How Hackers Could Manipulate The ‘Smart’ Wrenches Used To Build New Cars | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker
Modern auto factories rely on strict process controls to ensure that cars are built right. Any mistakes on the production line could require expensive rework to rectify, or lead to quality issues for customers which can lead to recalls and a damaged reputation. Smart tools are key to maintaining quality, allowing companies to ensure they’re not shipping cars with loose fasteners. However, these smart tools can be vulnerable to hackers, new research has revealed.
The news comes from Nozomi Networks, a cybersecurity company that investigates a wide variety of industrial equipment for vulnerabilities. As described in a report titled “Vulnerabilities on Bosch Rexroth Nutrunners May Be Abused to Stop Production Lines, Tamper with Safety-Critical Tightenings,” Nazomi Networks researchers were able to uncover a number of vulnerabilities in the Bosch Rexroth NXA015S-36V-B. If you’re not familiar with this tool, Nozomi Networks describes it as “a popular smart nutrunner (pneumatic torque wrench) used in automotive production lines.” So, basically it’s a tool for tightening fasteners to specific torques to make sure parts are held together properly (it’s worth noting that the photos in the report show a battery-powered wrench, though the wrench in question is indeed a “pneumatic torque wrench,” per Bosch itself. More on Bosch’s response in a moment).
The “smart” aspect of the tool comes from the fact that it is network connected via WiFi, enabling it to log the torque and total tightening angle it applies to each fastener to a server for quality assurance purposes. It’s that network connectivity that poses a risk to the tool, and the factories that depend on it, according to Nozomi Networks.
The dangers of a hacked nutrunner could be numerous, with Nozomi Networks mentioning that a production line could theoretically be shut down and that fasteners could be over- or under-tightened while correct torques are reported quality logs. From Nozomi Networks:
We demonstrate that these vulnerabilities could make it possible to implant ransomware on the device, which could be used to cause production line stoppages and potentially large-scale financial losses to asset owners. Another exploitation would allow the threat actor to hijack tightening programs while manipulating the onboard display, causing undetectable damage to the product being assembled or making it unsafe to use. Given that the NXA015S-36V-B is certified for safety-critical tasks, an attacker could compromise the safety of the assembled product by inducing suboptimal tightening, or cause damage to it due to excessive tightening.
In other words, a hacked tool could lead to products built with parts that fall off, or bolts that shear in service from being over-torqued, and that’s obviously not good.
The Bosch Rexroth NXA015S-36V-B. The cordless nutrunner communicates over WiFi to log fastener torque for quality purposes.
Such tools are used in all kinds of factories where fastener torques are critical. By measuring torque and the total angle the fastener is turned, the device can ensure the fastener is torqued to spec and that any necessary washers are present.
Nozomi Networks has already notified Bosch Rexroth of the issue, and Bosch Rexroth has “committed to releasing patches by the end of January 2024.” As the patch is not yet available, the company has not revealed specific technical details of how the nutrunners are vulnerable. However, its report includes a list of 25 vulnerabilities in the NEXO-OS operating system used on the tools, and even outlines “mitigations that asset owners can implement to safeguard against cyberattacks.”
The researchers were able to demonstrate the weakness of the tools by installing a proof-of-concept ransomware, which displays a notice on the screen of the tools. In theory, this could be used to hold a production-line to ransom until a sum was paid to hackers, with Nozomi Networks noting a rather grim potential scenario:
A group of malicious hackers might render an assembly line unusable if you don’t pay a fortune in crypto currency to the threat group. A resulting ransom demand may be millions of dollars, before considering the remediation and response costs.
Given that even a short shutdown to a production line can quickly run into the tens or hundreds of thousands of dollars, it’s easy to imagine a business contemplating paying such a sum—no matter how much conventional wisdom might recommend against it.
