An IoT flaw can be used to hijack connected construction cranes

Researchers have discovered that a connected construction crane, from Telecrane, has a vulnerability that can be used by hackers to intercept its communications and take the equipment over.
The internet of things (IoT) continues to grow up by reaching new sectors around worldwide industries. This case is about Telecrane F25 series that uses an unsecured internet connection to help the operator guide the crane’s movements.

This internet-connected feature is available because it’s not uncommon for the crane to not have a line-of-sight view to the landing spot and needs some sort of a remote controller to be there guiding the load down. Bluetooth won’t work and a wired control is not practical. A local network might but, given that there might be a big building in the way, that probably won’t work either. For now, the only option is to use a 3G or 4G phone connection to the web from the controller to the crane.

As in all the cases presented over the time this new IoT expansion is keeping the security community busy as the attack surface widens. This time Telecrane is affected by a flaw (CVE-2018-17935) – an “authentication bypass by capture-replay” in the transmission mechanism between the two pieces of hardware that allow the crane to talk to the controller in the operator’s cockpit.

Remember everything can be hacked. In order to stay away from any threats related to the cyber world, we recommend the install of antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire every year a specialized cybersecurity company that will run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests;

Experts say that the crane use fixed unsecured codes that are reproducible by sniffing and re-transmission. A successful exploitation of this vulnerability could allow unauthorized users to view commands, replay commands, control the device or stop the device from running.
In other words, a hacker can use these hard-coded authentication messages to become a man-in-the-middle (MiTM) in the communications between the crane and the controller, from which he can spoof commands in order to hijack the crane.

The flaw has “serious” CVSS v3 score of 7.6, and a low skill level to exploit.
Good news is that Telecrane has fixed the problem in its latest firmware, version 00.0A, which construction companies can obtain via their product distributors.

Keep in mind that our modern society is dependent on computers, mobile devices, and the use of the internet always stay safe and secured.
We would continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac in every device that you own, depending on which OS your machine is running, If you are a company we recommend to hire every year a specialized cybersecurity company that will run annual tests on your company’s network, tests like this include: penetration testing and ethical hacking.