Vulnerabilities found in Bosch Rexroth nutrunners used in the automotive industry could be exploited by hackers seeking direct financial gain or threat actors looking to cause disruption or reputational damage to the targeted organization, according to OT cybersecurity firm Nozomi Networks.
Nozomi researchers found security holes in Bosch Rexroth’s NXA015S-36V-B product, a cordless, handheld pneumatic torque wrench (also known as a nutrunner) designed for safety-critical tightening operations.
The machine has a built-in display providing real-time data to the operator and it can also connect to a wireless network through an embedded Wi-Fi module, enabling it to transmit data to a historian server and allowing users to remotely reprogram it.
Nozomi researchers discovered over two dozen vulnerabilities, a majority in the management application of the NEXO-OS operating system, and some related to the communication protocols designed for integration with SCADA, PLC and other systems.
Exploiting the vulnerabilities could allow unauthenticated attackers to take complete control of a nutrunner. Lab tests conducted by the cybersecurity firm demonstrated how an attacker could launch a ransomware attack that involves making the device inoperable and displaying a ransom message on its built-in screen. To make matters worse, such an attack can be automated to hack all of a company’s nutrunners, causing significant disruption in the production line.
In another attack scenario simulated by the company in its lab, the attacker changes tightening program configurations, specifically the torque value. This can cause the bolt to loosen, which can result in safety risks, or the manufacturing of a defective product, which can result in financial or reputational damage.
“In critical applications, the final torque levels applied to mechanical fastenings are calculated and engineered to ensure that the overall design and operational performance of the device is met,” Nozomi explained. “As an example, bolts, nuts and fixtures used in electrical switchboards must be torqued appropriately to ensure that connections between current carrying components, such as high voltage busbars, maintain a low resistance. A loose connection would result in higher operating temperatures and could, over time, cause a fire.”
On the other hand, an overtightened connection places excess stress on the bolt and nut, which can cause a mechanical failure, potentially resulting in excessive warranty claims and reputational damage to the business, Nozomi explained.
“Depending on a manufacturer’s use and business configuration, devices such as the nutrunner may form a critical part of the quality management and assurance program in an enterprise, possibly even the last line of quality assurance. Compromise of the integrity in this final link in the quality chain may be difficult to detect, and have far reaching financial consequences resulting from compromised production quality over time,” the company added.
A total of 25 CVE identifiers have been assigned to the flaws, including 11 that have a ‘high severity’ rating.
An unauthenticated attacker who is able to send network packets to the targeted device can achieve remote code execution with root privileges, completely compromising the system. While the exploitation of some flaws requires authentication, this requirement can be met by chaining them with other vulnerabilities, such as hardcoded credentials.
While the vulnerabilities were found in the NXA015S-36V-B product, other Rexroth Nexo nutrunners are impacted as well, including several NXA, NXP and NXV series devices.
Bosch Rexroth has been informed about the vulnerabilities and Nozomi said the company plans on patching the flaws by the end of January 2024. The vendor has released its own security advisory.
“Security is a top priority at Bosch Rexroth. Our experts continuously monitor any threats and take immediate countermeasures, if necessary, for example through updates offered by the manufacturers. With this approach, we can guarantee a high standard of security at Bosch Rexroth,” Bosch Rexroth told SecurityWeek in an emailed statement.
It added, “Nozomi Networks informed us some weeks ago that they have found that there is a vulnerability associated with the Bosch Rexroth NXA015S-36V-B, a smart nutrunner/pneumatic torque wrench. Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem. This patch will be released at the end of January 2024.”
The cybersecurity firm has not made public any technical information in an effort to prevent malicious exploitation.