Thomas Brewster* says cybersecurity researchers have demonstrated how easy it is to hack into and take control of giant construction cranes.
Federico Maggi will never forget the first time he saw a crane being hacked.
Last March, he was on a strange kind of road trip.
Travelling the Lombardy region of Italy with his colleague Marco Balduzzi, the pair hoped to convince construction site managers, whom they had never met or spoken with before, to let them have a crack at taking control of cranes with their hacking tools.
Surprise, surprise: They weren’t having much luck.
But one such manager, Matteo, was game.
Armed with laptops, scripts for running their hacks and some radio hardware to beam out the exploit code, Maggi and Balduzzi got to work.
Matteo was asked to turn off his transmitter, the only one onsite capable of controlling the crane, and put the vehicle into a “stop” state.
The hackers ran their script.
Seconds later, a harsh beeping announced the crane was about to move.
And then it did, shifting from side to side.
Looking up at the mechanism below a wide blue sky, Matteo was at first confused.
“I remember him looking up and asking, ‘Who is doing that?’ Then he realised the test was successful,” Maggi recalls.
Matteo’s crane was just the start.
Over the coming days and weeks, the researchers, who ply their trade at Japanese cybersecurity giant Trend Micro, became professional “crane spotters.”
Able to detect potentially vulnerable machines on site, they embarked on an unprecedented hacking trip.
They cajoled their way into 14 locations where they were allowed to hack into devices that not only controlled cranes but excavators, scrapers and other large machinery.
In every case, their pre-prepared attack code worked.
It soon became obvious: Cranes were hopelessly vulnerable.
And, unless the manufacturers behind the tools could be convinced to secure their kit, the potential for catastrophic damage was very real.
The consequences ranged “from theft and extortion to sabotage and injury,” the researchers wrote in a paper handed to Forbes.
The attacks are simple, cheap and open to any person willing to risk launching them, warns Mark Nunnikhoven, VP for cloud security at Trend Micro.
“Anyone in range can manipulate these devices,” he said.
Attack of the cranes
In layman’s terms, Maggi and Balduzzi were doing something akin to cloning the transmitter typically used by site managers like Matteo.
But it’s a little more complex than that.
The vulnerabilities uncovered by Trend Micro’s team lay not in the vehicles themselves but in the communications between the controllers and the cranes.
The benevolent hackers had to reverse engineer those communications coming from the radio frequency (RF) controller.
They then had to find ways of copying commands.
They discovered that the data packets containing commands were often transported over the airwaves with little to no security.
Even where commands were encoded or encrypted, that did not stop the hackers from replicating them using a software-defined radio.
“In comparison, consumer-level remote controllers for car or door locks tend to be more secure,” the researchers wrote.
Initial testing was carried out on a toy crane in the office.
In a test of the potential for damage in the real world, a teddy bear was swiped off its stool by the miniature arm.
They then moved on to Matteo and real building sites.
Maggi could either rely on his ability to spot a vulnerable crane controller and quickly launch attacks or “sniff” the traffic passing over various radio frequencies.
In a couple of hours, it was possible to determine what devices were in use and whether they could be manipulated.
Five different kinds of attack were tested.
A replay attack sees the attackers simply record commands and send them again when they want.
Command injection sees the hacker intercept and modify a command.
E-stop abuse brings about an emergency stop, while malicious re-pairing sees a cloned controller take over the functions of the legitimate one.
And malicious reprogramming places a permanent vulnerability at the heart of the controller so it can always be manipulated.
So straightforward were the first four types of attack, they could be carried out within minutes on a construction site.
The hackers only required PCs, the (free) code and RF equipment costing anywhere between $100 and $500.
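The replay attack works because a command packet carries nothing that ties it to a single moment, so a receiver that merely parses the packet will execute it again whenever it is re-sent. The following simulation, added here as an illustration and not code from Trend Micro or any crane vendor, contrasts a receiver of that kind with one that checks a keyed MAC and a strictly increasing counter; the packet layout, key and command codes are constructed for the demo.

```python
import hmac, hashlib, struct

# Constructed demo link, not any vendor's real protocol.
# Assumed packet layout: 4-byte big-endian counter || 1-byte command || 16-byte HMAC-SHA256 tag.
KEY = b"constructed-demo-pairing-key"  # placeholder: shared when controller and receiver pair
CMD_STOP, CMD_SLEW_LEFT = 0x00, 0x01

def build_packet(counter, cmd, key=KEY):
    body = struct.pack(">IB", counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag

class NaiveReceiver:
    """Executes any well-formed packet: no authentication, no freshness check."""
    def __init__(self):
        self.executed = []
    def handle(self, pkt):
        if len(pkt) < 5:
            return False
        self.executed.append(pkt[4])
        return True

class HardenedReceiver:
    """Rejects forged packets (bad tag) and re-sent packets (counter not increasing)."""
    def __init__(self, key=KEY):
        self.key, self.last_counter, self.executed = key, -1, []
    def handle(self, pkt):
        if len(pkt) != 21:
            return False
        body, tag = pkt[:5], pkt[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):   # constant-time tag comparison
            return False
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter:              # already seen: refuse to execute again
            return False
        self.last_counter = counter
        self.executed.append(cmd)
        return True

def demo():
    """Feed the same captured packet twice to each receiver and report what was accepted."""
    captured = build_packet(7, CMD_SLEW_LEFT)
    naive, hard, r = NaiveReceiver(), HardenedReceiver(), {}
    r["naive_first"], r["naive_again"] = naive.handle(captured), naive.handle(captured)
    r["hard_first"], r["hard_again"] = hard.handle(captured), hard.handle(captured)
    r["hard_tampered"] = hard.handle(captured[:4] + bytes([CMD_STOP]) + captured[5:])
    r["hard_next"] = hard.handle(build_packet(8, CMD_STOP))
    return r
```

A real receiver would also have to keep the counter across power cycles and tolerate a bounded window of lost packets; the point here is only that freshness plus authentication, not encoding alone, is what stops a recorded command from being accepted a second time.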
Raise your crane game
Attacks by hackers with real malicious motivations could lead to injury or worse.
There’s also the risk of theft of expensive vehicles or serious financial damage for construction companies.
Imagine cybercriminals had commandeered a fleet of cranes and demanded a ransom to release them.
Those lost days, not to mention the payment, could lead to major losses.
The industry is now being urged to build more robust systems.
Amongst the seven vendors whose kit was exploited by Trend’s researchers were Saga, Circuit Design, Juuko, Autec, Hetronic, Elca and Telecrane.
Not one had responded to requests for comment at the time of publication.
But fixes have been rolling out over the last year.
US-government-funded Computer Emergency Response Teams worked with Trend to alert manufacturers and roll out either patches or workarounds.
For some of the vendors, the very idea of patching systems was new.
“Some vendors have released … the very first update they’ve released in their lives,” said Maggi.
There remain, however, some flaws left open.
To truly fix the problem across the industry, it would be wise to move away from the esoteric custom protocols currently in use, says Nunnikhoven.
Instead, modern, standardised tech would leave it more open to research and, therefore, fixes, Nunnikhoven added.
For now, the next time you see a crane swinging around your city or town, you’ll have to wonder: Who’s in control?
* Thomas Brewster covers security and privacy for Forbes.
This article first appeared at www.forbes.com/.