Slashdot Mirror


Hackers Could Blow Up Factories Using Smartphone Apps (technologyreview.com)

An anonymous reader quotes a report from MIT Technology Review: Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, spent last year examining 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Bolshev declined to say which companies were the worst offenders or reveal the flaws in specific apps, but he said only two of the 34 had none at all. Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it's linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it's overheating. Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It's not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery. The researchers say they haven't looked at whether any of the flaws has actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.

6 of 125 comments

  1. FUD by Anonymous Coward · · Score: 5, Insightful

    Oh look, it's the "hackers can bomb you with your own computer" headline again.
    This time featuring smartphones and apps. Oh boy, that changes everything!

    1. Re:FUD by Darinbob · · Score: 3, Insightful

      Why would any important system be controlled by a smartphone app anyway? That's just dumb. And why would these apps be put on Google Play for the public to see? No operator is going to use an app to control machinery; instead they're going to look at the dials, use an official computer on-site, and so forth. Maybe in the IT world the sysadmin works from home, but in any mission-critical application the workers are always on site.

      Any apps used are likely for field service workers to get a quick update (what jobs are left to do, verify that changes are being propagated before packing up, etc). Even then, have you tried using a smartphone or tablet while wearing safety gloves?

      It would be nice to see some examples of the kind of apps that are being used this way in the article.

    2. Re:FUD by TheDarkMaster · · Score: 1, Insightful

      Yep, FUD. Any half-engineer puts electrical and mechanical limits to prevent multi-million dollar equipment from doing things that they should not, even when the electronics (the computer) try to give orders to do so. This is the fault of those ridiculous Hollywood movies that try to pass the retarded idea that a script kiddie with a computer can control anything.

      --
      Religion: The greatest weapon of mass destruction of all time
  2. Re:Only works on factories run by morons by Reverend+Green · · Score: 4, Insightful

    Organizations that blame their security issues on "morons" are unlikely to develop an effective security posture.

  3. no longer a threat by Reverend+Green · · Score: 1, Insightful

    Phewww - that was close! But thanks to the diligent bi-partisan efforts of our legislators and the brilliant patriotic leadership of our businesspersons, the United States is safe from this threat. We have no factories left for anyone to blow up.

  4. Re:oh no! you stopped the conveyor line~ by nnull · · Score: 3, Insightful

    For more automated plants, shutting down anything can be quite catastrophic. Bottling lines, injection molders, CNC shops. How are they going to do all this stuff manually? And sabotaging steel mills has absolutely disastrous consequences. All this can cost millions for even just a couple days' downtime. I know in my plant, I would have to basically send everyone home as there would be nothing for anyone to do. Doing things manually is no longer an option in many places.