I was talking a while ago to Justin Engler, a friend who also happens to be a really talented web app and mobile app security researcher, about the popping-up of ICS management software for mobile devices. He theorized that mobile apps for ICS would be an interesting place to watch for bugs nearly three years ago. Dale’s recent ICSJWG Q&A over mobile device security gave me a little motivation to dig into some sample apps and see how the field actually looks. The results highlight some of the issues that your organization will run into if and when you decide to adopt mobile.
The focus of this post is not just application security. While there are a few specific vulnerable applications mentioned, I think that the big lessons should be ones of architecture and integration challenges. The current lot of ICS management apps pay little mind to securing access or preventing bad operation. Even an app with ‘secure’ on its product homepage may leave you wide open.
I decided to pick on Android simply because my only jailbroken iOS device at the moment is so terribly destroyed from years of abuse that installing new apps is a nonstarter. There also seems to be more interesting control systems apps for Android at the moment.
A quick survey of Google’s Play store for terms such as ‘SCADA’’, ‘PLC’, and ‘OPC’ turns up a few applications worth checking out. Unfortunately there are no apps that I could find which do what Dale prescribes: obtain safe, accurate, remote, ‘read-only’ access to control system data. Doing so will require a lot of backend work on your part.
Let’s take a look at two interesting vulnerable applications.