Nozomi Networks researchers have identified 23 vulnerabilities in the popular Bosch Rexroth Handheld Nutrunner NXA015S-36V-B. These high-precision tools are used in factories and plants around the world to tighten fasteners in production and in the maintenance of various equipment.
According to experts, the vulnerabilities allow remote access to the devices and run arbitrary code on them. Researchers considered two possible variants of the attack.
In the first case, a ransomware programme is installed on all the wrenches in the workshop, blocking the tool control and displaying a demand to pay a ransom. Such an attack could stop the production cycle, leading to multi-million dollar losses in large companies.
In the second case, the tightening settings are changed while the device continues to display normal readings on the screen. Thus, the tightening torques will not meet the normative ones, which can lead to massive product failures and even accidents.
Many of the vulnerabilities discovered can be exploited for unauthenticated attacks directly from the enterprise network. Others allow attackers who already have limited access to tool management systems to escalate their privileges to launch full-fledged attacks from outside the network.
Bosch Rexroth has already issued advisories about the vulnerabilities. The company plans to release the necessary updates for affected keys by the end of the month.
Source: The Record
