Look to the sky: How hackers could control cranes by abusing radio frequencies
Vulnerabilities in radio frequency protocols used by remote controllers could allow hackers to move cranes and other big machinery at construction sites and factories, security researchers said Tuesday, raising awareness of potential safety issues in widely-used technology.
A research team at cybersecurity company Trend Micro examined remote controllers made by seven vendors and found that all of them were susceptible to “replay attacks,” in which an attacker transmits a recorded radio frequency (RF), tricking the machinery into responding to commands. In other words, the researchers said, the remote control you use to open your garage is probably more secure than many controllers used to move industrial equipment.
The main problem, Trend Micro said in a paper published Tuesday, is that instead of relying on standard wireless technologies, the industrial remote controllers depend on proprietary RF protocols that are decades old and “are primarily focused on safety at the expense of security.”
One of the more basic attack scenarios involved using a software-defined radio to record RF packets and then replaying them to manipulate the remote control, all from a few hundred yards of a target. The researchers performed some attacks with ease. In one case, they switched on a machine after an operator issued an emergency command to stop the machine.
“Human safety needs to go beyond an [emergency] stop button” on the controller, Jonathan Andersson, a Trend Micro researcher, told CyberScoop. “It’s not just the physical part of [these systems], there’s the digital part of it, which is becoming more and more relevant.”
The hack can be done relatively cheaply: a few hundred dollars for a device capable of a replay attack or emergency-stop abuse, and a few thousand for equipment to perform the more difficult task of maliciously reprogramming controllers.
The researchers got creative. One member of the team, Stephen Hilt, set up shop at a dog park across a freeway from a steel manufacturer in Tennessee. He pulled out an antenna and was able to pick up the RF of a crane used by the manufacturer. That was a proof-of-concept rather than an attack, but it showed how easy it was to access the RF data.
None of the attacks have been seen in the wild, but the researchers took the opportunity to educate vendors, some of which they described as obstinate.
“A lot of these vendors have never even thought about security,” Hilt told CyberScoop. “So we had to walk them through how a replay attack works, or a command injection works.”
After some cajoling, the vendors came around to understanding the risk and trying to mitigating it, Hilt and Andersson said. In one case, the researchers helped a vendor set up a process for patching vulnerabilities.
Hilt and Andersson used the S4 Conference, the annual gathering of industrial cybersecurity professionals in Miami, to bring their research to life.
At a presentation Tuesday, Hilt showed how he could use a watch created by researcher Travis Goodspeed – which had been stripped of its circuit board, replaced with a custom-built board, and then given additional firmware – to move a miniature crane on stage. The demo drew applause and some wonderment from the crowd.
“If you are a crane operator and have these devices, talk to your vendors and get them patched,” Hilt told the audience.