IoT-Connected Construction Cranes Vulnerable to Hijacking

Threatpost has reported the discovery of yet another IoT device vulnerability. Telecrane’s F25 series connects to the internet to help operators control crane movements. A weakness in the security could allow hackers to intercept connected cranes’ communications and take control of the equipment.

“It’s not uncommon for the crane to not have line-of-sight view to the ‘landing spot’ and a remote controller to be there guiding the load down,” he wrote. “Bluetooth won’t work. You might be able to set up a local network but, given that there might be a big building in the way, that probably won’t work either. So the next option is to use a 3G or 4G phone connection to the web from the controller to the crane. A wired connection would be difficult as well,” says Bruce Schneier.

The Telecrane Flaw

Dubbed the Telecrane flaw, CVE-2018-17935 compromises the transmission mechanism connecting the two hardware pieces that allow the crane to “talk” to its controller in the operator cockpit. Considered an “authentication bypass by capture-relay,” it intercepts and edits transmissions and then uses them to assume control of the crane. It’s basically a man-in-the-middle style attack.

See also: Rethinking DDoS security in the era of 5G and cloud

The security flaw has been assigned a “serious” CVSS v3 score of 7.6, and US-CERT categorized it as a basic attack not requiring advanced skills. Telecrane addressed the problem in their latest firmware update, but it’s up to construction companies to obtain and install it.

While there have been no known actual attacks, security officials urge construction companies to keep their crane’s firmware up to date, use VPNs to protect their data, and minimize the network exposure of all control devices.