IoT Flaw Allows Hijacking of Connected Construction Cranes

An attacker can send spoofed commands to the crane’s controller.

A connected construction crane, from Telecrane, has a vulnerability that would allow cyberattackers to intercept its communications and take the equipment over.

The internet of things (IoT) continues to add new types of objects to its footprint, as industries start leveraging connectivity to increase productivity, accuracy and operational optimization. In Telecrane’s the case, the F25 Series uses an internet connection to help the operator guide the crane’s movements. 

A poster of a comment at Bruce Schneier’s IoT security site explained the need for the connectivity: “It’s not uncommon for the crane to not have line-of-sight view to the ‘landing spot’ and a remote controller to be there guiding the load down,” he wrote. “Bluetooth won’t work. You might be able to set up a local network but, given that there might be a big building in the way, that probably won’t work either. So the next option is to use a 3G or 4G phone connection to the web from the controller to the crane. A wired connection would be difficult as well.”

The need for connectivity may be there, but IoT expansion is keeping the security community busy as the attack surface widens. In technical terms, Telecrane flaw (CVE-2018-17935) is an “authentication bypass by capture-replay” in the transmission mechanism between the two pieces of hardware that allow the crane to talk to the controller in the operator’s cockpit.

“These devices use fixed codes that are reproducible by sniffing and re-transmission,” US-CERT said in an advisory last week. “Successful exploitation of this vulnerability could allow unauthorized users to view commands, replay commands, control the device or stop the device from running.”

Essentially, an adversary can use these hard-coded authentication messages to become a man-in-the-middle (MiTM) in the communications between the crane and the controller. From there, he or she could spoof commands in order to hijack the crane.

The issue has been assigned a “serious” CVSS v3 score of 7.6, and US-CERT characterizes it as requiring a low skill level to exploit. Telecrane has fixed the problem in its latest firmware, version 00.0A, which construction companies can obtain via their product distributors.

In general, companies should minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet; use firewalls; and, if remote access is required, use VPNs to help protect the communications channel from prying eyes.

US-CERT said that no known public exploits specifically target the vulnerability.


Suggested articles