More things can connect to the internet than ever. It seems like anything and everything that can fit a display and a Wi-Fi module is doing just that to offer enhanced features and continuous updates. Security vulnerabilities make these devices easily hackable, though. Rexroth, a Bosch subsidiary, is dealing with this problem right now with its torque wrenches, which it's priming to update with a software patch after researchers found that hackers could take control of the tools.
Nozomi Networks discovered numerous vulnerabilities with the Bosch Rexroth NXA015S-36V-B nutrunner, a tool popular with automaker assembly lines and certified to perform safety-critical tasks, and other Nexo torque wrenches. According to Nozomi’s research, malicious actors could perform a host of nefarious actions on the pneumatic torque wrenches that could disable the device, display incorrect torque information, install ransomware, and more.
In the lab, researchers could turn off the wrench’s trigger, lock the device, and display a unique message. Hackers could have used the exploits to hold the device at ransom until the victim pays. Bad actors have targeted hospitals, government agencies, and other businesses with ransomware attacks by shutting down critical systems and demanding money.
Nozomi was also able to manipulate the device to display incorrect torque figures. Researchers discovered they could decrease and increase the target torque value while displaying the correct number to the operator, who would have been unaware of the issue. You can imagine the chaos such a hack like this could cause with hundreds or thousands of vehicles made out of spec unbeknownst to the automaker.
Researchers found that some vulnerabilities required authorized access to perform, but others were zero-click attacks. Hackers could also upload, download, delete, and read files, inject arbitrary code, perform Denial-of-Service attacks, upload malicious code to the SD card and access sensitive data.
Bosch and Rexroth have already issued advisories about the exploits. The company plans to have the necessary updates for the affected wrenches by the end of the month.