A critical flaw in construction equipment could allow hackers to conduct command injection attacks

• This bug could allow a nearby attacker to wirelessly connect to the controller device and hijack the equipment.
• An attacker exploiting the vulnerability could view commands, replay commands, replay commands and stop the device from working.

The F25 software used by Telecrane construction cranes’ remote devices are vulnerable to cyber attacks, security experts discovered. This bug could allow a nearby attacker to wirelessly connect to controller devices and hijack the equipment. The controllers allow operators the ability to control the crews and remotely operate remotely the equipment from the ground.

The vulnerability, assigned as CVE-2018-17935, existed in the Telecrane F25 series of controllers. The bug could allow attackers to obtain control over a crane’s operations by secretly listening to the radio transmissions between the crane and the controller and send their own spoofed commands over the air to seize control of the crane.

The US-CERT issued an advisory to some customers of Telecrane construction cranes to patch their control systems. Successful exploitation of the bug could allow an attacker to view commands, replay commands, control the device or stop the device from working.

Trend Micro’s Zero Day initiative

Researcher Jonathan Anderson, Philippe Lin, Akira Urano, Macro Balduzzi, Federico Maggi, Stephen Hilt, and Rainer Vosseler discovered the vulnerability in the controller devices and reported them to Telecrane. The discovery was made as a part of Trend Micro’s Zero Day Initiative.

Moderate to great risk

According to the US-CERT, the vulnerable devices were found using fixed codes that can be easily reproduced by an attacker using code sniffing and re-transmission.

"This can lead to an unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent 'stop' state," explained US-CERT.

The flaw could be considered posing a moderate risk. However, since the bug affects massive construction equipment, it could pose a much greater risk. This is especially true in the event that the flaw is exploited by state-sponsored hackers looking for ways to cause extensive real-world damage by manipulating construction equipment.

“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents,” the US-CERT also said.