What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection

Builders warned over Telecrane remote control radio vuln

People working with a crane

US-CERT is advising some customers of Telecrane construction cranes to patch their control systems – following the disclosure of a security bug that could allow a nearby attacker to wirelessly hijack the equipment.

The government security body this week issued an alert on CVE-2018-17935, a vulnerability in the Telecrane F25 series of controllers, which allows construction crews to remotely operate building cranes from the ground.

The F25 software was found to contain a capture replay vulnerability – basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane.

A 3D Robotics (3DR) Solo drone with a gimbal-mounted Gopro camera. Crown copyright/AAIB

Drone crashes after operator failed to spot extra building site crane

READ MORE

"These devices use fixed codes that are reproducible by sniffing and re-transmission," US-CERT explained.

"This can lead to unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent 'stop' state."

It's a bad enough flaw on its own, but what would be a moderate risk becomes a bit more scary when it involves massive construction equipment at a time when we know state-sponsored hacking groups are looking for ways to cause extensive real-world damage by manipulating industrial equipment.

Researchers Jonathan Andersson, Philippe Lin, Akira Urano, Marco Balduzzi, Federico Maggi, Stephen Hilt, and Rainer Vosseler were credited with discovering and reporting the flaw via Trend Micro's Zero Day Initiative.

Telecrane did not respond to a request for comment on the matter. ®




Biting the hand that feeds IT © 1998–2018