What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection

Builders warned over Telecrane remote control radio vuln

US-CERT is advising some customers of Telecrane construction cranes to patch their control systems – following the disclosure of a security bug that could allow a nearby attacker to wirelessly hijack the equipment.

The government security body this week issued an alert on CVE-2018-17935, a vulnerability in the Telecrane F25 series of controllers, which allows construction crews to remotely operate building cranes from the ground.

The F25 software was found to contain a capture replay vulnerability – basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane.

"These devices use fixed codes that are reproducible by sniffing and re-transmission," US-CERT explained.

"This can lead to unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent 'stop' state."
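The difference between the fixed codes US-CERT describes and a replay-resistant frame, sketched as an added example that is not Telecrane's code or protocol. The frame layout, command codes, key and class names are all constructed for illustration.

```python
import hashlib
import hmac
import struct

PAIRING_KEY = b"constructed-demo-key"  # assumption: secret shared when the pair is bound
TAG_LEN = 8                            # truncated HMAC-SHA256 tag length in bytes
CMD_UP, CMD_STOP = 0x01, 0x02          # hypothetical command codes

class FixedCodeReceiver:
    """Models the advisory's weakness: a frame is valid if it carries the fixed code."""
    def __init__(self, fixed_code: bytes):
        self.fixed_code = fixed_code

    def accept(self, frame: bytes) -> bool:
        # Frames for a command are byte-identical every time, so a recording
        # cannot be told apart from a fresh transmission.
        return len(frame) > 1 and hmac.compare_digest(frame[1:], self.fixed_code)

class Transmitter:
    """Hardened sender: command + monotonic counter, authenticated with a MAC."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def frame(self, cmd: int) -> bytes:
        self.counter += 1
        body = struct.pack(">BI", cmd, self.counter)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]

class CounterMacReceiver:
    """Hardened receiver: checks the MAC, then insists the counter moves forward."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        _cmd, counter = struct.unpack(">BI", body)
        if counter <= self.last_counter:
            return False  # stale counter: a replayed recording
        self.last_counter = counter
        return True
```

In a real receiver the last accepted counter has to survive power cycles, otherwise a reboot reopens the replay window.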

It's a bad enough flaw on its own, but what would be a moderate risk becomes a bit more scary when it involves massive construction equipment at a time when we know state-sponsored hacking groups are looking for ways to cause extensive real-world damage by manipulating industrial equipment.

Researchers Jonathan Andersson, Philippe Lin, Akira Urano, Marco Balduzzi, Federico Maggi, Stephen Hilt, and Rainer Vosseler were credited with discovering and reporting the flaw via Trend Micro's Zero Day Initiative.

Telecrane did not respond to a request for comment on the matter. ®
