Did you know that the manufacturing and construction industries use radio-frequency remote controllers to operate cranes, drilling rigs and other heavy machinery? Whether or not you did, those controllers are alarmingly vulnerable to being hacked, according to Trend Micro.
Remotely controlled industrial equipment is a relatively obscure field, from the IT world's point of view at any rate, and Trend found it to be surprisingly insecure by design. Customers are even asking vendors to take the human out of the loop entirely: "One of the vendors that we contacted specifically mentioned multiple inquiries from its clients, which wanted to remove the need for physically pressing the buttons on the hand-held remote, replacing this with a computer, connected to the very same remote that will issue commands as part of a more complex automation process, with no humans in the loop."
In addition to basic replay attacks, in which commands broadcast by a legitimate operator are recorded by an attacker and rebroadcast later to take over the targeted plant, the attack vectors included command injection, "e-stop abuse" (in which miscreants induce a denial-of-service condition by continually broadcasting emergency-stop commands) and even malicious reprogramming. During detailed testing of one controller/receiver pair, Trend Micro researchers found that forged e-stop commands drowned out legitimate operator commands to the target device.
One vendor's equipment used identical checksum values in all of its RF packets; a field that never changes carries no information about the rest of the packet, so it is one less thing to work out, making it much easier for mischievous folk to sniff and reverse-engineer that particular protocol. Another target device did not even implement a rolling code mechanism, meaning the receiver did not authenticate a received command in any way before executing it: any packet in the right format was obeyed, much as a naughty child with an infrared signal recorder/transmitter could turn off the neighbour's telly through the living-room window.
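To make the replay and rolling-code points above concrete, here is an added example (not code from the article, from Trend Micro's research or from any vendor) that simulates two receivers: a naive one that obeys any well-formed packet carrying the constant checksum, and a hardened one that authenticates each packet with a keyed MAC and a rolling counter. The packet layout, command codes, checksum byte, pairing key and counter window are all constructed for this example and do not describe a real product's protocol.

```python
"""Toy RF remote-control receivers: a naive one that obeys any well-formed
packet, and a hardened one that authenticates each packet with a keyed MAC
and a rolling counter.  The packet layout, command codes, checksum value and
counter window are constructed for this example and are not any real
vendor's protocol."""
import hashlib
import hmac
import struct

CMD_HOIST_UP = 0x01    # constructed command codes
CMD_ESTOP = 0xFF
FIXED_CHECKSUM = 0xA5  # the "checksum" never changes, as in the weak protocol above
TAG_LEN = 8


def naive_encode(cmd):
    """Weak protocol: one command byte plus a constant checksum byte.
    Nothing in the packet identifies the sender or the moment it was sent."""
    return bytes([cmd, FIXED_CHECKSUM])


class NaiveReceiver:
    """Executes anything with the right length and the (constant) checksum."""

    def __init__(self):
        self.executed = []

    def receive(self, pkt):
        if len(pkt) == 2 and pkt[1] == FIXED_CHECKSUM:
            self.executed.append(pkt[0])
            return True
        return False


class RollingTransmitter:
    """Hardened protocol: command byte, 32-bit rolling counter, truncated HMAC."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def send(self, cmd):
        self.counter += 1
        body = struct.pack(">BI", cmd, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class RollingReceiver:
    """Accepts a packet only if its MAC verifies under the pairing key and its
    counter is strictly newer than the last accepted one (within a window so
    that a few lost packets do not desynchronise the pair)."""
    WINDOW = 16

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.executed = []

    def receive(self, pkt):
        if len(pkt) != 5 + TAG_LEN:
            return False
        body, tag = pkt[:5], pkt[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or tampered packet
        cmd, counter = struct.unpack(">BI", body)
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return False                      # replayed (or wildly out-of-sync) packet
        self.last_counter = counter
        self.executed.append(cmd)
        return True


def demo():
    """Run the same attacker moves against both receivers and report what got through."""
    key = b"example-pairing-key"             # assumed to be shared at pairing time
    naive = NaiveReceiver()
    captured = naive_encode(CMD_HOIST_UP)    # attacker sniffs a legitimate packet
    naive.receive(captured)
    results = {
        "naive_replay": naive.receive(captured),                        # replay succeeds
        "naive_estop_inject": naive.receive(naive_encode(CMD_ESTOP)),   # forged e-stop succeeds
    }

    tx, rx = RollingTransmitter(key), RollingReceiver(key)
    captured = tx.send(CMD_HOIST_UP)
    rx.receive(captured)
    forged = struct.pack(">BI", CMD_ESTOP, rx.last_counter + 1) + b"\x00" * TAG_LEN
    tampered = bytes([CMD_ESTOP]) + captured[1:]   # change the command, keep the old tag
    results.update({
        "hardened_replay": rx.receive(captured),            # same counter again: rejected
        "hardened_forged_estop": rx.receive(forged),        # no key, bad MAC: rejected
        "hardened_tampered": rx.receive(tampered),          # MAC no longer matches: rejected
        "hardened_fresh": rx.receive(tx.send(CMD_ESTOP)),   # genuine e-stop still works
    })
    results["naive_executed"] = list(naive.executed)
    results["hardened_executed"] = list(rx.executed)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened receiver defeats replay and forgery, but not everything in the article: an attacker who simply jams the band still produces a denial of service, and a real design would also have to handle counter wrap-around and re-synchronisation after more than WINDOW lost packets, which this toy omits.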
Trend Micro also found that of the user-reprogrammable devices it tested, "none of them had implemented any protection mechanism to prevent unattended reprogramming (e.g. operator authentication)".
Just three months ago, US-CERT advised customers of Telecrane's F25 series of controllers to patch their control systems after the disclosure of a security bug that allows a nearby attacker to wirelessly hijack the equipment. Left unpatched, the vuln lets miscreants remotely operate cranes via radio signals.
The attack vectors available to mischief-makers thus include injecting commands, malicious re-pairing of controllers, and even crafting one's own custom havoc-wreaking commands for remotely controlled equipment. If you think your company is vulnerable to such attacks, or know of a company that is, have them reach out to Nero Consulting for a penetration test and audit.