Slashdot Mirror


Hackers Could Blow Up Factories Using Smartphone Apps (technologyreview.com)

An anonymous reader quotes a report from MIT Technology Review: Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, spent last year examining 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Bolshev declined to say which companies were the worst offenders or reveal the flaws in specific apps, but he said only two of the 34 had none at all. Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it's linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it's overheating. Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It's not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery. The researchers say they haven't looked at whether any of the flaws has actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.

30 of 125 comments

  1. FUD by Anonymous Coward · Score: 5, Insightful

    Oh look, it's the "hackers can bomb you with your own computer" headline again.
    This time featuring smartphones and apps; oh boy, that changes everything!

    1. Re:FUD by hey! · Score: 2

      Well, factories are full of stuff that can kill people and controlling those things with something an operator might treat as a personal device certainly increases the attack surface.

      So maybe we're not talking about new possibilities here, but we may be talking about a new set of probabilities.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:FUD by Darinbob · Score: 3, Insightful

      Why would any important system be controlled by a smartphone app anyway, that's just dumb. And why would these apps be put on Google Play for the public to see? No operator is going to use an app to control machinery, instead they're going to look at the dials, use an official computer on-site, and so forth. Maybe in the IT world the sysadmin works from home, but in any mission critical application the workers are always on site.

      Any apps used are likely for field service workers to get a quick update (what jobs are left to do, verify that changes are being propagated before packing up, etc.). Even then, have you tried using a smartphone or tablet while wearing safety gloves?

      It would be nice to see some examples of the kind of apps that are being used this way in the article.

    3. Re:FUD by johnsie · Score: 3, Informative

      Actually... I know of several energy companies whose generators and intake valves are controlled by PLCs. Those PLCs are on the same network as PCs (bad practice, I know). Technically it would be possible for a hacker to use an infected computer as a stepping stone to controlling the valves and generators. This would let a hacker completely destroy the generator and a lot of equipment the generator is hooked up to.

    4. Re:FUD by thegarbz · Score: 2

      Factories are full of stuff that can kill people, and preventing them from killing people has nothing to do with controlling them, and everything to do with independent safety mechanisms.

      Any modern plant maintained to any HSE or OSHA minimum standards would allow the control system to do whatever the hell it wants without blowing something up or killing anyone.

      Sure there's a shutdown risk, but the major risks should be controlled in a way independent of something someone at a console could do.

    5. Re:FUD by Anonymous Coward · Score: 2, Interesting

      While you're correct, I would point out that it *is* a direction which several separate things are actively *attempting* to move us towards.

      On one side you've got businesses who will cut costs at any opportunity, and only ever keep the bare minimum of safety the law mandates - or lie about having it as we may recall with the BP spill among other incidents. The more that can be done from across the globe with the less workers possible, the better. As long as it can be someone else's fault when everything goes wrong, let the profits fly.

      On another side you've also got the companies making and offering the various apps and hardware, most of whom adore planned obsolescence (France is going after Apple over this), and many of whom would love for you to be merely "renting the right to utilize" their stuff under increasingly arcane "terms of service". Like the first lot they're big on trying to deregulate the stuff that's keeping "blow your computer up from afar" from being allowed (right now that would mean you sold them disguised bombs and then triggered the detonators, which would make you terrorists).

      After that you've got all those US agencies who salivate at the thought of kill-switches in cars, 'self-destructs' and all sorts of other additions to remote/control processes that anyone would have to be a colossal idiot - or gravely compromised - to ever think would be a good thing to implement. They also enjoy industrial espionage.

      And then you've got these vague nebulous "hackers" who may simply be curious about the security or who may want to load the printing presses up with page upon page of their dick-pics. Or perhaps they're with the second side trying to set up a false-flag, or with the first bunch and trying to get insurance money.

      Problem is, while it was complete fiction for a long time, and is still mostly just bull, it *is* critical to realize that there are a disturbing number of both groups and individuals for whom being able to explode computers from afar is not only a wonderful idea, but something to invest in ensuring. We need to make sure that this stuff stays bullshit, because

    6. Re:FUD by Bob+the+Super+Hamste · Score: 2

      You would be surprised at the dumb shit I have seen in dealing with securing similar systems. Yes it is layer upon layer of security measures, or it should be. But far too often someone forgets about that ancient tape changer in storage room b-37 that is still connected, or some PHB decides that they want to be able to check in on machines and shut them down from their cellphone while at home.

      One of the problems with ICS systems and others like them is that they assume that the operator knows what they are doing, as most of the time the people who are running these things do. The problem occurs when someone who isn't competent, or is malicious, wants to do something else. Here the system may warn them before but will let them do it anyway, unless it was a known bad configuration when initially programmed, but this is often far too big of a state space to program for. Yes, there are mechanical limits put on the machine, but that doesn't mean it isn't possible to create an unsafe set of settings, as was done with the Aurora generator test where it was brought out of phase with the rest of the grid. Under normal operation that would have been impossible, but by toggling things correctly it became possible to bring it out of phase. This took a bunch of very smart people to figure out the right sequence of events, so while it isn't something that could be done easily, it could be done, and with cellphone apps it becomes more likely. That said, of all the things to worry about this is very low on the list, unless it is your job, and instead I would worry more about squirrels.

      Also you seem to have forgotten about the whole Stuxnet incident and other related and similar attacks, all of which were able to abuse equipment. Of course there was the attack against the Ukrainian power grid a little more than 2 years ago too. So I stand by my statement that very often this is overblown in the media, who love spreading FUD; there is a nugget of truth hidden there, and people who have to deal with these systems need to pay attention.

      --
      Time to offend someone
    7. Re:FUD by nnull · Score: 2

      I don't know. But go to anyone hosting conferences for Siemens, Rockwell, etc. The big talk is about having things controlled with your smartphone app and being able to upload changes while sitting on a beach. Try to mention anything about the dangers of such a system and you get talked down to.

  2. Blow up an oil refinery? by Anonymous Coward · Score: 2, Informative

    OK let's say you have enough knowledge to do this remotely. Even if you can manipulate process automation through a smartphone app, it's a sure bet you can't change most of the limits or permissives. There are specific reasons why process and power are designed to prevent this and covered by ASME or API codes. It's not random or arbitrary design. And while there are industrial accidents they are usually a chain of multiple failures or unforeseen problems in the design no one anticipated.

    This article is FUD. You may be able to trip the plant or shut down production, but unlikely to cause a malfunction that results in a catastrophe.

    A few people shot out some PG&E transformer oil reservoirs in California a while back. It tripped the substation, and PG&E routed around it. That is more likely than a hacker gaining enough knowledge to cause damage remotely.

  3. Only works on factories run by morons by Anonymous Coward · Score: 2, Informative

    1st rule of internet security: Only hook something to the net if it must be hooked to the net to do its job.
    2nd rule of internet security: If a system is hooked to the net to allow monitoring, make it only capable of transmitting onto the net, and not receiving from the net.
    3rd rule of internet security: Do not hire morons who will plug a memory stick into a unit that's not on the net, after that stick has been in a unit that is on the net.
    4th rule of internet security: Disable any wireless connectivity on systems you are not intentionally hooking to the net.
    5th rule of internet security: Do not hire anybody who would violate the preceding four rules.

    If your CEO is a moron he/she will make it less than a fireable offense to violate any of the above, and then your company deserves to have its factories explode.

    1. Re:Only works on factories run by morons by Reverend+Green · Score: 4, Insightful

      Organizations that blame their security issues on "morons" are unlikely to develop an effective security posture.

    2. Re:Only works on factories run by morons by AHuxley · Score: 2, Interesting

      Re Only hook something to the net if it must be hooked to the net to do its job.

      But that would need more workers on site. They will fully unionize over the long shifts and demand a "living wage".
      The idea of hooking something to the net was so one trusted engineer could do the jobs of many on site workers.
      Without the internet local workers would have to be hired on site again and they will unionize.

      Re Do not hire morons who will plug a memory stick into a unit that's not on the net, after that stick has been in a unit that is on the net.

      That moron was the trusted engineer who found a memory stick on site and who was attempting to see who was walking out with company files.

      Re Disable any wireless connectivity on systems you are not intentionally hooking to the net.

      Why have a physical network all around a site when a wireless network will do? That's some savings all over the site, and the engineer has real-time networking. No network to build in difficult places.

      Re Do not hire anybody who would violate the preceding four rules.

      But they have to be politically correct and virtue signal. The publicity photos have to have the correct optics.
      Unskilled people who are not loyal to the USA have to be given jobs too. The federal gov knows if any company is not hiring the politically correct ratio of unskilled people.
      A failed security clearance cannot stop an unskilled person from being considered equally for a job needing a security clearance.

      The CEO's have a lot of things to consider. The needs of the engineer to keep the production line working. To stop their workforce from falling under the spell of a union again. To not waste profits when a wireless network is ok.
      To hire the correct ratio of unskilled people to keep the federal government from asking questions about hiring practices.
      Security is just another consideration on a list of political and spending problems.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Only works on factories run by morons by Darinbob · Score: 2

      By "moron" this means the people creating the security procedures, or the workers who refused to take the proper training. The solution is to fire those workers. I.e., the poster did not mean you should blame the workers who are morons, but meant that essentially no company is being this stupid unless it's actually being run by morons. In that case, you can blame the morons who are running the company.

  4. In the 1980's by AHuxley · Score: 3, Funny

    Some nice fictional movie script could go like this:
    Someone preppy who is photogenic has a modem and a new computer.
    They had the phone number of their local power plant.
    They created a script to dial every extension and only keep the number of any phone number extension that responded to a modem.
    A day later they got a direct line to a modem in the power plant and could interact in computer ways with the local power company...
    Black helicopters, federal law enforcement in suits swarm the local town looking for the computer owner.
    In 2018 the movie has to have an app. The messages to and from the power plant are now all on social media and have a pretty GUI.

    --
    Domestic spying is now "Benign Information Gathering"
  5. Here's something to worry about by schematix · Score: 4, Interesting

    Security in automation controls is an absolute joke. In the world of Rockwell Automation (if you're not familiar, roughly 70% of the US automation market), with network access to a single device anywhere on the automation network, you can go in and upload a controller's entire program and see the full source. Their only 'security' is easily bypassed by a program on sf. Once you have said program, there is nothing, literally nothing, stopping you from changing the program logic to do whatever you want. If you like you can even make temporary 'test' changes until poop hits the fan, then cancel them, returning things to normal. There's no logging of any of these changes and no security to prevent you from doing it. This is scarier than Meltdown/Spectre and I'm utterly amazed we haven't seen more disasters due to the simplicity of accessing and modifying these systems.

    --
    Scott
    1. Re: Here's something to worry about by schematix · Score: 2

      Most of these systems are highly networked. Frequently they are linked to business networks for data collection. It's usually only 1 or 2 hops off the general internet. A system I am very familiar with has publicly routable IPv4 IP addresses going into the main control rack for all of their process systems. The only thing preventing access is a firewall. But even then, if you get into the business network, it's all wide open. Don't get me wrong, there is a lot of security, but it's also connected and one hop away from being wide open.

      --
      Scott
    2. Re: Here's something to worry about by rkordmaa · Score: 2

      Yeah... that factory is just an operator looking at a porn site away from shutdown; hard lesson to learn, but you'll cut the cord when it happens, restore the machines and continue. It's not the hacker you need to fear, but just the regular old viruses that try to sell you penile enlargement pills and crash everything while they are at it.
      Question: when did you last stop the production in order to apply Windows updates? What's that I hear, never in the last 10 years?

  6. Internet and intranet access should not mix by Pinky's+Brain · Score: 2

    If you allow remote access to factory systems with anything else but special purpose laptops with hardware VPN and zero Internet access, you're doing it wrong. Any data crossing from internet to intranet should require red tape, any software mountains of red tape (all on physically archived paper). Any data from intranet to internet should be across buses verified to be strictly unidirectional (i.e. not TCP/IP with some ungodly complex stack written in C).

    Almost everyone is doing it wrong ... the only place you should BYOD is the unemployment line.

    1. Re:Internet and intranet access should not mix by AHuxley · Score: 4, Interesting

      Re "Any data crossing between from internet to intranet should require red tape"
      East Germany faced just that problem. One day a trusted member of staff walked out with a list of East German spies in other nations.
      Before creating new trusted spy networks with new names, something had to be done to prevent a list of spies ever walking out again.
      Details about the mission, the spy codename and the real identity got split up into very different physical files kept separated.
      Nobody could ever put the real name to the results of a mission without mountains of red tape to walk each file together and see a person's name linked to a mission.
      East Germany then went digital.
      The East Germans thought it would be good to have a full list that could be accessed if spies had to be given new missions very quickly.
      The CIA walked out with the list of all their spies.
      The same was used for NSA compartmentalization until the political rush for private sector contractors resulted in walk-outs.
      The storing of some US gov/mil/contractors/workers information, clearance levels, past work, mission history, lifestyles in plain text on internet-facing computers.
      Political parties who have trusted staff walk unencrypted data to the waiting media.
      So much is done to save time, for politics, for cost savings that later results in vast amounts of data walking.
      No apps needed, as everything is in plain text, as that's how it's been used every day.

      --
      Domestic spying is now "Benign Information Gathering"
  7. Exploit them by Gravis+Zero · Score: 2

    The only way we are going to see any change in the industry is if it starts costing them money, because simply continually cleaning up the messes of careless companies isn't going to change their attitude toward security. The reality is that you are actually enabling them to continue on with their poor security practices.

    --
    Anons need not reply. Questions end with a question mark.
  8. Re:no longer a threat by rtb61 · Score: 3, Interesting

    Of course if you were going to be that destructive, it would be much safer to drive around in a white diesel van with a PTO and an electromagnetic pulse generator and simply cause widespread chaos on the move. Pretty hard to track you down, as all the tracking systems and agencies go down and you are only noticeable by the fact you are still moving, whilst everything else is coming to a halt, with the damage and impact tied to the power output of your EMP device and how many kilometres you can travel with it pulsing away. Don't do this, it would be bad, seriously, but you know where this is going; it's been said again and again. When governments hack governments, the next step is EMP attacks; it is inevitable that it will escalate to this, and you can bet corporations will attack corporations, billions at stake.

    --
    Chaos - everything, everywhere, everywhen
  9. Re:Security researchers, Ivan Yaganoff & Ima C by PopeRatzo · Score: 2

    Damn Slashdot stepped on my joke. The subject line of my above comment was supposed to be,

    Two security researchers, Ivan Yaganoff and Ima Chirkoff

    --
    You are welcome on my lawn.
  10. Actually it is hard to imagine by thegarbz · Score: 3, Interesting

    Any refinery or chemical plant that is even remotely compliant with HSE rules should have very limited exposure to anything the control system can do to cause a truly major incident.

    Sure it is trivial to shut it down or trivial to do something like cause catalyst or product to go to where it shouldn't. But any scenario that could cause something like an explosion should be identified and protected by safety systems independent of control systems and unable to be directly controlled.

    Even when you look at oil industry incidents recently, you can see the majority of accidents are due to mismanagement or bypassing of safety barriers for abnormal reasons which aren't properly risk assessed.

    This potential scenario is one of the reasons the TRITON / TRISIS malware we covered recently got so much interest, and likely one of the reasons why the attacker was attempting to modify the code in the safety system.
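The independent-safety-system point made in comment 1.4 and again here in comment 10, together with the spoofed-temperature scenario from the summary, as an added simulation that is not from the article or any commenter; the reactor model, the thresholds and the class names (Reactor, BPCS, SIS) are constructed for illustration, not taken from any real plant:

```python
from dataclasses import dataclass

TRIP_TEMP_C = 180.0          # SIS hard limit: set in hardware/config, not by any app
BPCS_HIGH_ALARM_C = 150.0    # control-system alarm the operator sees on the app


@dataclass
class Reactor:
    """Crude thermal model (constructed): temperature relaxes toward 2 x heater %."""
    temp_c: float = 100.0
    heater_pct: float = 30.0
    tripped: bool = False

    def step(self) -> None:
        if self.tripped:            # a trip latches and de-energises the heater
            self.heater_pct = 0.0
        self.temp_c += (2.0 * self.heater_pct - self.temp_c) * 0.2


@dataclass
class BPCS:
    """Basic process control system: trusts the setpoint and temperature it is
    handed over the operator-facing path (here, the phone app) and drives the heater."""
    setpoint_c: float = 100.0
    alarm_raised: bool = False

    def control(self, reactor: Reactor, reported_temp_c: float) -> None:
        if reported_temp_c >= BPCS_HIGH_ALARM_C:
            self.alarm_raised = True
        error = self.setpoint_c - reported_temp_c
        reactor.heater_pct = max(0.0, min(100.0, reactor.heater_pct + 0.5 * error))


class SIS:
    """Safety instrumented system: its own sensor, its own logic, and no write
    path from the control network or the app. It only ever reads the real value."""
    def __init__(self, trip_temp_c: float = TRIP_TEMP_C) -> None:
        self.trip_temp_c = trip_temp_c

    def check(self, reactor: Reactor) -> bool:
        if reactor.temp_c >= self.trip_temp_c:
            reactor.tripped = True
        return reactor.tripped


def run(setpoint_c, spoofed_temp_c=None, with_sis=True, steps=20):
    """Simulate `steps` scan cycles. If spoofed_temp_c is given, the app path feeds
    that fixed 'safe' value to the BPCS instead of the real sensor reading."""
    reactor, bpcs = Reactor(), BPCS(setpoint_c=setpoint_c)
    sis = SIS() if with_sis else None
    max_temp, trip_step = reactor.temp_c, None
    for i in range(1, steps + 1):
        reported = reactor.temp_c if spoofed_temp_c is None else spoofed_temp_c
        bpcs.control(reactor, reported)
        if sis and sis.check(reactor) and trip_step is None:
            trip_step = i
        reactor.step()
        max_temp = max(max_temp, reactor.temp_c)
    return {"max_temp_c": round(max_temp, 2), "tripped": reactor.tripped,
            "trip_step": trip_step, "bpcs_alarm": bpcs.alarm_raised}


if __name__ == "__main__":
    print("honest app, setpoint 120:          ", run(120.0))
    print("rogue setpoint 300, spoofed 100 C: ", run(300.0, 100.0))
    print("same, no independent SIS:          ", run(300.0, 100.0, with_sis=False))
```

In the tampered run the BPCS alarm never fires because it only sees the spoofed reading, yet the SIS still trips on its own sensor; remove the SIS and the same commands drive the reactor toward the heater's full output with nothing in the loop to stop it.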

  11. Re:oh no! you stopped the conveyor line~ by nnull · Score: 3, Insightful

    For more automated plants, shutting down anything can be quite catastrophic. Bottling lines, injection molders, CNC shops. How are they going to do all this stuff manually? And sabotaging steel mills has absolutely disastrous consequences. All this can cost millions for even just a couple of days' downtime. I know in my plant, I would have to basically send everyone home as there would be nothing for anyone to do. Doing things manually is no longer an option in many places.

  12. Re:no setpoint access / they won't trust you by nnull · Score: 2

    Or you can just get the Teamviewer ID and password because the vast majority of tech support by major machine manufacturers and/or integrators use Teamviewer and a vast majority of them use the same password.

  13. Re:HAS SCIENCE GONE TOO FAR??? by nnull · Score: 2

    There is going to be far more connected industrial equipment. Data acquisition is a big factor in this, which I don't see a problem with. Interconnecting multiple pieces of equipment to form one line is another. However, lately there is a big push by big name companies like Siemens pushing remote access to your equipment from the beach and being able to "fix" mistakes from said beach. All the Siemens engineers are quite proud of this feature at these conferences, that you can change the functionality of a piece of equipment thousands of miles away without even knowing what the hell it's doing physically, like maybe squishing one of those poor workers that's around it. I find that more concerning than worrying about someone trying to blow up a plant.

  14. Morons are too clever by sjbe · Score: 2

    3rd rule of internet security: Do not hire morons who will plug a memory stick into a unit that's not on the net, after that stick has been in a unit that is on the net.

    Not possible. If you don't want a memory stick plugged in then you will have to physically remove access. Even smart people with the best of intentions make mistakes or sometimes are duped.

    4th rule of internet security: Disable any wireless connectivity on systems you are not intentionally hooking to the net.

    Wireless (and wired) connectivity systems should be disabled by default and require positive action to enable. End users should not have the rights to enable this functionality.

    5th rule of internet security: Do not hire anybody who would violate the preceding four rules.

    And how do you propose to identify these people ahead of time, since they don't carry Bill Engvall "I'm stupid" signs?

  15. Re: no longer a threat by l20502 · Score: 2

    I'd say cars stopping all around the truck and trapping it/blocking streets would quickly end this plan.

  16. Have you never heard of SCADA or Project Aurora by Anonymous Coward · Score: 2, Informative

    SCADA (process control) networks have long been known to have vulnerabilities that can be exploited in the real world. Further, Project Aurora proved you could cause a generator to explode with the proper SCADA inputs. Just because they are front-ending the mess with apps doesn't change anything.

  17. Don't they follow the '2 mechanical backups'... by Anonymous Coward · Score: 2, Informative

    ...rule. When I was working with high voltage semiconductor equipment, the rule was that there had to be 2 electromechanical (i.e. not computer controlled) backup systems to 'safe' things before they could be accessed. Seemed sensible to me. Is this not followed anymore?