The F25 software used by Telecrane construction cranes’ remote devices are vulnerable to cyber attacks, security experts discovered. This bug could allow a nearby attacker to wirelessly connect to controller devices and hijack the equipment. The controllers allow operators the ability to control the crews and remotely operate remotely the equipment from the ground.
The vulnerability, assigned as CVE-2018-17935, existed in the Telecrane F25 series of controllers. The bug could allow attackers to obtain control over a crane’s operations by secretly listening to the radio transmissions between the crane and the controller and send their own spoofed commands over the air to seize control of the crane.
The US-CERT issued an advisory to some customers of Telecrane construction cranes to patch their control systems. Successful exploitation of the bug could allow an attacker to view commands, replay commands, control the device or stop the device from working.
Researcher Jonathan Anderson, Philippe Lin, Akira Urano, Macro Balduzzi, Federico Maggi, Stephen Hilt, and Rainer Vosseler discovered the vulnerability in the controller devices and reported them to Telecrane. The discovery was made as a part of Trend Micro’s Zero Day Initiative.
According to the US-CERT, the vulnerable devices were found using fixed codes that can be easily reproduced by an attacker using code sniffing and re-transmission.
"This can lead to an unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent 'stop' state," explained US-CERT.
The flaw could be considered posing a moderate risk. However, since the bug affects massive construction equipment, it could pose a much greater risk. This is especially true in the event that the flaw is exploited by state-sponsored hackers looking for ways to cause extensive real-world damage by manipulating construction equipment.
“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents,” the US-CERT also said.