How Hackers Could Manipulate The ‘Smart’ Wrenches Used To Build New Cars


Modern auto factories rely on strict process controls to ensure that cars are built right. Any mistakes on the production line could require expensive rework to rectify, or lead to quality issues for customers which can lead to recalls and a damaged reputation. Smart tools are key to maintaining quality, allowing companies to ensure they’re not shipping cars with loose fasteners. However, these smart tools can be vulnerable to hackers, new research has revealed.

The news comes from Nozomi Networks, a cybersecurity company that investigates a wide variety of industrial equipment for vulnerabilities. As described in a report titled “Vulnerabilities on Bosch Rexroth Nutrunners May Be Abused to Stop Production Lines, Tamper with Safety-Critical Tightenings,” Nozomi Networks researchers were able to uncover a number of vulnerabilities in the Bosch Rexroth NXA015S-36V-B. If you’re not familiar with this tool, Nozomi Networks describes it as “a popular smart nutrunner (pneumatic torque wrench) used in automotive production lines.” So, basically it’s a tool for tightening fasteners to specific torques to make sure parts are held together properly (it’s worth noting that the photos in the report show a battery-powered wrench, though the wrench in question is indeed a “pneumatic torque wrench,” per Bosch itself. More on Bosch’s response in a moment).

The “smart” aspect of the tool comes from the fact that it is network connected via WiFi, enabling it to log the torque and total tightening angle it applies to each fastener to a server for quality assurance purposes. It’s that network connectivity that poses a risk to the tool, and the factories that depend on it, according to Nozomi Networks.

The dangers of a hacked nutrunner could be numerous, with Nozomi Networks mentioning that a production line could theoretically be shut down and that fasteners could be over- or under-tightened while correct torques are reported in quality logs. From Nozomi Networks:

We demonstrate that these vulnerabilities could make it possible to implant ransomware on the device, which could be used to cause production line stoppages and potentially large-scale financial losses to asset owners. Another exploitation would allow the threat actor to hijack tightening programs while manipulating the onboard display, causing undetectable damage to the product being assembled or making it unsafe to use. Given that the NXA015S-36V-B is certified for safety-critical tasks, an attacker could compromise the safety of the assembled product by inducing suboptimal tightening, or cause damage to it due to excessive tightening.

In other words, a hacked tool could lead to products built with parts that fall off, or bolts that shear in service from being over-torqued, and that’s obviously not good.

The Bosch Rexroth NXA015S-36V-B. The cordless nutrunner communicates over WiFi to log fastener torque for quality purposes.

Such tools are used in all kinds of factories where fastener torques are critical. By measuring torque and the total angle the fastener is turned, the device can ensure the fastener is torqued to spec and that any necessary washers are present.

Nozomi Networks has already notified Bosch Rexroth of the issue, and Bosch Rexroth has “committed to releasing patches by the end of January 2024.” As the patch is not yet available, the company has not revealed specific technical details of how the nutrunners are vulnerable. However, its report includes a list of 25 vulnerabilities in the NEXO-OS operating system used on the tools, and even outlines “mitigations that asset owners can implement to safeguard against cyberattacks.”

The researchers were able to demonstrate the weakness of the tools by installing a proof-of-concept ransomware, which displays a notice on the screen of the tools. In theory, this could be used to hold a production-line to ransom until a sum was paid to hackers, with Nozomi Networks noting a rather grim potential scenario:

A group of malicious hackers might render an assembly line unusable if you don’t pay a fortune in crypto currency to the threat group. A resulting ransom demand may be millions of dollars, before considering the remediation and response costs.

Given that even a short shutdown to a production line can quickly run into the tens or hundreds of thousands of dollars, it’s easy to imagine a business contemplating paying such a sum—no matter how much conventional wisdom might recommend against it.

Nozomi Networks discusses what it found in testing, writing:

Within our lab environment, we successfully reconstructed the following two scenarios:

  • Ransomware: we were able to make the device completely inoperable by preventing a local operator from controlling the drill through the onboard display and disabling the trigger button. Furthermore, we could alter the graphical user interface (GUI) to display an arbitrary message on the screen, requesting the payment of a ransom. Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner.
Researchers ran a proof-of-concept ransomware attack on the tools. Credit: Nozomi Networks
  • Manipulation of Control and View: we managed to stealthily alter the configuration of tightening programs, such as by increasing or decreasing the target torque value. At the same time, by patching in-memory the GUI on the onboard display, we could show a normal value to the operator, who would remain completely unaware of the change.
In what is termed a “manipulation of view” attack, the tool was commanded to tighten a fastener to 0.15 Nm, while displaying just 0.05 Nm. Credit: Nozomi Networks
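
A defender-side check for the manipulation-of-view scenario above, added here as an example and not taken from Nozomi Networks, Bosch Rexroth or the article: because the tool's display and its own log can both be falsified, it compares reported torques with readings from an independent audit. The record layout, joint IDs, program names, tolerance and `max_gap_nm` threshold are assumptions, and the sample values reuse the 0.05 Nm and 0.15 Nm figures from the caption.

```python
from dataclasses import dataclass
from typing import Optional

# All values are constructed for illustration. The record layout is
# hypothetical; it is NOT the NEXO-OS log or configuration format.

@dataclass(frozen=True)
class Spec:
    target_nm: float     # engineering-approved target torque
    tolerance_nm: float  # allowed deviation either side of the target

@dataclass(frozen=True)
class Tightening:
    joint_id: str
    program: str
    reported_nm: float                # value the tool logged and displayed
    audit_nm: Optional[float] = None  # independent reading, if sampled

def in_spec(value: float, spec: Spec) -> bool:
    # Small epsilon so a reading exactly on the limit is not rejected
    # because of floating-point rounding.
    return abs(value - spec.target_nm) <= spec.tolerance_nm + 1e-9

def find_discrepancies(records, specs, max_gap_nm=0.02):
    """Return (joint_id, reason) for each record that needs investigation."""
    findings = []
    for r in records:
        spec = specs.get(r.program)
        if spec is None:
            # A program that engineering never released is itself a finding.
            findings.append((r.joint_id, "unknown program"))
            continue
        if r.audit_nm is None:
            continue  # not sampled: nothing independent to compare against
        if in_spec(r.reported_nm, spec) and not in_spec(r.audit_nm, spec):
            # The signature of a manipulated view: the tool says OK, the joint is not.
            findings.append((r.joint_id, "reported in spec, audit out of spec"))
        elif abs(r.reported_nm - r.audit_nm) > max_gap_nm:
            findings.append((r.joint_id, "reported and audit values disagree"))
    return findings

SPECS = {"P1": Spec(target_nm=0.05, tolerance_nm=0.01)}
SAMPLE = [
    Tightening("J1", "P1", reported_nm=0.05, audit_nm=0.05),
    Tightening("J2", "P1", reported_nm=0.05, audit_nm=0.15),  # caption's figures
    Tightening("J3", "P1", reported_nm=0.05),                 # not audited
    Tightening("J4", "P9", reported_nm=0.05, audit_nm=0.05),  # unreleased program
]

def run_sample():
    return find_discrepancies(SAMPLE, SPECS)

if __name__ == "__main__":
    for joint, reason in run_sample():
        print(f"{joint}: {reason}")
```

The check only covers joints that were actually sampled, so the audit rate decides how long an altered tightening program could run unnoticed.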

Speaking to The Autopian, Bosch Rexroth confirmed that the company is aware of the matter and is developing a solution. The company has also posted a threat advisory to customers on its Product Security website. Per a Bosch spokesperson, who began by making it clear that “security is a top priority” at the company:

Nozomi Networks informed us some weeks ago that they have found that there is a vulnerability associated with the Bosch Rexroth NXA015S-36V-B, a smart nutrunner/pneumatic torque wrench. Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem. This patch will be released at the end of January 2024.

Since January 8, 2024, customers can find a “Security Advisory” on the Bosch Rexroth homepage in the area “Product Security” https://www.boschrexroth.com/en/dc/product-security/security-advisories/ or on https://psirt.bosch.com/security-advisories/bosch-sa-711465.html

The relevant Bosch Rexroth product Bosch Rexroth NXA015S-36V-B has been used by Bosch Rexroth customers for many years, so far there have been no cases of data loss. As our customers have the expertise to evaluate the very limited risk of this situation, we have had only limited customer questions. It is strongly recommended to operate the Nexo cordless nutrunner in protected network segments.

Most of the vulnerabilities are a little arcane, but some are simple and seemingly embarrassing. One vulnerability (CVE-2023-48250) involves the use of hard-coded credentials baked into the tools. As I understand it, it’s kind of like if your Wi-Fi router at home had a secret account that you couldn’t change the password for, and so any attacker that knew about it could get into your network. Armed with this entry point, an attacker could combine that with another vulnerability, known as CVE-2023-48243. This allows the hacker to upload arbitrary files to different parts of the tool’s storage via a simple method. Using this, the hacker could run their own code on the device, such as to modify torque settings or lock out the tool and display a ransomware message.


Given the level of vulnerability, Nozomi Networks advises users to restrict any means by which a hacker might reach the network the tools are operating on in order to prevent attacks. According to Bosch’s rating on the Common Vulnerability Scoring System V3.1, the vulnerabilities were rated as Medium and High, the latter being one level below the highest rating of Critical.

At the time of writing, a Bosch spokesperson indicated they were unable to state the number of automakers that currently use the specific tool in question. The Autopian will update this article if such numbers become available.

It may be that no major automaker uses the specific Bosch Rexroth tool that was subject to this vulnerability. However, a vast number of automakers and other manufacturers use tools similar to these, both from Bosch and other tool companies. We often think of our desktop and laptop computers as the main devices at risk to hackers, and, I guess, increasingly our cars’ infotainment systems. In reality, anything on a network is a target. This incident highlights that even individual hand tools must be carefully designed from a cybersecurity perspective, especially when it comes to safety-critical applications. In the automotive world, much like aerospace and maritime applications, a loose fastener can put lives on the line.

Having a connected tool is great to ensure that vehicles are well built, but the industry must work to prevent that connection creating risk. Preventative measures do exist, as Bosch notes, such as only using such tools on protected and separated network segments. The tools can be secured further in future, to be sure, but they should also be protected from the outside world as much as possible. This research will remind many working in infrastructure cybersecurity — and also executives — just how much could be at risk.

Image credits: Nozomi Networks, Bosch


45 thoughts on “How Hackers Could Manipulate The ‘Smart’ Wrenches Used To Build New Cars”

  1. Let me preempt whoever might come in to say “‘Rexroth Nutrunners’ would be a great name for a band.” Perhaps it would. But it would be a far better name for an itinerant band of male strippers performing at various gay male and/or hen party venues across the West Midlands.

  2. So why don’t these things simply have a hard reset button? I’d think it would take less time to simply wipe the contaminated program and reload it from firmware than to pay the ransom.

    1. Yeah, when they talked about “a fortune in Bitcoin” my first thought was “or just get new tools”. This isn’t like ransomware that encrypts irreplaceable data.

      1. I get that to replace the bricked tools would take time, time that the production schedule can’t afford. If that’s the case, yeah, have spare tools available and use those while the contaminated ones are being cleaned out by IT.

  3. Stuff like this is why you keep your SCADA networks isolated and heavily firewalled if not air gapped. Because the internet of things and depressing amount of industrial controllers have piss poor security. Even then you have to guard against idiots with USB sticks (the Stuxnet vector) and idiots with home routers or cell phone hotspots bridging networks.
    I work in IT and some clients have SCADA systems and some clients need to be ITAR compliant so we have VLANs, firewalls and management buy in that people who violate IT security get fired.
    Back on topic, Tesla needs these to address their horrible record of suspension failures

  4. I can’t for the life of me find this article (it wasn’t in English and I forgot in what forgotten part of the web I read it eons ago), but one of the first industrial level “computer” hacks happened in the USSR, at the end of the 70’s, at the Moskvich factory.

    A young computer engineer (for whatever computers they had) kept being passed on for his vacation request (vacations in most of the Eastern block were heavily dependent on one’s employer not only timeframe wise, but also for most everything else – simple mortals could only get decent vacation time if they used the employer’s vacation villages at specific places, so if a company owned a vacation tent village close to the beach you’d be SOL if you got your vacation during the winter). So the guy became increasingly resentful.

    Eventually, he got his vacation time after everybody else. Before leaving, he changed some setting in the main program and left.

    The change threw the conveyor belts out of whack, making the different elements arrive at specific stations ever so slightly out of sync – too early, or too late. This was not noticed at first, but eventually ballooned as the little differences amplified each other, to a complete lockup of the production line.

    Techs kept turning the belts off and on again, to no avail. They’d start (almost) fine then get out of whack again.

    To add to the joy, it turned out that the “I’m the only one knowing what they’re doing here” claims of said engineer turned out to be true, as no one was able to figure out the issue till the guy came back.

      1. The beauty of the story was that they never figured out what exactly had happened, till he spilled the beans decades later, after the regime change. Or so the story goes.

    1. That story doesn’t make sense. If stuff Joe owns breaks after Joe goes on vacation, you call him back and make him fix his stuff.

      1. It’s because of how I tell it, not because of how it was told to me 🙂

        I read it a long time ago, and as I mentioned – I can’t find it again. What is sure is that Joe had his behind covered one way or the other – not sure if anyone suspected it was a computer issue to begin with – and kept it covered for a long time.

        As for breaking and owning – there is no dedicated “Stories about Soviet build quality” thread here (yet), so I’ll keep my stories hush for the time being. Let’s say that ownership of issues in civilian production was not exactly a thing back there and then.

        I’m giving the benefit of the doubt to the military production, although I remember of at least one case where a million buck+ com station that came on a Kamaz chassis, was delivered brand new in my country with an engine seized in transit (with 20 miles on the odometer) because oil was low or not there at all straight out of the factory, in the very early 90’s.

  5. Connected tools and IoT things not being secure, topic is a decade old and companies are still churning out hot new products with security being their last concern. No one ever learns.

  6. I mentioned this on jalopnik, but my comment was on pending hell.

    but yes, consider this being used on actually missing critical assembly lines like for Boeing/Spirit (cough door plug bolts) or SpaceX.

    The implications are major.

      1. I only ever wanted to comment on Jalopnik when the article was wrong or belmingly stupid.

        I actually comment here because it’s so good I want to join in.

  7. It’s ridiculous how companies jump to put everything online, without considering security at all. I seem to remember a company being hacked through their fish tank thermometer, because it was on their wifi, but had no security of its own. I always think of that when something I’ve purchased wants to be on my network.

    1. I always think of that one too! It was some casino. A “smart” aquarium connected to their secure network. And you figure they have a lot of moolah at stake for any kind of networks there…

      I recently connected my printer to my network via an ethernet connection to the router. I figure phones and laptops are about the only things I can generally trust with wireless connections since they do get regular updates.

      Somehow I don’t trust smart bulbs and gadgets to get regular firmware/security updates.

  8. “In reality, anything on a network is a target.”
    Ah-Yep, but let’s race ahead and make everything in our lives connected.
    This is a job for Rtwyrm !
    Too tight=broke.

    1. I get the benefit to this in less reliance on human quality control inspectors, but I remain unconvinced that my washer, refrigerator, dishwasher, and juicer need to be connected to the Internet or that doing so would benefit me in any meaningful way

      1. Seems they could have a hard wire secured port that downloads when the tool is in the cradle. As for your fridge,washer, and such, how are the manufacturers going to monetize your sweet data otherwise?

  9. As a correction: the units displayed are DC nutrunners (being battery powered), not a pneumatic nutrunner (operating based on air) as is noted in the article.

    Whilst wireless ones are fairly common in the industry, most units are of a corded-type and would not be reliant upon wireless signals (as they are lighter, cheaper, do not need to be charged, and are generally more robust than cordless variants).

    1. I think it’s just some confusion on the part of Nozomi Networks that was then repeated by the Bosch spokesperson. The datasheet for the particular model shows that it’s a battery-powered nutrunner.

      Either that, or there’s some internal pneumatic element, but I can’t imagine why that would be the case from an engineering standpoint.

  10. The manipulation attack is essentially what Stuxnet did to Iranian uranium enrichment ~2009 by stealthily manipulating PLC controllers of centrifuges. The targeted equipment indicated normal operation but would alter the speeds and gas pressures to slowly destroy the equipment and hinder the enrichment process.

  11. I wonder what would, ultimately, happen to the hackers that exploited this or something similar on one of the major manufacturers. Would they get their day in court? Would they quietly disappear?

    Corporations don’t play for some things.

    1. Off the top of my head, ransomware attacks on industry generally would see you arrested and put on trial if the authorities can achieve it.

      I don’t think corporations are hiring hit squads to take out hacker groups but I obviously don’t know everything

      1. I’ve been following some of the modern ransomware stuff going on, and who is doing it (there was a school in India that gained some prominence for a while before breaking up and splintering.) A lot of the times it’s places where the laws in the victim’s country can’t reach, or the hacker’s country is very reticent about prosecuting or even providing data on the attack. As a result there’s very little legal recourse

        Combined with the fact that I have very little trust in anything any corporation does these days…

    1. I got out of aerospace 6 years ago, but back then Boeing had a big push to eliminate their in house inspectors and have all suppliers do the inspections themselves and submit results via a web portal. Obviously it’s working out great.
