Hackers can infect network-connected wrenches to install ransomware


The Rexroth Nutrunner, a line of torque wrench sold by Bosch Rexroth.
Enlarge / The Rexroth Nutrunner, a line of torque wrench sold by Bosch Rexroth.
Bosch Rexroth

reader comments
132

Researchers have unearthed nearly two dozen vulnerabilities that could allow hackers to sabotage or disable a popular line of network-connected wrenches that factories around the world use to assemble sensitive instruments and devices.

The vulnerabilities, reported Tuesday by researchers from security firm Nozomi, reside in the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B. The cordless device, which wirelessly connects to the local network of organizations that use it, allows engineers to tighten bolts and other mechanical fastenings to precise torque levels that are critical for safety and reliability. When fastenings are too loose, they risk causing the device to overheat and start fires. When too tight, threads can fail and result in torques that are too loose. The Nutrunner provides a torque-level indicator display that’s backed by a certification from the Association of German Engineers and adopted by the automotive industry in 1999. The NEXO-OS, the firmware running on devices, can be controlled using a browser-based management interface.

NEXO-OS's management web application.
Enlarge / NEXO-OS’s management web application.

Nozomi researchers said the device is riddled with 23 vulnerabilities that, in certain cases, can be exploited to install malware. The malware could then be used to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place. B

A PoC ransomware running on the test nutrunner.

Enlarge / A PoC ransomware running on the test nutrunner.
  • Manipulation of Control and View: we managed to stealthily alter the configuration of tightening programs, such as by increasing or decreasing the target torque value. At the same time, by patching in-memory the GUI on the onboard display, we could show a normal value to the operator, who would remain completely unaware of the change.
A manipulation of view attack. The actual torque applied in this tightening was 0.15 Nm.
A manipulation of view attack. The actual torque applied in this tightening was 0.15 Nm.
Article Tags:
Article Categories:
Technology