Federico Maggi will never forget the first time he saw a crane being hacked.
Last March, he was on a strange kind of road trip. Traveling the Lombardy region of Italy with his colleague Marco Balduzzi in a red Volkswagen Polo, the pair hoped to convince construction site managers, whom they’d never met or spoken with before, to let them have a crack at taking control of cranes with their hacking tools.
Surprise, surprise: They weren’t having much luck. But one such manager, who Maggi fondly remembers as Matteo, was game. Armed with laptops powered by the VW’s battery, scripts for running their hacks and some radio hardware to beam out the exploit code, Maggi and Balduzzi got to work.
Matteo was asked to turn off his transmitter, the only one on-site capable of controlling the crane, and put the vehicle into a “stop” state. The hackers ran their script. Seconds later, a harsh beeping announced the crane was about to move. And then it did, shifting from side to side. Looking up at the mechanism below a wide blue sky, Matteo was at first confused.
“I remember him looking up and asking, ‘Who is doing that?’ Then he realized the test was successful,” Maggi recalls.
Matteo’s crane was just the start. Over the coming days and weeks, the researchers, who ply their trade at Japanese cybersecurity giant Trend Micro, became professional “crane spotters.” Able to detect potentially vulnerable machines on site, they embarked on an unprecedented hacking trip.
They cajoled their way into 14 locations where they were allowed to hack into devices that controlled not only cranes but also excavators, scrapers and other large machinery. In every case, their pre-prepared attack code worked.
It soon became obvious: Cranes were hopelessly vulnerable. And, unless the manufacturers behind the tools could be convinced to secure their kit, the potential for catastrophic damage was very real. The consequences ranged “from theft and extortion to sabotage and injury,” the researchers wrote in a paper handed to Forbes exclusively ahead of publication on Tuesday.
The attacks are simple, cheap and open to any person willing to risk launching them, warns Mark Nunnikhoven, VP for cloud security at Trend Micro. “Anyone in range can manipulate these devices.”
Attack of the cranes
In layman’s terms, Maggi and Balduzzi were doing something akin to cloning the transmitter typically used by site managers like Matteo.
But it’s a little more complex than that. The vulnerabilities uncovered by Trend Micro’s research team lay not in the vehicles themselves but in the communications between the controllers and the cranes. The benevolent hackers had to reverse engineer those communications coming from the radio frequency (RF) controller. They then had to find ways of copying commands, which came in their own supposedly unique formats, full of quirks the researchers had to figure out.
They discovered that the data packets containing commands were often transported over the airwaves with little to no security. Where there was basic encoding or encryption of commands, it still didn’t prevent the hackers from replicating commands using a software-defined radio (a radio whose signal processing is done in software, so the same cheap hardware can be tuned to whatever frequency the user sets). The reason is that scrambling a command is not the same as authenticating it: if nothing in the packet changes from one press of a button to the next, an attacker can record the bytes and send them again without ever understanding them. “In comparison, consumer-level remote controllers for car or door locks tend to be more secure,” the researchers wrote in their paper.
Initial testing was carried out on a toy crane in the office. In a lighthearted joke at the potential for damage in the real world, a lonesome-looking teddy bear was swiped off his stool by the miniature arm.
They then moved on to Matteo and real building sites. Maggi could either rely on his ability to spot a vulnerable crane controller and quickly launch attacks, or he could “sniff” the traffic passing over various radio frequencies. In a couple of hours, it was possible to determine what devices were in use and whether they could be manipulated or not.
Five different kinds of attack were tested. They included: a replay attack, command injection, e-stop abuse, malicious re-pairing and malicious reprogramming. The replay attack sees the attackers simply record commands and send them again when they want. Command injection sees the hacker intercept and modify a command. E-stop abuse brings about an emergency stop, while malicious re-pairing sees a cloned controller take over the functions of the legitimate one. And malicious reprogramming places a permanent vulnerability at the heart of the controller so it can always be manipulated.
So straightforward were the first four types of attack, they could be carried out within minutes on a construction site and with minimal cost. The hackers only required PCs, the (free) code and RF equipment costing anywhere between $100 and $500. To deal with some of the idiosyncrasies of the building site tech, they developed their own bespoke hardware and software to streamline the attacks, called RFQuack.
It might seem like Maggi and Balduzzi had it too easy. But they did encounter one problem, that of energy. Such was the power drain on the little red Polo, with the radio hardware and laptops sucking up the battery, it had to be towed at the end of one day of testing. Maggi had to buy a new battery too.
Raise your crane game
On the one hand, attacks by hackers with real malicious motivations could lead to injury or worse. On the other, there’s the risk of theft of expensive vehicles or serious financial damage for construction companies. Imagine cybercriminals had commandeered a fleet of cranes and demanded a ransom to release them. Those lost days, not to mention the payment, could lead to major losses.
The industry is now being urged to build more robust systems. Amongst the seven vendors whose kit was exploited by Trend’s researchers were Saga, Circuit Design, Juuko, Autec, Hetronic, Elca and Telecrane. Not one had responded to requests for comment at the time of publication.
But fixes have been rolling out over the last year. U.S.-government-funded Computer Emergency Response Teams worked with Trend to alert manufacturers and roll out either patches or workarounds.
For some of the vendors, the very idea of patching systems was new. “Some vendors have released firmware with version 0.00A, which means it’s the very first update they’ve released in their lives,” said Maggi.
There remain, however, some flaws left open. Two vulnerabilities affecting Juuko controllers, for instance, have not been addressed. They leave open the possibility of replay and command injection hacks. They’ve been left as so-called “zero-days”: flaws that were unknown to the vendor until the researchers reported them and that still have no patch.
To truly fix the problem across the industry, it would be wise to move away from the esoteric custom protocols currently in use, says Nunnikhoven. Standardized, publicly documented protocols would instead be open to scrutiny by researchers and, therefore, to fixes, Nunnikhoven added.
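The replay, command-injection and e-stop attacks described above, and the contrast with a link that authenticates each command, as an added example that is not code from the original article, from Trend Micro or from any of the vendors named. The frame layouts, the fixed XOR “scrambling”, the command codes, the pairing ID and the per-pairing secret are all assumptions constructed for this simulation; real controllers use their own formats, which is exactly what the researchers had to reverse engineer.

```python
"""
Simulated RF remote-control link. WeakCrane accepts a static frame (the kind
of design the article describes); SecureCrane accepts only a fresh, authenticated
one. All layouts and values are constructed for this example (assumptions).
"""
import hashlib
import hmac
import struct

# Hypothetical command codes (constructed for this example).
CMD_STOP, CMD_LEFT, CMD_RIGHT = 0x00, 0x01, 0x02

# ---- Weak link: pair_id:2 + cmd:1, XOR-"scrambled" with a fixed byte, + checksum ----
# Nothing in the frame changes between two presses of the same button, so a
# recording is as good as the transmitter.
XOR_KEY = 0x5A  # assumption: one obfuscation byte baked into every unit

def weak_encode(pair_id: int, cmd: int) -> bytes:
    body = bytes(b ^ XOR_KEY for b in struct.pack(">HB", pair_id, cmd))
    return body + bytes([sum(body) & 0xFF])

def weak_decode(frame: bytes):
    if len(frame) != 4 or (sum(frame[:3]) & 0xFF) != frame[3]:
        return None
    return struct.unpack(">HB", bytes(b ^ XOR_KEY for b in frame[:3]))

class WeakCrane:
    def __init__(self, pair_id: int):
        self.pair_id, self.log = pair_id, []
    def receive(self, frame: bytes) -> bool:
        d = weak_decode(frame)
        if d is None or d[0] != self.pair_id:
            return False
        self.log.append(d[1])
        return True

# ---- Attacker side: no key, no documentation, only frames captured with an SDR ----
def replay(captured: bytes, crane) -> bool:
    """Replay attack (and e-stop abuse when the captured frame is a STOP)."""
    return crane.receive(captured)

def inject_weak(stop_frame: bytes, new_cmd: int, crane) -> bool:
    """Command injection: the operator's STOP frame carries cmd 0x00, so its
    third byte leaks the XOR key; swap in any command and fix the checksum."""
    key = stop_frame[2] ^ CMD_STOP
    body = stop_frame[:2] + bytes([new_cmd ^ key])
    return crane.receive(body + bytes([sum(body) & 0xFF]))

def tamper(frame: bytes, new_cmd: int, crane) -> bool:
    """Same idea against the hardened frame: overwrite the command byte."""
    return crane.receive(frame[:2] + bytes([new_cmd]) + frame[3:])

# ---- Hardened link: pair_id:2 + cmd:1 + counter:4, then an 8-byte HMAC-SHA256 tag ----
TAG_LEN = 8

class SecureTransmitter:
    def __init__(self, pair_id: int, secret: bytes):
        self.pair_id, self.secret, self.ctr = pair_id, secret, 0
    def send(self, cmd: int) -> bytes:
        self.ctr += 1  # never repeats for the life of the pairing
        hdr = struct.pack(">HBI", self.pair_id, cmd, self.ctr)
        return hdr + hmac.new(self.secret, hdr, hashlib.sha256).digest()[:TAG_LEN]

class SecureCrane:
    def __init__(self, pair_id: int, secret: bytes):
        self.pair_id, self.secret, self.last_ctr, self.log = pair_id, secret, 0, []
    def receive(self, frame: bytes) -> bool:
        if len(frame) != 7 + TAG_LEN:
            return False
        hdr, tag = frame[:7], frame[7:]
        good = hmac.new(self.secret, hdr, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):  # forged or modified frame
            return False
        pair_id, cmd, ctr = struct.unpack(">HBI", hdr)
        if pair_id != self.pair_id or ctr <= self.last_ctr:  # wrong unit or replay
            return False
        self.last_ctr = ctr  # forward gaps are fine, so dropped frames do not desync
        self.log.append(cmd)
        return True

def demo() -> dict:
    weak = WeakCrane(pair_id=0x1234)
    stop = weak_encode(0x1234, CMD_STOP)    # captured while the operator hit STOP
    right = weak_encode(0x1234, CMD_RIGHT)  # captured during normal operation
    assert weak.receive(stop) and weak.receive(right)
    secret = b"per-pairing secret provisioned at pairing time"  # assumption
    tx, sec = SecureTransmitter(0x1234, secret), SecureCrane(0x1234, secret)
    s_right = tx.send(CMD_RIGHT)
    legit = sec.receive(s_right)
    return {
        "weak_replay": replay(right, weak),                  # True
        "weak_inject": inject_weak(stop, CMD_LEFT, weak),    # True
        "weak_estop":  replay(stop, weak),                   # True
        "weak_log":    list(weak.log),                       # [0, 2, 2, 1, 0]
        "secure_legit":  legit,                              # True
        "secure_replay": replay(s_right, sec),               # False: counter not fresh
        "secure_tamper": tamper(s_right, CMD_LEFT, sec),     # False: tag mismatch
        "secure_next":   sec.receive(tx.send(CMD_LEFT)),     # True
        "secure_log":    list(sec.log),                      # [2, 1]
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened receiver rejects a replayed frame because its counter is not higher than the last one accepted, and rejects a modified frame because the tag no longer verifies; legitimate traffic still gets through. What this toy does not address, and what a real design must, is keeping the counter across power cycles and provisioning the secret without broadcasting it, otherwise the malicious re-pairing attack the researchers describe comes back through the pairing procedure.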
For now, the next time you see a crane swinging around your city or town, you’ll have to wonder: Who’s in control?
I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist …