Mobile devices and the Industrial Internet of Things (IIoT) 

February 24, 2018 | Product News

In the movie Jurassic Park, Dr. Ian Malcolm (played by Jeff Goldblum) has a memorable quote:

“Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should.”

While Dr. Malcolm was talking about cloning dinosaurs for entertainment, not about connecting billions of frequently insecure and difficult-to-upgrade devices to the Internet and then bridging access to them from mobile devices, the quote seems relevant here as well.

Mobile apps are an overlooked access point for IIoT

Whenever people write code, they also create bugs. Combined with cheap embedded hardware like the ESP8266 that can network devices easily on existing public networks, we now have drones that spread worms across networks of lightbulbs, thermostats that can spy on you, refrigerators that send (email) spam, and who knows what will happen when more toilets are connected to the Internet. (Disclosure: I am ashamed to admit the toilet was my fault. Sorry.)


These are all attacks on residential devices; commercial and industrial devices, however, have the same problems. Targeted attacks against hardware aren’t limited to nation-state level actors: worms that spread across networked power distribution devices have existed since at least 2009, and Shodan scans targeting IoT devices regularly turn up SCADA systems.

Common recommendations for securing general purpose and industrial IoT (IIoT) devices include limiting access to networks, especially networks carrying devices that assume the network is isolated and as a result don’t encrypt their traffic; ensuring devices have up-to-date firmware and strong passwords; and being careful when using devices that depend on cloud services. But what happens when those cloud services are inseparably integrated with a mobile device as the endpoint, a general purpose computing device running its own code in an environment that is much easier for an attacker to manipulate?

Mobile app risks pose IIoT dangers as well
A recent report by researchers from Embedi and IOActive paints a bleak picture of security in industrial control systems (ICSes) connected to mobile devices. In an analysis of ICS applications two years earlier, the researchers had predicted that “due to the rapidly developing nature of mobile software, all these problems will soon be gone.” Now, with more than 20% of the almost 150 vulnerabilities they discovered in a random sample of apps leading to attacks that could influence an industrial process or present operators with bad information, they concede that they were wrong and that their previous prediction was too optimistic.

In the report, the authors map the discovered vulnerabilities to the OWASP Top Ten mobile risks and add one additional category for backend software bugs. These aren’t new problems; they are documented well enough that a large volume of detailed information, analysis, and recommendations is publicly available to any developer interested in learning more.
