Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Could Blow Up Factories Using Smartphone Apps (technologyreview.com)

Posted by BeauHD on from the remote-control dept.

An anonymous reader quotes a report from MIT Technology Review: Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, spent last year examining 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Bolshev declined to say which companies were the worst offenders or reveal the flaws in specific apps, but he said only two of the 34 had none at all. Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it's linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it's overheating. Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It's not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery. The researchers say they haven't looked at whether any of the flaws has actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.

10 of 125 comments (clear)

  1. FUD by Anonymous Coward · · Score: 5, Insightful

    Oh look, it's the hackers can bomb you with you own computer headline again.
    This time featuring smartphones and apps oh boy that changes everything!

    1. Re:FUD by Darinbob · · Score: 3, Insightful

      Why would any important system be controlled by a smartphone app anyway, that's just dumb. And why would these apps be put on Google Play for the public to see? No operator is going to use an app to control machinery, instead they're going to look at the dials, use an official computer on-site, and so forth. Maybe in the IT world the sysadmin works from home, but in any mission critical application the workers are always on site.

      Any apps used are likely for field service workers to get a quick update (what jobs are left to do, verify that changes are being propogated before packing up, etc). Even then, have you tried using a smartphone or tablet while wearing safety gloves?

      It would be nice to see some examples of the kind of apps that are being used this way in the article.

    2. Re:FUD by johnsie · · Score: 3, Informative

      Actually... I know of several energy companies whose generators and intake valves are controlled by PLCS. Those PLCs are on the same network as PCs (bad practice I know). Technically it would be possible for a hacker to use an infected computer as a stepping stone to controlling the valves and generators. This would let a hacker completely destroy the generator and a lot of equipment the generator is hooked up to.

  2. In the 1980's by AHuxley · · Score: 3, Funny

    Some nice fictional movie script could go like this:
    Someone preppy who is photogenic has a modem and a new computer.
    They had the phone number of their local power plant.
    They created a script to dial every extension and only keep the number of any phone number extension that responded to a modem.
    A day later they got a direct line to a modem in the power plant and could interact in computer ways with the local power company...
    Black helicopters, federal law enforcement in suits swarm the local town looking for the computer owner.
    In 2018 the movie has to have an app. The messages to and from the power plant are now are all on social media and have a pretty GUI.

    --
    Domestic spying is now "Benign Information Gathering"
  3. Here's something to worry about by schematix · · Score: 4, Interesting

    Security in automation controls is an absolute joke. In the world of Rockwell Automation (if you're not familiar, roughly 70% of the US automation market), with network access to a single device anywhere on the automation network, you can go in and upload an entire controller entire program and see the full source. Their only 'security' is easily bypassed by a program on sf. Once you have said program, there is nothing, literally nothing, from stopping you from changing the program logic to do whatever you want. If you like you can even make temporary 'test' changes until poop hits the fan, then cancel them, returning things to normal. There's no logging of any of these changes and no security to prevent you from doing it. This is scarier than Meltdown/Spectre and i'm utterly amazed we haven't seen more disasters due to the simplicity of access and modifying these systems.

    --
    Scott
  4. Re:Only works on factories run by morons by Reverend+Green · · Score: 4, Insightful

    Organizations that blame their security issues on "morons" are unlikely to develop an effective security posture.

  5. Re:no longer a threat by rtb61 · · Score: 3, Interesting

    Of course if you were going to be that destructive, much safer to drive around in a white diesel van with an PTO and an electromagnetic pulse generator and simply cause wide spread chaos on the move. Pretty hard to track you down, as all the tracking systems and agencies go down and you are only noticeable by the fact you are still moving, whilst everything else is coming to a halt with the damage and impact tied to the power output of your EMP device and how many kilometres you can travel with it pulsing away. Don't do this, it would be bad, seriously but you know where this is going been said again and again. When governments hack governments, the next step is EMP attacks, it is inevitable that it will escalate to this and you can bet corporations will attack corporations, billions at stake.

    --
    Chaos - everything, everywhere, everywhen
  6. Re:Internet and intranet access should not mix by AHuxley · · Score: 4, Interesting

    Re "Any data crossing between from internet to intranet should require red tape"
    East Germany faced just that problem. One day a trusted member of staff walked out with a list of East Germany spies in other nations.
    Before creating new trusted spy networks with new names something had to be done to prevent a list of spies ever walking out again.
    Details about mission, the spy codename, the real identity got split up into very different physical files kept separated.
    Nobody could every put the real name to the results of a mission without mountains of red tape to walk each file together and see a person's name linked to a mission.
    East Germany then went digital.
    Th East Germans thought it would be good to have a full list that could be accessed if spies had to be given new missions very quickly.
    The CIA walked out with the list of all their spies.
    The same was used for NSA compartmentalization until the political rush for private sector contractors resulted in walk outs.
    The storing of some US gov/mil/contractors/workers information, clearance levels, past work, mission history, lifestyles in plain text on internet facing computers.
    Political parties who have trusted staff walk unencrypted data to the waiting media.
    So much is done to save time, for politics, for cost savings that later results in vast amounts of data walking.
    No apps needed as everything is in plain text as thats how its been used everyday.

    --
    Domestic spying is now "Benign Information Gathering"
  7. Actually it is hard to imagine by thegarbz · · Score: 3, Interesting

    Any refinery or chemical plant that is even remotely complaint with HSE rules should have very limited exposure to anything the control system can do to cause a truly major incident.

    Sure it is trivial to shut it down or trivial to do something like cause catalyst or product to go to where it shouldn't. But any scenario that could cause something like an explosion should be identified and protected by safety systems independent of control systems and unable to be directly controlled.

    Even when you look at oil industry incidents recently you can see the majority of accidents are due to missmanagement or bypassing of safety barriers for abnormal reasons which aren't properly risk assessed.

    This potential scenario is one of the reasons the TRITON / TRISIS malware we covered recently got so much interest, and likely one of the reasons why the attacker was attempting to modify the code in the safety system.

  8. Re:oh no! you stopped the conveyor line~ by nnull · · Score: 3, Insightful

    For more automated plants, shutting down anything can be quite catastrophic. Bottling lines, injection molders, cnc shops. How are they going to do all this stuff manually? And sabotaging steel mills has absolutely disastrous consequences. All this can cost millions for even just a couple days down time. I know in my plant, I would have to basically send everyone home as there would be nothing for anyone to do. Doing things manually is no longer an option in many places.