Hackers Take over Giant Cranes at Construction Site
Next time you see a crane moving, you need to ask who is in control.
Two white hat hackers have demonstrated how vulnerable cranes and other large-scale building equipment are by taking control of cranes on building sites from their car.
Federico Maggi and Marco Balduzzi, working for Japanese cybersecurity giant Trend Micro, traveled through the Lombardy region of Italy armed with laptops, scripts for running their hacks and some radio hardware to beam out the exploit code.
They asked building site managers if they could attempt to hack cranes and other equipment on site. They were scarily successful.
They found that cranes are enormously vulnerable. The problem lies in the communications between the controllers and the cranes. To get into the system, the two hackers reverse engineered the communications coming from the radio frequency (RF) controller.
The relative simplicity of the hack highlights how damaging the potential catastrophe could be if the cranes were hacked maliciously. The damage could range “from theft and extortion to sabotage and injury,” the researchers wrote in a paper.
The researchers tested their scripts and hacking skills at 14 different construction sites using five different types of attacks.
The attacks included: a replay attack, command injection, e-stop abuse, malicious re-pairing, and malicious reprogramming. The first four types of attacks can be carried out in just a few minutes and at a very low cost.
The researchers were armed simply with two laptops, some free code and basic RF equipment costing between $100 and $500. To deal with the inconsistencies of the building sites' technology, they also developed their own bespoke hardware and software, called RFQuack, to streamline the attacks.
While the point of the exercise for these two benevolent hackers was to sell security software, it also creates a call to action for the manufacturers of this type of equipment to take security more seriously and fix the flaws exposed by Maggi and Balduzzi.