Radio frequency (RF) tools in widespread use to control cranes and other industrial equipment are easier to hack than an average garage door, putting industry at risk of production sabotage, system control, and unauthorised access.

That’s according to new research by cybersecurity enterprise Trend Micro, which shows that industrial heavy machinery can be disrupted and even taken over by exploiting the weak security of the RF transmitters and receivers that control it.

RF Controllers: Command Spoofing is Easy

Typical industrial RF controllers are highly susceptible to command spoofing: attackers can capture radio traffic, selectively modify packets, and automatically craft arbitrary commands, the Japanese company’s researchers said.

“An attacker can just be within the range of a construction site, pretend to be a bystander, hide a battery-powered, coin-sized device (with an inexpensive radio transceiver at that), and use it remotely to craft arbitrary packets to control an industrial machine or persistently simulate a malfunction.”

All seven of the industrial radio remote controls that Trend Micro tested were vulnerable to replay attacks, indicating that no rolling-code mechanism was in place.

Image: RF remotes (source: Trend Micro)

The company’s researchers were able to control tower cranes, industrial cranes, and mobile hoists in real production settings, conducting attacks from inside a car parked 300 metres from a site.

Industrial equipment like that exploited in the research often stays in service for upwards of 15 years, so patching is rarely considered on most sites. (Industrial security specialists may, arguably, think there are greater risks than a crane being hijacked to cause damage, when operational technology is already so vulnerable.)

Hacking Industrial Radio Frequencies With RFQuack

Using a custom device called RFQuack, which is not overly difficult to construct, the research team was able to deploy it on a site, capture packets and reverse-engineer the protocol used by the remotes in use. This gave them full control over machinery on the site.

By recording the RF packets transmitted on site, the research team was able to inject their own commands, which the receiver read as authentic and acted on. This could even be done from a safer distance by drone, Trend Micro said.


Image: RFQuack (source: Trend Micro)

Trend Micro said: “We implemented our attack in a lightweight portable device (RFQuack) that can be dropped on the target site or mounted on a drone. The device is programmed to look for known packets and modify them into any arbitrary command (e.g., the operator wants to move the crane down, but the attack device will automatically make it move up instead).”

One attack method by which a threat actor could easily disrupt construction sites and hold them to ransom is replaying the E-Stop command. Safety and legal regulations mean that nearly all remotes have an emergency stop function which, when activated, cuts power and functionality in the target machine.

None of the vendors Trend Micro investigated used encoding or special transmission protocols to send E-Stop packets, so a threat actor simply has to capture that signal and replay it to shut down equipment. Working in an organised manner, attackers could shut down all equipment on a site and hold the company to ransom.

Trend Micro’s investigation shows disparities between the industrial and commercial worlds when it comes to RF remotes. In commercial products it is common practice to use standard protocols and build encryption into the hardware. However, this is not evident in the RF remotes used with industrial heavy machinery.

Adopting a rolling-code mechanism, of the kind widely used in drones, cars and garage doors, is the quickest step companies can take to make it harder for threat actors to copy or manipulate RF signals.
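To make concrete why the replayed E-Stop and the rewritten "down becomes up" packet described above succeed against a fixed-code remote, and why a rolling code stops both, here is an added illustrative model. It is not Trend Micro's RFQuack code and not any vendor's protocol: the packet layout, the 16-bit address, the command byte values, the per-pairing key and the counter-plus-HMAC rolling-code construction are all assumptions made for this example.

```python
# Illustrative model of the article's point, not any vendor's protocol or
# Trend Micro's RFQuack code: packet layout, address, command bytes and the
# counter-plus-HMAC rolling code below are assumptions made for this example.
import hashlib
import hmac
import struct

CMD_UP, CMD_DOWN, CMD_ESTOP = 0x01, 0x02, 0xFF   # constructed command bytes
FIXED_FMT = ">HB"      # address, command
ROLLING_FMT = ">HBI"   # address, command, 32-bit counter, then an 8-byte tag
TAG_LEN = 8            # both formats keep the command byte at offset 2


def fixed_code_packet(address, cmd):
    """A fixed-code remote sends exactly the same bytes on every press."""
    return struct.pack(FIXED_FMT, address, cmd)


class FixedCodeReceiver:
    """Acts on any well-formed packet carrying its address; no freshness check."""
    def __init__(self, address):
        self.address = address
        self.executed = []          # commands the machine acted on

    def receive(self, packet):
        addr, cmd = struct.unpack(FIXED_FMT, packet)
        if addr != self.address:
            return False
        self.executed.append(cmd)
        return True


class RollingCodeTransmitter:
    """Remote that increments a counter per press and MACs the whole body."""
    def __init__(self, address, key):
        self.address, self.key, self.counter = address, key, 0

    def send(self, cmd):
        self.counter += 1
        body = struct.pack(ROLLING_FMT, self.address, cmd, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class RollingCodeReceiver:
    """Acts only on packets whose counter is fresh and whose MAC verifies."""
    def __init__(self, address, key, window=16):
        self.address, self.key, self.window = address, key, window
        self.last_counter = 0       # highest counter accepted so far
        self.executed = []

    def receive(self, packet):
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        addr, cmd, counter = struct.unpack(ROLLING_FMT, body)
        if addr != self.address:
            return False
        # Freshness: a replayed (or stale) counter is rejected; the window
        # tolerates presses made while out of range of the receiver.
        if not self.last_counter < counter <= self.last_counter + self.window:
            return False
        # Integrity: any change to the command byte invalidates the tag.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        self.last_counter = counter
        self.executed.append(cmd)
        return True


def rewrite_command(packet, new_cmd):
    """Attacker tamper as the article describes: keep the captured packet,
    swap only the command byte (operator's DOWN becomes UP)."""
    return packet[:2] + bytes([new_cmd]) + packet[3:]


def demo():
    address, key = 0x0C12, bytes(range(16))   # constructed address and key
    r = {}
    # Fixed code: capture one E-Stop, replay it at will; rewrite DOWN to UP.
    fixed_rx = FixedCodeReceiver(address)
    captured = fixed_code_packet(address, CMD_ESTOP)
    r["fixed_replay"] = [fixed_rx.receive(captured) for _ in range(3)]
    r["fixed_modified"] = fixed_rx.receive(
        rewrite_command(fixed_code_packet(address, CMD_DOWN), CMD_UP))
    r["fixed_executed"] = list(fixed_rx.executed)
    # Rolling code: first copy accepted, replay and rewritten packet refused,
    # but the operator's genuine next press (counter 3) still goes through.
    tx = RollingCodeTransmitter(address, key)
    rolling_rx = RollingCodeReceiver(address, key)
    estop = tx.send(CMD_ESTOP)
    r["rolling_first"] = rolling_rx.receive(estop)
    r["rolling_replay"] = rolling_rx.receive(estop)
    r["rolling_modified"] = rolling_rx.receive(
        rewrite_command(tx.send(CMD_DOWN), CMD_UP))
    r["rolling_next"] = rolling_rx.receive(tx.send(CMD_DOWN))
    r["rolling_executed"] = list(rolling_rx.executed)
    return r
```

Calling demo() shows the fixed-code receiver executing the replayed E-Stop three times and then the rewritten UP, while the rolling-code receiver accepts the first E-Stop, refuses the replay and the tampered packet, and still accepts the operator's genuine next press. Two caveats a practitioner should keep in mind: the freshness window must stay bounded (an unbounded one reopens replay), and a rolling code does not address an attacker who jams the link or extracts the pairing key from the hardware, so it is the quickest fix, not a complete one.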
