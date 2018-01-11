Hackers Could Blow Up Factories Using Smartphone Apps (technologyreview.com) 25
An anonymous reader quotes a report from MIT Technology Review: Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, spent last year examining 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Bolshev declined to say which companies were the worst offenders or reveal the flaws in specific apps, but he said only two of the 34 had none at all. Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it's linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it's overheating. Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It's not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery. The researchers say they haven't looked at whether any of the flaws has actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.
Re: (Score:2)
Well, factories are full of stuff that can kill people and controlling those things with something an operator might treat as a personal device certainly increases the attack surface.
So maybe we're not talking about new possibilities here, but we may be talking about a new set of probabilities.
Re: (Score:2)
Oh, come now. You can't figure out why a *remote attack* that can be executed against a virtually limitless number of targets using their own facilities and leaving no forensic trail back to you might not be just a teensy bit preferable to a truck bomb?
Blow up an oil refinery? (Score:1)
OK let's say you have enough knowledge to do this remotely. Even if you can manipulate process automation through a smartphone app, it's a sure bet you can't change most of the limits or permissives. There are specific reasons why process and power are designed to prevent this and covered by ASME or API codes. It's not random or arbitrary design. And while there are industrial accidents they are usually a chain of multiple failures or unforeseen problems in the design no one anticipated.
This article is
Re: (Score:2)
Organizations that blame their security issues on "morons" are unlikely to develop an effective security posture.
Re: (Score:2)
But that would need more workers on site. They will fully unionize over the long shifts and demand a "living wage".
The idea of hooking something to the net was so one trusted engineer could do the jobs of many on site workers.
Without the internet local workers would have to be hired on site again and they will unionize.
Re Do not hire morons who will plug a memory stick into a unit that's not on the net, after that stick h
Red Storm Rising (Score:2)
In the 1980's (Score:2)
Someone preppy who is photogenic has a modem and a new computer.
They had the phone number of their local power plant.
They created a script to dial every extension and only keep the number of any phone number extension that responded to a modem.
A day later they got a direct line to a modem in the power plant and could interact in computer ways with the local power company...
Black helicopters, federal law enforcement in suits swarm the local town looki
Here's something to worry about (Score:2)
Re: (Score:2)
no longer a threat (Score:2)
Phewww - that was close! But thanks to the diligent bi-partisan efforts of our legislators and the brilliant patriotic leadership of our businesspersons, the United States is safe from this threat. We have no factories left for anyone to blow up.
Internet and intranet access should not mix (Score:2)
If you allow remote access to factory systems with anything else but special purpose laptops with hardware VPN and zero Internet access, you're doing it wrong. Any data crossing between from internet to intranet should require red tape, any software mountains of red tape (all on physically archived paper). Any data from intranet to internet should be across busses verified to be strictly unidirectional (ie. not tcp/ip with some ungodly complex stack written in C).
Almost everyone is doing it wrong
... the on
Exploit them (Score:2)
The only way we are going to see any change in the industry is if it starts costing them money because simply continually cleaning up the messes of careless companies isn't going to change their attitude toward security. The reality is that you are actually enabling them to continue on with their poor security practices.