Skip to Content
Computing

Hackers Could Blow Up Factories Using Smartphone Apps

Researchers have found worrying security holes in apps companies use to control industrial processes.
January 11, 2018
Eni | Flickr

Many companies let workers monitor and manage machines—and sometimes entire industrial processes—via mobile apps. The apps promise efficiency gains, but they also create targets for cyberattacks. At worst, hackers could exploit the flaws to destroy machines—and potentially entire factories.

Two security researchers, Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi, spent last year examining 34 apps from companies including Siemens and Schneider Electric. They found a total of 147 security holes in the apps, which were chosen at random from the Google Play Store. Bolshev declined to say which companies were the worst offenders or reveal the flaws in specific apps, but he said only two of the 34 had none at all.

Some of the vulnerabilities the researchers discovered would allow hackers to interfere with data flowing between an app and the machine or process it’s linked to. So an engineer could be tricked into thinking that, say, a machine is running at a safe temperature when in fact it’s overheating. Another flaw would let attackers insert malicious code on a mobile device so that it issues rogue commands to servers controlling many machines. It’s not hard to imagine this causing mayhem on an assembly line or explosions in an oil refinery. 

Bolshev says this combination of apps and industrial control systems is “a very dangerous and vulnerable cocktail,” though he stresses that the risk will vary widely. Some companies may have multiple fail-safe systems that limit potential damage. They may also insist that engineers rely on several data sources for a machine rather a single reading from an app.

That’s not totally reassuring, however, because there’s evidence hackers have already been able to evade broader defenses around manufacturing facilities (see “A New Industrial Hack Highlights the Cyber Holes in Our Infrastructure”). And the risks extend to other areas; power plants and transport systems are also being hooked up to the Internet. Mobile apps could prove weak points here too.

The researchers say they haven’t looked at whether any of the flaws has actually been exploited. Before publishing their findings, they contacted the companies whose apps had flaws in them. Some have already fixed the holes; many have yet to respond.

Beau Woods, cyber-safety innovation fellow at the Atlantic Council, says there’s a dilemma for businesses. “The last thing you want in an emergency,” he says, “is for operators to be locked out of a critical system, so they’re designed to be accessible in multiple ways,” such as via mobile apps. “But adding this connectivity also adds exposure to the bad guys.”

Deep Dive

Computing

child outside a destroyed residential building in Kiev
child outside a destroyed residential building in Kiev

Russia hacked an American satellite company one hour before the Ukraine invasion

The attack on Viasat showcases cyber’s emerging role in modern warfare.

hacked telecom concept
hacked telecom concept

Chinese hackers exploited years-old software flaws to break into telecom giants

A multi-year hacking campaign shows how dangerous old flaws can linger for years.

stock image of robots in a car plant
stock image of robots in a car plant

Transforming the automotive supply chain for the 21st century

Cloud-based tech solutions are helping manufacturers manage a new ecosystem of suppliers with greater agility and resilience.

The Western Union Building, 60 Hudson Street, c. 1931.
The Western Union Building, 60 Hudson Street, c. 1931.

Energy-hungry data centers are quietly moving into cities

Companies are pushing more server farms into the hearts of population centers.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.