Security Vulnerability in Internet-Connected Construction Cranes

This seems bad:

The F25 software was found to contain a capture replay vulnerability -- basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane.

"These devices use fixed codes that are reproducible by sniffing and re-transmission," US-CERT explained.

"This can lead to unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent 'stop' state."

Here's the CERT advisory.

Posted on October 29, 2018 at 6:18 AM • 23 Comments

Comments

kjerpfoekd • October 29, 2018 6:31 AM

I don't know how doable this is, but maybe a wired connection should be mandated by law between a human operator and this kind of machinery? Even commands sent over TLS or something of the sort seem too insecure for that kind of use.

Doug • October 29, 2018 6:54 AM

Why internet? It's not uncommon for the crane to not have a line of sight view to the 'landing spot' and a remote controller to be there guiding the load down. Bluetooth won't work. You might be able to set up a local network but, given that there might be a big building in the way, that probably won't work either. So the next option is to use a 3G or 4G phone connection to the web from the controller to the crane. A wired connection would be difficult as well.

Petre Peter • October 29, 2018 7:18 AM

Computer security is turning into everything security. Hopefully, it won't take them months to patch.

Juhani • October 29, 2018 7:29 AM

Maybe we should emphasize more independent measurements and flexibility.
Perhaps we should engineer systems to be flexible and manageable instead of rigid and brittle; trust our systems, but verify using independent, out of band methods.
Stuxnet would have been inefficient if, as a part of system design, technicians could measure the centrifuge rotational speed; that method could be a drop of paint and a blinking light source. I know one case when a military officer on watch on a modern warship used celestial navigation and it was more precise than the ship's navigation system, GPS etc.
I do not think that encryption/signing is sufficient; it is false security, because the Stuxnet centrifuges were connected with physical cables.

In case of industrial cranes I would assume that modern image recognition can give sufficiently reliable coordinates to validate measurements and commands.

Frank • October 29, 2018 7:36 AM

Is any of this secure? Internet-connected construction equipment, farm equipment, traffic lights, wastewater management, etc. Probably not. We are headed for a disaster. And it's probably not hackers who will be the cause. The next major war will have substantial cyber attacks against civilian targets. It's inevitable.


wiredog • October 29, 2018 8:04 AM

There's nothing in the article indicating that the cranes are network connected, much less internet connected. It's a radio connection, like a quadcopter or rc car model. Presumably so that someone on the ground can guide a load to its landing spot when the operator of the crane can't see that spot. So you'd need a compatible radio with line of sight (probably) to the crane to send the commands. More likely you'd just jam the signals.

Me • October 29, 2018 9:05 AM

Isn't this trivially prevented by attaching a timestamp to the signed data?

I made an (admittedly poor) system to ensure that the data coming to my program from a source was authentic by signing it, and including a timestamp in the signature. The program kept track of the last timestamp it used, and wouldn't trust anything older than that, thus preventing replay attacks on anything that had newer data.

Admittedly, it may have been better to not use a company wide wiki for storage of the data, but, overall, the data was pretty unimportant, and I did at least ensure that it was just data of the expected format (a specific JSON).

JonKnowsNothing • October 29, 2018 9:23 AM

A long while back there was a documentary about the background workings of the palaces in the UK. One of the scenes was of a ginormous chandelier with thousands of crystal pieces. Very impressive to be sure.

In order to clean the thing it had to be lowered from the ceiling. In olden times this was done with a rope that attached to the top of the fixture and anchored on a wall. This allowed not only the cleaning but lighting of the candles. This same rope provided the much needed getaway path in Errol Flynn's swashbuckler films.

Well they don't have candles lighting the thing anymore and it's raised and lowered by an industrial robot with an industrial remote hand-held controller.

I can imagine what fun it will be when during some state dinner the huge ensemble begins to yo-yo up and down.

Jeremy • October 29, 2018 9:36 AM

@wiredog - According to the system's user manual, you're correct that it's a (UHF) radio link. So it's not correct for this item to refer to 'internet-connected' cranes, because they're not.

Interestingly, the security advisory contains two sets of mitigation information:

Telecrane recommends upgrading to the latest firmware. Firmware version 00.0A resolves this vulnerability and can be obtained through the product distributor.


NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

I imagine the NCCIC recommendations - which are irrelevant to this case - are boilerplate text.

Which doesn't really inspire a lot of confidence in the NCCIC advisory system.

Tatütata • October 29, 2018 9:39 AM

There is a URL to the user manual, and it is very clear that this device isn't connected to the Internet.

But it's probably worse: the thing works on the 433MHz ISM band, which is shared with garage door openers and walkie-talkies and baby monitors and home weather stations. And also with radio amateurs, who can legitimately transmit at a much higher power than the milliwatts conceded to unlicensed users.

One could therefore imagine a delicate manoeuvre being initiated, with the stop signal being obliterated by interference.

Railway shunting remote-controls apparently put up with that risk more than one might be comfortable with. Imagine a shunter pulling a few loaded tank cars. Or a helper engine pushing a heavy convoy up the grade. How long can you afford to wait before "big-holing", i.e., applying emergency brakes, after a signal dropout? Or avoid mutual garbling and message confusion in a busy rail yard? But the railways are probably further up the learning curve than these dilettantes, and have their own frequency allocations.

Why does a user manual provide a general skeleton of the control packet, and details on the error coding that will be lost on Joe-Six-Pack? That doesn't really belong there.

Vulture Central inserted some random picture of a large caliber lifting hook in its story, but I very much doubt that you would install this cr*p on your 500 ton Liebherr crane... My guess is that this thing is destined for construction cranes.

On the plus side: this device might permit crane mishaps to displace cats and Russian traffic accidents as top youtube categories.

Clive Robinson • October 29, 2018 10:55 AM

@ Frank, All,

The next major war will have substantial cyber attacks against civilian targets. It's inevitable.

Attacking civilian populations used to be considered a "high crime" around 150 years ago. However a little over a hundred years ago things changed with WWI seeing bombing from aerial vehicles and shelling from very long range guns supposedly at "military targets" like ports etc. However poor accuracy meant that there was a wide spread of fall, thus not only were civilians hit, vastly increased levels of munitions were used that compounded the "collateral damage" or plain simple "murder" which it actually is.

The Russian and Spanish Civil wars saw a significant amount of very deliberate targeting of civilians and it was this "State against civilians" that was the original definition of "terrorism". This caused push back in various ways with what were regarded as "assassinations" by those elites who had thought themselves immune to being attacked.

As in WWI, WWII initially saw significant indiscriminate aerial bombardment of civilians for "terroristic purposes". Towns and cities became "legitimate targets" culminating in the two nuclear bombs dropped on Japan as the ultimate terroristic activity.

From the 1950s onwards the doctrine of war practiced by the US military was to attack civilian populations on any pretext. This gave rise to the US Commander in the field demanding nukes in the Korean Peninsula war. Politicians vetoed the idea for various reasons of self interest. Thus the US doctrine of war turned to attacking the food supplies of civilians with what can also be considered persistent effect chemical weapons, some of which were effectively early nerve agents.

Since then most wars have involved the use of civilians in one way or another as either targets or shields. It has got to the point that war is "total" with semantics trying to cover the real intent to basically blast another nation back to the stone age, not just as punishing allegedly belligerent nations, but as "standard foreign policy" to keep other nations "toeing the line". The way to "Keep the US off your grass" as India, Pakistan and North Korea have demonstrated is to not just develop your own nuclear capability but the required delivery systems, all the more so if your nation has resources various US individuals covet...

China likewise invades countries with mineral resources, only they have realised long term using armed forces is counter productive, thus they tend to use "technology investment" that is fairly uniquely tied to China.

Russia currently uses a mixture of measures including "turning off the gas tap".

None of the three Super Powers care about differentiating civilians, as far as they are all concerned civilians are just a minor impediment to their aims and objectives, and whilst there is pretence for the TV cameras and journalists, "to appease the folks back home", make no mistake civilians are targets by all sides these days.

As for other smaller nations it's fairly obvious that they likewise regard civilians on all sides including their own as enemies and respond accordingly, regardless of if a state of war exists or not.

Tatütata • October 29, 2018 11:48 AM

Clive,

I agree.

However: What do you make of that great slaughterfest-for-everyone that were the Wars of Religion, among which was the English Civil war, with interminable sequels, prequels, and instalments? These were at least two centuries earlier.

The 30 year war in Germany is still particularly remembered for its barbarity against/between civilians, and so are the wars of religion in France. Let's not discount the Napoleonic wars either.

You could go back even earlier, with the European colonial subjugation of "inferior" peoples which began in earnest in the 16th Century. Shan't we call this "war"?

albert • October 29, 2018 11:49 AM

This device is intended to be installed on existing cranes. Hopefully, the receiver will be installed by a qualified electrician.

Remote crane control is a big deal nowadays, not only on construction cranes, but on indoor cranes of all sizes. So it's not going away. Short of full message encryption, I can't see any simple fixes.

At least it's not Internet-connected..

. .. . .. --- ....

wiredog • October 29, 2018 12:32 PM

@Tatütata
Joe six-pack probably isn't the intended reader of the user manual. Technical people are. A programmer rolling a custom solution for the controller, in an industrial automation context, would probably start at the user manual.

Clive Robinson • October 29, 2018 4:41 PM

@ Tatütata,

What do you make of that great slaughterfest-for-everyone that were the...

It was these preceding blood baths that convinced even the elite that attacking civilians was a "high crime" that affected them personally. Thus it was self interest that gave rise to the treaties.

As an example, if it is known that your army never ever has a "Take no prisoners" stance, then on average their enemies are more likely to in effect commit a form of mutiny by surrendering. This means less bloodshed and shorter wars. It also makes a potential enemy attack a lot less likely, as commanders will realise their troops will walk away or even kill them out of the troops' own self interest. It's part of the Defence Doctrine that the UK once used to follow and it stood it in good stead. Likewise treating civilians fairly and switching rapidly from fighting to policing mode stands you in good stead, and helps you not be seen as an invading force. It's important to note that one of the major reasons the aftermath of the Iraq invasion went horribly wrong was US troops had not been taught how to police a civilian population. If you treat people as your enemy then that is what they become; history has shown this so many times it should be the first and most foremost rule taught to soldiers.

Why it took time for attacking civilians to become a high crime is due to the simple rule of thumb: laws are only passed when it is clear there is a need for a law, and existing law does not cover it. It's the same with treaties as I said the other day, they are as a general rule of thumb signed out of self interest. Thus breaking them or exiting from them can be viewed as a clear case of "self harm" by a nation's leaders, usually against their own citizens.

That is not to say there are not rare times when it is in the interest of a nation to pull out of a treaty or, more importantly, for all the treaty signers to agree to dissolve the treaty.

The US is withdrawing from the Intermediate range ballistic missile treaty. The official reason is "Russia is not playing by the rules". That may or may not be true, however it is in both the US and Russia's interest to dissolve the treaty even though it hurts their own respective self interest. It's because China is not a signatory, and has, whilst both Russia and the US have been constrained by the treaty, been building its own quite extensive IRBM arsenal.

Thus the MAD and similar calculus no longer applies.

Thunnderbird • October 29, 2018 5:06 PM

Remote crane control is a big deal nowadays, not only on construction cranes, but on indoor cranes of all sizes. So it's not going away. Short of full message encryption, I can't see any simple fixes.

This is only sufficient if you can show that the elimination of any set of commands from the command stream cannot cause a problem. Because since the commands are over the air, you have to assume someone can jam selected ones.

My initial idea was that it could be safe if each command was something like "move up one foot" or "swivel right one degree" or something like that. I don't think that actually works if you have a volume you don't want the load to enter, because you could jam the "raise the load" commands and leave the "swing the load" commands. Then I thought maybe the commands could be "move the load from A to B" but that fails in a similar way.

I think you need to include a mechanism to be sure no commands are eliminated too. Perhaps that was what you meant and I just over-simplified, but at any rate, it is not a simple problem.

Theo • October 30, 2018 1:07 PM

@Thunnderbird

[full message encryption] is only sufficient if you can show that the elimination of any set of commands from the command stream cannot cause a problem. Because since the commands are over the air, you have to assume someone can jam selected ones.

If the encryption and message protocol is done properly Eve can't selectively block commands because she can't identify the command in a packet.

Perhaps the best way is to send the entire [critical] command state in every message. On Loss of signal enter a fail safe state, which usually means stop everything, although that could be a problem if you're trying to move a ticking bomb to the bomb disposal unit.
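Putting Me's replay check and Theo's full-state-in-every-message plus fail-safe-on-silence idea together, here is an added example that is not from the original post or from any commenter. The frame layout, shared key, timeout, the strictly increasing sequence counter (used here in place of the wall-clock timestamp Me describes) and the `CraneReceiver` class are all my assumptions; the frames are authenticated, not encrypted, so this does not address Theo's point about hiding which command a packet carries.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real unit would provision a key per crane/controller pair.
KEY = b"constructed-demo-shared-secret"
STOP = {"hoist": 0, "slew": 0, "trolley": 0}   # every motion off = fail-safe state
TIMEOUT_S = 0.5                                 # max silence before falling back to STOP
HDR = struct.Struct(">Qbbb")                    # seq counter + three axes, each -1/0/+1
TAG_LEN = 8                                     # truncated HMAC-SHA256 tag

def _tag(payload):
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:TAG_LEN]

def encode_frame(seq, state):
    """Controller side: the complete command state, a fresh seq, and a MAC."""
    payload = HDR.pack(seq, state["hoist"], state["slew"], state["trolley"])
    return payload + _tag(payload)

class CraneReceiver:
    def __init__(self, clock):
        self.clock = clock        # injectable monotonic clock returning seconds
        self.last_seq = 0         # a real receiver must persist this across power cycles
        self.last_ok = None       # time of the last authentic frame
        self.state = dict(STOP)

    def accept(self, frame):
        if len(frame) != HDR.size + TAG_LEN:
            return "reject:length"
        payload, tag = frame[:HDR.size], frame[HDR.size:]
        if not hmac.compare_digest(tag, _tag(payload)):
            return "reject:mac"       # spoofed, bit-flipped or foreign frame
        seq, h, s, t = HDR.unpack(payload)
        if seq <= self.last_seq:
            return "reject:replay"    # a sniffed frame re-transmitted later
        if not all(v in (-1, 0, 1) for v in (h, s, t)):
            return "reject:range"
        self.last_seq, self.last_ok = seq, self.clock()
        self.state = {"hoist": h, "slew": s, "trolley": t}
        return "ok"

    def effective_state(self):
        """What the drives should do now: last authentic state, or STOP after silence."""
        if self.last_ok is None or self.clock() - self.last_ok > TIMEOUT_S:
            return dict(STOP)
        return dict(self.state)

def demo():
    now = [0.0]
    rx = CraneReceiver(lambda: now[0])
    up = encode_frame(1, {"hoist": 1, "slew": 0, "trolley": 0})
    out = {"first": rx.accept(up)}                        # "ok"
    out["replay"] = rx.accept(up)                         # "reject:replay"
    forged = bytearray(up)
    forged[HDR.size - 1] = 1                              # try to add trolley motion
    out["forged"] = rx.accept(bytes(forged))              # "reject:mac"
    now[0] = 0.2
    out["hoist_live"] = rx.effective_state()["hoist"]     # 1, frame still fresh
    # Frame 2 (the operator's STOP) is assumed jammed and never arrives.
    now[0] = 1.0
    out["hoist_silent"] = rx.effective_state()["hoist"]   # 0, fail-safe after silence
    out["after_gap"] = rx.accept(encode_frame(3, STOP))   # "ok": seq gap is fine
    return out
```

Because every frame carries the whole command state, a dropped frame costs nothing once the next one arrives, and the timeout covers the window in between.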

Clive Robinson • November 1, 2018 4:16 AM

@ vas pup,

Russian aircraft carrier Admiral Kuznetsov damaged by crane

All caused by a convenient power cut as the ship was leaving the floating dry dock. Whilst the ship appears OKish, apparently the floating dry dock is probably beyond recovery or repair...

In economic terms the floating dry dock was probably worth many many times what the near end of life aircraft carrier is worth.

Which points out yet again that good defence is often worth more than offensive capability.

Hopefully it is just an unfortunate accident, but... Some will no doubt say it sounds too convenient and that it would be quite effective "economic espionage" against Russia, with minimal collateral damage.

No doubt such thoughts will increase as the investigation proceeds, especially if what caused the unfortunately timed power cut was due to software, which it may probably be. Especially if the software is/was on or connected to unprotected networks or could be reached from the Internet...

People will note it would be a quite effective way to send Putin a message about keeping out of other people's power networks...

So worth keeping an eye on the story and keeping a packet of pop-corn handy ;-)

vas pup • November 2, 2018 9:44 AM

@Clive:
Yeah, the message was sent already (I guess) when, several years ago, a huge electric turbine in a Siberian power station went into uncontrolled overdrive mode and flew out of the station (several tons of metal) with big damage.
Regarding the aircraft carrier: the timing is interesting, close to a big NATO naval combined training operation in Norway. Just an observation.

Tatütata • November 2, 2018 10:47 AM

Why attribute to malice what can be explained by decaying soviet-era infrastructure, deferred maintenance, negligence, and sloppy management?

The Bratsk catastrophe was home grown, there is no mention of foul play in an account made in a western trade magazine:

The industrial watchdog’s chief, Nikolai Kutin, described the service’s responsibility in the disaster probe: “For our part, we study the technical causes of the accident that were in the making for a long time, and that is why you will find a relatively large number of names, both from the plant management and RusHydro, as well as senior officials who made decisions affecting the stability and security of the plant’s operation.”

And to engineer sabotage on a floating dry dock through a conveniently timed power failure requires in my opinion an extraordinary insight in the yard's operation, which seems to me very difficult to achieve from a distance.

The Russians are somewhat wont to conspiracy theories, so if there had been hints of third-party influence, I think one might have heard about them.

Nevertheless, I toured decades ago a large hydro plant, and noticed that the field generators and speed governors were essentially 1920s technology, and conjectured that the plant was vulnerable to an attack on them. When I returned there more recently, these elements had been replaced by large cabinets of power electronics, but as a member of the public, I couldn't get anywhere close to them. Hopefully they aren't connected to the internet with the controller typically accessible with credentials similar to userid=admin, password=secret, as an acquaintance of mine was lamenting about the small (sub-100kW-range) hydro plants he was involved in upgrading.

vas pup • November 2, 2018 12:45 PM

@Tatütata:
"Why attribute to malice what can be explained by decaying soviet-era infrastructure, deferred maintenance, negligence, and sloppy management?"
That is a statement I agree with, but malice (I do not have evidence) could utilize what is in your valid statement as well. Poor discipline of personnel could override "these elements had been replaced by large cabinets of power electronics, but as a member of the public, couldn't get anywhere close to them. Hopefully they aren't connected to the internet with the controller typically accessible with credentials similar to userid=admin, password=secret, as an acquaintance of mine was lamenting about the small (sub-100kW-range) hydro plants he was involved in upgrading." in a similar way to the Iranian centrifuges case.
I am talking from the point of view of all possibilities. Regarding the Russian investigation, there is always the possibility of the so-called 'close the case' mindset, putting the blame on somebody rather than finding the real cause, or a kind of double truth: one for the public, another for real security analysis and internal use/lessons. Just my humble opinion. Security analysis is required to consider all possible versions of the event.
