Early last week, cybersecurity firm Trend Micro released a report based on a two-year research project exploiting vulnerabilities they found in radio frequency (RF) remote controllers used to operate construction equipment like cranes and excavators.
So, how easy was it for Trend Micro’s research team to hijack the RF signals and take control of the cranes? According to the report, “Our findings show that current industrial remote controllers are less secure than garage door openers.”
The skill level needed to hack the cranes is minimal and the equipment required is inexpensive and easily attainable. The types of attacks they tested were done using laptops, a software-defined radio (SDR), and other RF equipment that can be purchased for less than $500 in some cases. The team was able to set up their equipment and carry out the attacks in a matter of minutes.
To carry out the attacks, the Trend Micro team had to reverse engineer the RF protocols, copy the control commands transmitted in data packets, and then replay them on their own transmitters to take control of the cranes.
The research team conducted tests on 14 devices manufactured by seven vendors. Some of the tests were performed in a lab and others were conducted, with permission, on active construction sites. The five tests conducted (and their level of difficulty) included:
- Replay attack – involves recording RF data packets and replaying them to obtain basic control of the machine. (Easy)
- Command injection – Once the RF protocol is known, the data packets are modified to take complete control of the machine. (Intermediate)
- Emergency stop abuse – Using a replay attack or command injection to transmit the e-stop command packet and prevent the crane from operating. (Easy)
- Malicious re-pairing – The functionalities of a transmitter are cloned onto a new one controlled by the hacker to control the receiver or multiple receivers in some instances. (Intermediate)
- Malicious reprogramming – This involves installing malicious firmware on the remote controls in order to obtain full control of the devices. (Hard)
Based on their tests, Trend Micro highlighted three vulnerability patterns they discovered: no rolling code, weak or no data encryption, and a lack of software protection. They also looked at how difficult it would be to create and deploy patches to correct these vulnerabilities.
- Rolling codes are commonly used in keyless entry systems like garage door openers and car key remotes. They send a different code each time to prevent replay attacks, as opposed to fixed codes that send the same code each time for a specific command. The patch for this is very easy to create but difficult to deploy because of the sheer number of units currently in use.
- On the remotes tested by Trend Micro there was weak or no encryption used to transmit the data packets containing the command codes. This made it extremely easy for the team to capture and copy the codes needed to control the cranes. The patch for this is also easy but difficult to deploy because firmware solutions might not work if the hardware doesn’t support encryption.
- The research team also discovered that the software used to upload firmware to the transmitters and receivers doesn’t prevent them from being reprogrammed by an unauthorized individual. For this one, the patch was judged very easy to create and easy to deploy, since it only requires the vendor to implement proper access control in their software.
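To make the first two vulnerability patterns concrete, here is an added example that is not part of the Trend Micro report or any vendor's firmware. It models a receiver in two forms: a fixed-code receiver, which accepts a recorded packet every time it is replayed, and a rolling-code receiver that binds each command to an increasing counter and a keyed MAC, so that a replayed packet and a modified packet are both rejected. The packet layout, the command values, the use of HMAC-SHA256 as the integrity check, the pairing key and the resynchronisation window are all assumptions made for this illustration, not details of any real crane protocol.

```python
"""
Added example (not from the Trend Micro report or any vendor's firmware):
a toy model contrasting a fixed-code receiver with a rolling-code receiver
that uses a counter plus a keyed MAC. Packet format, command codes, key
and window size are constructed for this demo only.
"""
import hashlib
import hmac
import struct

# Constructed command codes; real controllers use proprietary encodings.
CMD_HOIST_UP = 0x01
CMD_HOIST_DOWN = 0x02
CMD_ESTOP = 0xFF

TAG_LEN = 16  # truncated HMAC-SHA256 tag (assumption for the demo)


class FixedCodeReceiver:
    """The pattern the report describes: the same bytes always mean the same
    command, so a recorded packet is accepted on every replay."""

    def __init__(self):
        self.executed = []

    def handle(self, packet: bytes) -> bool:
        self.executed.append(packet[0])
        return True


class RollingCodeTransmitter:
    """Paired transmitter: increments a counter per packet and MACs
    (command, counter) with the shared pairing key."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def build(self, cmd: int) -> bytes:
        self.counter += 1
        header = struct.pack(">BI", cmd, self.counter)
        tag = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        return header + tag


class RollingCodeReceiver:
    """Accepts a packet only if the MAC verifies under the pairing key and the
    counter is ahead of the last accepted value, within a small window that
    tolerates packets lost while the remote was out of range."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = 0  # must be persisted across power cycles in practice
        self.executed = []

    def handle(self, packet: bytes) -> bool:
        if len(packet) != 5 + TAG_LEN:
            return False
        header, tag = packet[:5], packet[5:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare: a modified command or a forged tag fails here.
        if not hmac.compare_digest(tag, expected):
            return False
        cmd, counter = struct.unpack(">BI", header)
        # Replayed packets carry an old counter and are dropped here.
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return False
        self.last_counter = counter
        self.executed.append(cmd)
        return True


def fixed_code_demo():
    """Replaying one recorded packet against a fixed-code receiver."""
    rx = FixedCodeReceiver()
    recorded = bytes([CMD_HOIST_UP])
    results = [rx.handle(recorded), rx.handle(recorded)]
    return results, rx.executed


def rolling_code_demo():
    """Same replay, plus a modified packet, against a rolling-code receiver."""
    key = b"\x00" * 16  # placeholder pairing key, demo only
    tx = RollingCodeTransmitter(key)
    rx = RollingCodeReceiver(key)
    p1 = tx.build(CMD_HOIST_UP)
    first = rx.handle(p1)
    replayed = rx.handle(p1)              # identical bytes: counter not advanced
    tampered = bytearray(p1)
    tampered[0] = CMD_ESTOP               # change the command, keep the old tag
    modified = rx.handle(bytes(tampered))  # MAC no longer matches
    second = rx.handle(tx.build(CMD_HOIST_DOWN))
    return [first, replayed, modified, second], rx.executed


if __name__ == "__main__":
    print("fixed code:  ", fixed_code_demo())
    print("rolling code:", rolling_code_demo())
```

Two design points matter for a real deployment. The receiver has to store the last accepted counter in non-volatile memory, otherwise a power cycle reopens the replay window; and the resynchronisation window has to be bounded, since an unbounded window would again accept any captured packet with a high enough counter. The MAC check is what addresses the command injection pattern from the list above: once the command bytes are bound to the key, editing a captured packet produces a tag mismatch rather than a different machine action.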
Trend Micro worked with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to reach out to all of the vendors included in their testing to alert them of the vulnerabilities in their devices and get them patched.
Obviously, security hasn’t been a major area of concern up to this point. Now that it has been brought to light, we should start seeing more secure systems in the future. Part of the problem is that each manufacturer uses their own proprietary RF protocols instead of a standardized system as we see in wireless technologies.
If your company owns or operates any machinery using RF remote controls, you should reach out to the manufacturer to determine what fixes or workarounds are available and get them installed as soon as possible. While no malicious hacking of construction cranes has been reported, the amount of damage to people and property that could be carried out is scary to think about.