Security Vulnerability in Internet-Connected Construction Cranes
This seems bad:
The F25 software was found to contain a capture replay vulnerability—basically an attacker would be able to eavesdrop on radio transmissions between the crane and the controller, and then send their own spoofed commands over the air to seize control of the crane.
“These devices use fixed codes that are reproducible by sniffing and re-transmission,” US-CERT explained.
“This can lead to unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent ‘stop’ state.”
Here’s the CERT advisory.
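To make the "fixed codes" problem concrete, here is an added example (not from the advisory or the vendor) that contrasts a fixed-code receiver with one that authenticates each frame and rejects stale counters. The frame layout, key, command bytes and all names are assumptions made for illustration and do not describe the F25 protocol.

```python
import hashlib
import hmac
import struct

# Constructed fixed codes: the same bytes always mean the same command.
FIXED_CODES = {b"\xa5\x01": "UP", b"\xa5\x02": "STOP"}

def fixed_code_receiver(frame):
    """Weak design: a frame captured once stays valid forever."""
    return FIXED_CODES.get(frame)

def make_frame(key, counter, command):
    """Hypothetical layout: counter (8 bytes) | command (1 byte) | HMAC-SHA256 tag."""
    body = struct.pack(">QB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class AuthenticatedReceiver:
    """Hardened design: verify the tag, then require a strictly increasing counter."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def accept(self, frame):
        if len(frame) != 9 + 32:
            return None                      # malformed frame
        body, tag = frame[:9], frame[9:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # spoofed or altered frame
        counter, command = struct.unpack(">QB", body)
        if counter <= self.last_counter:
            return None                      # replay of an earlier frame
        self.last_counter = counter
        return command

def demo():
    key = b"constructed-demo-key-not-for-use"
    rx = AuthenticatedReceiver(key)
    captured = make_frame(key, 1, 0x02)      # a legitimate STOP frame seen on the air
    return {
        "fixed_first": fixed_code_receiver(b"\xa5\x02"),
        "fixed_replay": fixed_code_receiver(b"\xa5\x02"),   # accepted again
        "auth_first": rx.accept(captured),
        "auth_replay": rx.accept(captured),                 # rejected: stale counter
        "auth_altered": rx.accept(captured[:8] + b"\x01" + captured[9:]),
        "auth_next": rx.accept(make_frame(key, 2, 0x01)),
    }
```

The counter has to survive power cycles on both ends, otherwise old frames become valid again after a reset. Authentication of this kind does not address radio jamming, which can still hold a fail-safe receiver in its stop state.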
kjerpfoekd • October 29, 2018 6:31 AM
I don’t know how doable this is, but maybe a wired connection should be mandated by law between a human operator and this kind of machinery? Even commands sent over TLS or something of the sort seem too insecure for that kind of use.