Nozomi Networks discusses what it found in testing, writing:
Within our lab environment, we successfully reconstructed the following two scenarios:
Ransomware: we were able to make the device completely inoperable by preventing a local operator from controlling the drill through the onboard display and disabling the trigger button. Furthermore, we could alter the graphical user interface (GUI) to display an arbitrary message on the screen, requesting the payment of a ransom. Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner.
Researchers ran a proof-of-concept ransomware attack on the tools. Credit: Nozomi Networks
Manipulation of Control and View: we managed to stealthily alter the configuration of tightening programs, such as by increasing or decreasing the target torque value. At the same time, by patching in-memory the GUI on the onboard display, we could show a normal value to the operator, who would remain completely unaware of the change.
In what is termed a “manipulation of view” attack, the tool was commanded to tighten a fastener to 0.15 Nm, while displaying just 0.05 Nm. Credit: Nozomi Networks
Speaking to The Autopian, Bosch Rexroth confirmed that the company is aware of the matter and is developing a solution. The company has also posted a threat advisory to customers on its Product Security website. Per a Bosch spokesperson, who began by making it clear that “security is a top priority” at the company:
Nozomi Networks informed us some weeks ago that they have found that there is a vulnerability associated with the Bosch Rexroth NXA015S-36V-B, a smart nutrunner/pneumatic torque wrench. Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem. This patch will be released at the end of January 2024.
Since January 8, 2024, customers can find a “Security Advisory” on the Bosch Rexroth homepage in the area “Product Security” https://www.boschrexroth.com/en/dc/product-security/security-advisories/ or on https://psirt.bosch.com/security-advisories/bosch-sa-711465.html
The relevant Bosch Rexroth product Bosch Rexroth NXA015S-36V-B has been used by Bosch Rexroth customers for many years, so far there have been no cases of data loss. As our customers have the expertise to evaluate the very limited risk of this situation, we have have had only limited customer questions. It is strongly recommended to operate the Nexo cordless nutrunner in protected network segments.
Most of the vulnerabilities are a little arcane, but some are simple and seemingly embarrassing. One vulnerability (CVE-2023-48250) involves the use of hard-coded credentials baked into the tools. As I understand it, it’s kind of like if your Wi-Fi router at home had a secret account that you couldn’t change the password for, and so any attacker that knew about it could get into your network. Armed with this entry point, an attacker could combine that with another vulnerability, known as CVE-2023-48243. This allows the hacker to upload arbitrary files to different parts of the tool’s storage via a simple method. Using this, the hacker could run their own code on the device, such as to modify torque settings or lock out the tool and display a ransomware message.
Given the level of vulnerability, Nozomi Networks advises users to restrict any means by which a hacker might reach the network the tools are operating on in order to prevent attacks. According to Bosch’s rating on the Common Vulnerability Scoring System V3.1, the vulnerabilities were rated as Medium and High, the latter being one level below the highest rating of Critical.
At the time of writing, a Bosch spokesperson indicated they were unable to state the number of automakers that currently use the specific tool in question. The Autopian will update this article if such numbers become available.
It may be that no major automaker uses the specific Bosch Rexroth tool that was subject to this vulnerability. However, a vast number of automakers and other manufacturers use tools similar to these, both from Bosch and other tool companies. We often think of our desktop and laptop computers as the main devices at risk to hackers, and, I guess, increasingly our cars’ infotainment systems. In reality, anything on a network is a target. This incident highlights that even individual hand tools must be carefully designed from a cybersecurity perspective, especially when it comes to safety-critical applications. In the automotive world, much like aerospace and maritime applications, a loose fastener can put lives on the line.
Having a connected tool is great to ensure that vehicles are well built, but the industry must work to prevent that connection creating risk. Preventative measures do exist, as Bosch notes, such as only using such tools on protected and separated network segments. The tools can be secured further in future, to be sure, but they should also be protected from the outside world as much as possible. This research will remind many working in infrastructure cybersecurity — and also executives — just how much could be at risk.
