Cranes Behaving Badly: Hackers Can Easily Take Control of Construction Cranes
So, how easy was it for Trend Micro’s research team to hijack the RF signals and take control of the cranes? According to the report, “Our findings show that current industrial remote controllers are less secure than garage door openers.”
The skill level needed to hack the cranes is minimal and the equipment required is inexpensive and easily attainable. The types of attacks they tested were done using laptops, a software-defined radio (SDR), and other RF equipment that can be purchased for less than $500 in some cases. The team was able to set up their equipment and carry out the attacks in a matter of minutes.
To carry out the attacks, the Trend Micro team had to reverse engineer the RF protocols, copy the control commands transmitted in data packets, and then replay them on their own transmitters to take control of the cranes.
The research team conducted tests on 14 devices manufactured by seven vendors. Some of the tests were performed in a lab and others were conducted, with permission, on active construction sites. The five tests conducted (and their level of difficulty) included:
Based on their tests, Trend Micro highlighted three vulnerability patterns they discovered: no rolling code, weak or no data encryption, and a lack of software protection. They also looked at how difficult it would be to create and deploy patches to correct these vulnerabilities.
Trend Micro worked with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to reach out to all of the vendors included in their testing to alert them of the vulnerabilities in their devices and get them patched.
Obviously, security hasn’t been a major area of concern up to this point. Now that it has been brought to light, we should start seeing more secure systems in the future. Part of the problem is that each manufacturer uses their own proprietary RF protocols instead of a standardized system as we see in wireless technologies.
If your company owns or operates any machinery using RF remote controls you should reach out the manufacturer to determine what fixes or workarounds are available and get them installed as soon as possible. While no reports of malicious hacking of construction cranes have been reported, the amount of damage to people and property that could be carried out is scary to think about.
Back To News