Hackers Could Blow Up Factories Using Smartphone Apps (technologyreview.com)
An anonymous reader quotes a report from MIT Technology Review: Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, spent last year examining 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Bolshev declined to say which companies were the worst offenders or reveal the flaws in specific apps, but he said only two of the 34 had none at all. Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it's linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it's overheating. Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It's not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery. The researchers say they haven't looked at whether any of the flaws has actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.
Security in automation controls is an absolute joke. In the world of Rockwell Automation (if you're not familiar, roughly 70% of the US automation market), with network access to a single device anywhere on the automation network, you can go in and upload a controller's entire program and see the full source. Their only 'security' is easily bypassed by a program on sf. Once you have said program, there is nothing, literally nothing, to stop you from changing the program logic to do whatever you want. If you like, you can even make temporary 'test' changes until poop hits the fan, then cancel them, returning things to normal. There's no logging of any of these changes and no security to prevent you from doing it. This is scarier than Meltdown/Spectre and I'm utterly amazed we haven't seen more disasters due to the simplicity of accessing and modifying these systems.
Scott
Re Only hook something to the net if it must be hooked to the net to do its job.
But that would need more workers on site. They will fully unionize over the long shifts and demand a "living wage".
The idea of hooking something to the net was so one trusted engineer could do the jobs of many on site workers.
Without the internet local workers would have to be hired on site again and they will unionize.
Re Do not hire morons who will plug a memory stick into a unit that's not on the net, after that stick has been in a unit that is on the net.
That moron was the trusted engineer who found a memory stick on site and who was attempting to see who was walking out with company files.
Re Disable any wireless connectivity on systems you are not intentionally hooking to the net.
Why have a physical network all around a site when a wireless network will do? That's some savings all over the site, and the engineer has real-time networking. No network to build in difficult places.
Re Do not hire anybody who would violate the preceding four rules.
But they have to be politically correct and virtue signal. The publicity photos have to have the correct optics.
Unskilled people who are not loyal to the USA have to be given jobs too. The federal gov knows if any company is not hiring the politically correct ratio of unskilled people.
A failed security clearance cannot stop an unskilled person from being considered equally for a job needing a security clearance.
The CEOs have a lot of things to consider. The needs of the engineer to keep the production line working. To stop their workforce from falling under the spell of a union again. To not waste profits when a wireless network is OK.
To hire the correct ratio of unskilled people to keep the federal government from asking questions about hiring practices.
Security is just another consideration on a list of political and spending problems.
Domestic spying is now "Benign Information Gathering"
Of course, if you were going to be that destructive, it would be much safer to drive around in a white diesel van with a PTO and an electromagnetic pulse generator and simply cause widespread chaos on the move. Pretty hard to track you down, as all the tracking systems and agencies go down and you are only noticeable by the fact you are still moving, whilst everything else is coming to a halt, with the damage and impact tied to the power output of your EMP device and how many kilometres you can travel with it pulsing away. Don't do this, it would be bad, seriously, but you know where this is going; it's been said again and again. When governments hack governments, the next step is EMP attacks; it is inevitable that it will escalate to this, and you can bet corporations will attack corporations, billions at stake.
Chaos - everything, everywhere, everywhen
Re "Any data crossing from internet to intranet should require red tape"
East Germany faced just that problem. One day a trusted member of staff walked out with a list of East Germany spies in other nations.
Before creating new trusted spy networks with new names something had to be done to prevent a list of spies ever walking out again.
Details about mission, the spy codename, the real identity got split up into very different physical files kept separated.
Nobody could ever put the real name to the results of a mission without mountains of red tape to walk each file together and see a person's name linked to a mission.
East Germany then went digital.
The East Germans thought it would be good to have a full list that could be accessed if spies had to be given new missions very quickly.
The CIA walked out with the list of all their spies.
The same was used for NSA compartmentalization until the political rush for private sector contractors resulted in walk outs.
The storing of some US gov/mil/contractors/workers information, clearance levels, past work, mission history, lifestyles in plain text on internet facing computers.
Political parties who have trusted staff walk unencrypted data to the waiting media.
So much is done to save time, for politics, for cost savings that later results in vast amounts of data walking.
No apps needed, as everything is in plain text; that's how it's been used every day.
Any refinery or chemical plant that is even remotely compliant with HSE rules should have very limited exposure to anything the control system can do to cause a truly major incident.
Sure it is trivial to shut it down or trivial to do something like cause catalyst or product to go to where it shouldn't. But any scenario that could cause something like an explosion should be identified and protected by safety systems independent of control systems and unable to be directly controlled.
Even when you look at oil industry incidents recently, you can see the majority of accidents are due to mismanagement or bypassing of safety barriers for abnormal reasons which aren't properly risk assessed.
This potential scenario is one of the reasons the TRITON / TRISIS malware we covered recently got so much interest, and likely one of the reasons why the attacker was attempting to modify the code in the safety system.
While you're correct, I would point out that it *is* a direction which several separate things are actively *attempting* to move us towards.
On one side you've got businesses who will cut costs at any opportunity, and only ever keep the bare minimum of safety the law mandates - or lie about having it as we may recall with the BP spill among other incidents. The more that can be done from across the globe with the less workers possible, the better. As long as it can be someone else's fault when everything goes wrong, let the profits fly.
On another side you've also got the companies making and offering the various apps and hardware, most of whom adore planned obsolescence (France is going after Apple over this), and many of whom would love for you to be merely "renting the right to utilize" their stuff under increasingly arcane "terms of service". Like the first lot they're big on trying to deregulate the stuff that's keeping "blow your computer up from afar" from being allowed (right now that would mean you sold them disguised bombs and then triggered the detonators, which would make you terrorists).
After that you've got all those US agencies who salivate at the thought of kill-switches in cars, 'self-destructs' and all sorts of other additions to remote/control processes that anyone would have to be a colossal idiot - or gravely compromised - to ever think would be a good thing to implement. They also enjoy industrial espionage.
And then you've got these vague nebulous "hackers" who may simply be curious about the security or who may want to load the printing presses up with page upon page of their dick-pics. Or perhaps they're with the second side trying to set up a false-flag, or with the first bunch and trying to get insurance money.
Problem is, while it was complete fiction for a long time, and is still mostly just bull, it *is* critical to realize that there are a disturbing number of both groups and individuals for whom being able to explode computers from afar is not only a wonderful idea, but something to invest in ensuring. We need to make sure that this stuff stays bullshit, because