Yes, you can remotely hack factory, building site cranes. Wait, what?

Authentication is simply AWOL for remote RF control equipment, says Trend Micro

Did you know that the manufacturing and construction industries use radio-frequency remote controllers to operate cranes, drilling rigs, and other heavy machinery? Doesn't matter: they're alarmingly vulnerable to being hacked, according to Trend Micro.

Available attack vectors for mischief-makers include the ability to inject commands, malicious re-pairing and even the ability to create one's own custom havoc-wreaking commands to remotely controlled equipment.

"Our findings show that current industrial remote controllers are less secure than garage door openers," said Trend Micro in its report – "A security analysis of radio remote controllers" – published today.

As a relatively obscure field, from the IT world's point of view at any rate, remotely controlled industrial equipment appears to be surprisingly insecure by design, according to Trend: "One of the vendors that we contacted specifically mentioned multiple inquiries from its clients, which wanted to remove the need for physically pressing the buttons on the hand-held remote, replacing this with a computer, connected to the very same remote that will issue commands as part of a more complex automation process, with no humans in the loop."

Even the pairing mechanisms between radio frequency (RF) controllers and their associated plant are only present "to prevent protocol-level interferences and allow multiple devices to operate simultaneously in a safe way," Trend said.

Yes, by design some of these pieces of industrial gear allow one operator to issue simultaneous commands to multiple pieces of equipment.

In addition to basic replay attacks, where commands broadcast by a legitimate operator are recorded by an attacker and rebroadcast in order to take over a targeted plant, attack vectors also included command injection, "e-stop abuse" (where miscreants can induce a denial-of-service condition by continually broadcasting emergency stop commands) and even malicious reprogramming. During detailed testing of one controller/receiver pair, Trend Micro researchers found that forged e-stop commands drowned out legitimate operator commands to the target device.

People working with a crane

What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection


One vendor's equipment used identical checksum values in all of its RF packets, making it much easier for mischievous folk to sniff and successfully reverse-engineer those particular protocols. Another target device did not even implement a rolling code mechanism, meaning the receiving device did not authenticate received code in any way prior to executing it, like how a naughty child with an infrared signal recorder/transmitter could turn off the neighbour's telly through the living room window.

Trend Micro also found that of the user-reprogrammable devices it tested, "none of them had implemented any protection mechanism to prevent unattended reprogramming (e.g. operator authentication)".

While the latter may sound scary, factories and construction sites do enjoy a measure of physical security; while this is (notoriously) far from perfect, it does at least dissuade a casual hacker from climbing up a crane on a site to pair his laptop or home-made controller with it, or to try and reflash it with malicious firmware. Yet this is no substitute for proper device security.

Just to keep site managers' blood pressure high, Trend Micro highlighted that not only could script kiddies carry out some of these types of attack against industrial plants, a remote attacker could achieve persistent access by using a battery-powered cellular modem dropped off at a quiet part of a site with a drone.

Trend Micro pointed out: "Generally, there is a friction in patching because of the high downtime costs and business continuity constraints. Also, there's no such thing as 'forensics' in this field. Incidents are scrutinized in the 'physical world', and parts are just replaced to restore normal operations as quickly as possible. In other words, digital attacks are not considered a possibility in this field."

The infosec firm advised system integrators to be on high alert for potential vulns in customer-specified kit. In the long term, the infosec research firm said companies ought to abandon "proprietary RF protocols" in favour of open standards, highlighting Bluetooth Low Energy as having a tad more baked-in security than some of the standards they reverse-engineered, some of which they said had "none at all".

Just three months ago, US-CERT advised some customers of Telecrane gear to patch their control systems – after the disclosure of a security bug that could allow a nearby attacker to wirelessly hijack equipment. The vuln in the Telecrane F25 series of controllers, if left unpatched, would have allowed miscreants to remotely operate cranes via radio signals.

Ken Tindell, CTO of Canis Automotive Labs, mused to El Reg: "It's really a philosophical issue rather than a technical one. On one hand, you don't want to load something down with security implementations when it's a strictly private offline network. On the other, you don't want to put such a lethal thing into the hands of customers that don't appreciate the issues and will naturally do the equivalent of sticking a wet finger into a mains socket." ®

Other stories you might like

  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading

Biting the hand that feeds IT © 1998–2022