A low-skilled hacker could be just five easy steps away from remotely controlling heavy industry machines, putting workers at risk of injury or worse – that’s the verdict from one cybersecurity firm.
XM Cyber discovered the security flaw during an investigation of a client’s operations, in this case, a manufacturer with more than 7,000 employees and factories in Europe, the Middle East, and Africa.
“We engaged roughly two years ago with them and started with an early-stage deployment,” said Tobias Träbing, who led a penetration test to assess the client company’s cyber defenses. “We deployed our software within the customer premises, and during that, we were able to uncover a different attack path towards critical assets.”
This different attack path, it turns out, was a fairly straightforward route to remotely commandeering industry-grade machines ordinarily programmed to carry out routine functions on the factory floor.
Träbing said: “Here comes the catch – the deployment also included the server responsible for controlling uncrewed or unmanned vehicles in one of the factories. They have quite big robots driving around, and we created an attack scenario to say: can somebody from an unprivileged machine compromise the server that is controlling that uncrewed or unmanned vehicle?”
It turned out the answer to that question was “yes” – even when starting the penetration test from a company computer with no network access privileges.
“So those vehicles or robots were moving or transporting stuff from A to B in that factory, a big part of the manufacturing process,” said Träbing. “We were able to identify several attack paths involving software vulnerabilities, but also misconfiguration and credentials issues that would allow an attacker to compromise the controlling server of those vehicles.”
He added: “So if you translate that, when a real adversary would have access and exploit those issues, they would gain control of those vehicles [...] and then cause physical harm and damage. Rather than just go in a straight line, they could intercept and track the route and let it go somewhere else.
“The interesting part around this is IT security having an impact on the health and safety of the person working in the factory. They are people doing their 9-5 job, every day – but if all of a sudden this uncrewed vehicle would just run into somebody or drop the goods they are transporting, they [could] cause harm to the person.”
In this case, Träbing’s team intercepted the flaw before a threat actor could exploit it, alerting the machine-control app vendor and operator as well as the manufacturing client. This led to the vulnerability being patched – but Träbing believes this could be a wider issue for heavy industries that depend on remote-controlled robots.
Five easy steps
“It’s just a matter of time. If we talk about the real adversary getting access to the network and compromising the controlling server, that would be somewhat likely, because the attack path towards that machine wasn't the longest I've seen – it just included four or five hops, if I recall correctly.
“It’s not a super-complex attack, so an adversary that has some knowledge of IT security would have been able to find an attack path and potentially exploit it.”
Whether such a threat actor would be malevolent enough to deliberately harm industry workers is uncertain – but Träbing suggests it might happen by accident, for instance if a young hacker decides to exploit cybersecurity weaknesses just for fun or to test his or her skills, without thinking through what might happen as a result.
“If you read the news about recent hacks, Rockstar Games, we are talking about teenagers – and I don't mean this disrespectfully,” said Träbing. “Of course, nation-states are an issue, a security threat in itself, but you see with the younger generation that they are growing up with IT and security. They are super-sophisticated and don't fear or understand the consequences.”
Träbing urges high-tech manufacturers to assess their cyber defenses and eliminate the chances of such a tragedy.
“IT security always focuses on computer-server security, but having an impact on the health and safety of personnel makes that attack path pretty unique,” he said.