There is an app for that!
Recent news notes that the first iPhone worm is making the rounds. It takes advantage of default passwords on jailbroken iPhones. The hack was first demonstrated as a "Rickroll" joke exploit and dubbed the ikee worm, but wily hackers have since used the initial prank worm to engineer a worm that collects data and downloads user info. So from Rickroll to malicious exploit in a little over a week. The initial code (ikee worm) is available on the web, but I will refrain from linking it.
Now to apply this directly to control systems. A bit of perusing through the iPhone app store finds some SCADA apps for the iPhone. Not wanting to pick on any particular vendor, but just looking at the results from some quick browsing, one that is principally for the management of PLCs and their associated tag data can be seen here. So for the sake of efficiency we have expanded the attack surface of our installations. It is not a stretch to consider the implications of a hacked phone running this type of application.
During some of the discussion (in the hallway) at ICSJWG this type of situation was addressed. As more products move to "smart phone" support, the risk of a phone-based incident increases. It could range from the non-technical, such as what happens if some engineer or operator loses their control-system-enabled phone, to the exploit-based scenario above. The whizbang coolness of implementing this kind of technology has got to be well tempered with a thorough understanding of the risk.
Author: Kevin Lackey
Posted: November 12th, 2009 under Calculating Risk, Remote Access.
Comments: 2
Comments
Comment from amino world
Time: November 13, 2009, 11:49 am
someone please remind me again: what is the problem that SCADA access from smart phones is the solution for?
Pingback from Digital Bond » Smart Phones as Threat Vectors
Time: January 13, 2010, 4:48 pm
[...] resonated with me as I posted a similar line of thought when a virus for iPhones was making the rounds in November. As our mobile devices converge in [...]