data going to and from mobile control apps, blocking those apps from being used as a bridge from public to trusted control networks.
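To make the detection side concrete, here is an added, toy example (not code from the Embedi/IOActive report, nor from any MTD product) that applies MTD-style policy to constructed per-app network flow records from one BYOD device: it flags the insecure-communication patterns named above (cleartext, TLS without certificate validation), traffic to unapproved Internet hosts, and the bridging case where the same device reaches both the control network and unapproved hosts. The record fields, the 10.50.0.0/16 control range and the backend allowlist are assumptions made for the example.

```python
# Added example; field names, address range and allowlist are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CONTROL_NETWORKS = [ip_network("10.50.0.0/16")]   # assumed trusted ICS segment
APPROVED_BACKENDS = {"api.plant-vendor.example"}  # assumed sanctioned cloud backend

@dataclass(frozen=True)
class Flow:
    app: str            # package name of the app that opened the connection
    dest: str           # hostname or IP address the app connected to
    scheme: str         # "http" or "https"
    tls_verified: bool  # did the app validate the server certificate chain?

def in_control_network(dest: str) -> bool:
    try:
        return any(ip_address(dest) in net for net in CONTROL_NETWORKS)
    except ValueError:  # hostname rather than an IP literal
        return False

def assess_flow(flow: Flow) -> list[str]:
    """OWASP-Mobile-style findings for one flow; an empty list means clean."""
    findings = []
    if flow.scheme == "http":
        findings.append("insecure communication: cleartext")
    elif not flow.tls_verified:
        findings.append("insecure communication: TLS without certificate validation")
    if not in_control_network(flow.dest) and flow.dest not in APPROVED_BACKENDS:
        findings.append("unapproved destination: " + flow.dest)
    return findings

def assess_device(flows: list[Flow]) -> dict[str, list[str]]:
    """Findings keyed by app, plus a device-level finding when the same device
    both reaches the control network and talks to unapproved Internet hosts."""
    report: dict[str, list[str]] = {}
    for flow in flows:
        if hits := assess_flow(flow):
            report.setdefault(flow.app, []).extend(hits)
    bridges = any(in_control_network(f.dest) for f in flows) and any(
        h.startswith("unapproved") for hs in report.values() for h in hs)
    if bridges:
        report["device"] = ["bridge between control network and unapproved hosts: quarantine"]
    return report

# Constructed sample flows from one BYOD device (not real telemetry).
SAMPLE_FLOWS = [
    Flow("com.example.hmi", "10.50.3.21", "http", False),
    Flow("com.example.hmi", "api.plant-vendor.example", "https", True),
    Flow("com.example.flashlight", "tracker.example.net", "https", False),
]
```

Running `assess_device(SAMPLE_FLOWS)` reports the HMI app for cleartext, the flashlight app for unverified TLS to an unapproved host, and a device-level bridge finding that would justify quarantine.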
Although no solution will be as effective as maintaining strictly air gapped networks (and that doesn’t guarantee security, either), strong proactive risk analysis of app, network, and device security can go a long way towards preventing hacks with consequences in the physical world. Fortunately for us, mobile threat defense is easier than defending against angry velociraptors.