How to keep smart construction machines safe from hackers
By Lucy Barnard, 23 August 2022
Cyber security experts are warning that construction machines could be used by criminals to attack users or members of the public.
Tech researchers from Europe, the US and the UK are warning that machines such as cranes, excavators and bulldozers are vulnerable to attacks by cyber gangs, terrorists or even rogue governments.
They warn that hackers could take advantage of weak security to break into the controls of fleets of construction vehicles, either to stop them from working until a ransom is paid or to cause damage to people and property.
“I promise you that in the not-too-distant future, there will be a ransomware attack on cranes or some other smart construction machine,” says Jan Wendenburg, chief executive of German IT security specialist OneKey.
“They will say ok, we have stopped all the machinery you have out there on your customers’ side and frozen it with ransomware. Pay us US$1bn otherwise you are out of business – or something like that. That will happen sooner than later.”
IoT-enabled construction machinery
Most of the latest models of the bulldozers, excavators and telehandlers coming off production lines are intelligent devices producing reams of data for users and connected to the internet through the Internet of Things (IoT).
These include sensors monitoring fuel consumption, carbon emissions or driver behaviour.
Wendenburg and his colleagues worry that hackers can use technology to scan hundreds of thousands of IoT-enabled machines for weak security.
“Construction equipment such as cranes have been used for decades. Now this product that you have been using for the past 30 years has been transformed into a computer,” Wendenburg says. “There are new attack vectors which you as a crane user have never thought of.”
“If you can overtake a machine, regardless of if it is a car, it is a crane or a robot on the shop floor, and if you are evil, you can hurt people,” Wendenburg adds. “Basically, I do expect that this will happen sooner rather than later. In my opinion, it is not a question of if but when. The only reason that there have been no serious hacks on cranes or other industrial equipment so far is not because it is difficult but because there are so many other computers out there that can be hacked more easily.”
James Griffiths, co-founder of UK-based Cyber Security Associates agrees. “There is a real possibility of IoT-enabled construction equipment being compromised by someone with malicious intent,” he says. “With more and more IoT-enabled devices being used on construction projects this threat is only going to grow.
The majority of IoT-enabled devices use standard IT communication methods and protocols which already offer a large attack surface for hackers. Mixed with very old proprietary protocols that are rarely updated this offers an easy route to compromise devices.”
Can IoT-enabled construction equipment be hacked?
“Just like cyber criminals could use these attacks for monetary gain, so could terrorist organisations,” Griffiths says. “They could take over a high rise crane in a major city and crash it into a building with people in it causing a mass casualty situation. With critical national infrastructure there are specific safeguards in place to limit the risk of this happening but that does not mean that it would not be possible if someone had enough time and resources to plan the attack.”
For Peter Elkjær, VP of software at telematics specialist Trackunit which connects more than 1.2 million machines, the possibilities are worrying. “One of the reasons why we are still looking at ways to remotely control construction machinery is concern over how we ensure the safety of the personnel on that job site if there were to be a hack,” he says.
“We regularly conduct threat modelling where we try to play the scenarios of what a hacker will do. The fact is a thief or hacker probably wants to steal a unit either to sell it on or to drive around in it.”
Certainly manufacturers already have the ability to remotely disable machinery.
Such remote shutdown features are used extensively in the auto industry, and US-based construction and farm machinery OEM John Deere has become one of the most high-profile manufacturers to incorporate a “kill switch” in its machines, which means they can be shut down from many miles away.
In May, CNN reported that a John Deere dealership in Melitopol was able to track 27 pieces of farming machinery which had been stolen by Russian troops using GPS technology and remotely lock it after some of it was taken to Chechnya.
However, security experts point out that the technology could also be exploited in peacetime situations.
Over the past decade, John Deere has introduced a number of hi-tech locking systems designed to deter thieves and avoid botched repairs.
Wendenburg says that malicious actors could exploit the same technology that Deere and other manufacturers use to update and monitor construction and farm equipment by hacking into many machines at once and disabling them.
“Just imagine a crane operator locked out of all of his machines,” Wendenburg says. “He would lose his control of his whole crane portfolio. He has to pay all of the leases; he has no income and typically he would be bankrupt in a few weeks.”
Moreover, he warns that hostile foreign governments could also exploit the same technology for their own political ends, causing huge financial or physical damage and fighting a cyber war which takes out enemy infrastructure on multiple levels.
“Basically, I’m sad to say it, but there is nothing to stop someone else doing exactly the same thing,” he says. “Just as John Deere did it to the Russians, [governments] could do it to the world. In theory a hostile government could turn off all the cranes.”
Elkjær agrees. “Hypothetically, in the future, if a telematics company was located in a country which became unfriendly, I could see a scenario where it could turn off deeply-integrated remote-controlled devices,” he says. “The geopolitical situation is definitely giving some new concerns around your vendor selection process.”
Hacking the location of a machine
And it’s not just the ability to remotely disable IoT-connected machines which is being weaponised in the war in Ukraine. Reports that Russian forces have been using hacked location data from Ukrainian soldiers’ mobile phones in order to pinpoint attacks have raised concerns that the telematics data from construction machinery could be used in a similar manner.
Privately some service providers say that they have disabled the location functions of construction equipment in the area to ensure that it is not used to tip off enemy forces as to where fortifications are being built.
Already, so-called “white hats,” hackers working for security firms to test the vulnerabilities of software currently in use, have discovered a number of flaws in the software used to run intelligent vehicles which leaves them open to attack.
Back in 2014, security duo Charlie Miller and Chris Valasek reported that they had hacked into the Wi-Fi system of a Jeep Cherokee first taking over control of the music player and the car’s GPS and then gaining control of the entire car.
The move prompted the manufacturer Fiat Chrysler to recall 1.4 million vehicles in the US and issue a security update to fix the flaw.
In January 2022, 19-year-old researcher David Colombo tweeted that he had been able to exploit security bugs in the TeslaMate logging tool to remotely hack into 25 Tesla cars in 13 different countries without the owners’ knowledge, unlocking their doors and windows and starting keyless driving.
“Tesla is a very good example because it has digitised a lot of things in its cars already. It is more or less the leader in that space, so this is enlarging the surface of attack in comparison to other cars where they have not so much software,” Wendenburg says.
Moreover, experts point out that even relatively low-tech devices which have been in operation for decades can be vulnerable to hacking.
In 2019 Japanese security firm Trend Micro published a research paper demonstrating how it had been able to move full-size construction cranes by remotely taking control of radio frequency (RF) remote controllers.
The researchers said that they were able to capture radio traffic and record RF packets which they could then replay to take control of the machine. This included replaying emergency stop commands indefinitely to produce a persistent denial-of-service condition. The researchers were also able to selectively modify the packets and craft new commands to completely control a machine.
Full-size construction cranes’ remote controls hacked
Trend Micro identified three basic failings in commonly used RF controllers – no rolling code, weak or no cryptography, and a lack of software protection.
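As an added illustration of the first two failings above, not code from the article or from Trend Micro’s research, the Python sketch below shows the receiver-side check that a hardened RF controller would perform: every command carries a monotonically increasing counter (a simple rolling code) and an authentication tag, so a captured packet that is replayed, or one whose command byte has been altered, is dropped before it reaches the machine. The packet layout, the shared key and the command codes are constructed assumptions, not any vendor’s format.

```python
import hmac
import hashlib
import struct

# Constructed demo: receiver-side validation for an RF remote-control channel.
# Assumed packet layout (not any vendor's format):
#   counter: 4 bytes big-endian | command: 1 byte | tag: 16 bytes (truncated HMAC-SHA256)
KEY = b"constructed-demo-key-not-for-real-use"  # placeholder shared secret
CMD_MOVE = 0x01
CMD_ESTOP = 0xFF
BODY_LEN = 5
TAG_LEN = 16


def build_packet(key: bytes, counter: int, command: int) -> bytes:
    """Transmitter side: pack counter and command, then append an authentication tag."""
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Accepts only authentic packets whose counter is newer than the last accepted one."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, packet: bytes):
        """Return (accepted, reason, command). Rejected packets never reach the machine."""
        if len(packet) != BODY_LEN + TAG_LEN:
            return False, "bad length", None
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: a forged or modified packet fails here.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag", None
        counter, command = struct.unpack(">IB", body)
        # Rolling code: a replayed capture reuses an old counter and is dropped.
        if counter <= self.last_counter:
            return False, "replay", None
        self.last_counter = counter
        return True, "ok", command


def demo():
    rx = Receiver(KEY)
    fresh = build_packet(KEY, 41, CMD_ESTOP)
    first = rx.accept(fresh)                              # genuine e-stop: accepted
    replayed = rx.accept(fresh)                           # same bytes again: rejected as replay
    tampered = bytearray(fresh); tampered[4] = CMD_MOVE   # command byte changed, tag unchanged
    forged = rx.accept(bytes(tampered))                   # tag mismatch: rejected
    return first, replayed, forged
```

A production scheme would also tolerate lost packets with a small acceptance window and rotate keys per controller; the strictly increasing counter here is the minimal form of the idea.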
“This research demonstrates a concerning reality for owners and operators of heavy industrial machinery where RF controllers are widely found,” said Bill Malik, VP of infrastructure strategies for Trend Micro. “By testing the vulnerabilities our researchers discovered, we confirmed the ability to move full-sized industrial equipment deployed at construction sites, factories, and transportation businesses.
“This is a classic example of both the new security risks that are emerging, as well as how old attacks are being revitalized, to attack the convergence of OT and IT.”
And as the number of cyber-attacks increases and more and more OEMs manufacture IoT-enabled smart machines, Wendenburg says the possibility of attacks is growing.
Certainly, governments around the world have reported a rise in cybercrime since the pandemic. Between 2016 and 2020, in the USA, the FBI received an average of around 480,000 cybercrime complaints reflecting losses of roughly US$2.95bn a year. Yet in 2021, the bureau reported nearly 850,000 cybercrime complaints and losses of more than US$6.9bn.
“If there is a computer built in then you can hack it. I cannot emphasise this enough,” Wendenburg says. “And the more connections you have, the higher the probability you will be attacked - it is just a mathematic play. The security industry talks about attack surfaces.
“This means the more computers you have, or the more variants of communication you have - cable, Wi-Fi, internet connections, Bluetooth - the more connections you have, the higher the probability of attack, regardless of whether the connection is secure or not.”
What can OEMs do to avoid being hacked?
Wendenburg says it is the responsibility of the OEMs to ensure that the software that they are including in their machines is secure.
This includes making sure that communications are encrypted, that it is authenticated so that they can be sure which machine they are communicating with and that new software versions are scanned for security before they are sent out.
“These companies are the masters of the universe in terms of building construction vehicles, but they are typically not the masters of the universe in terms of digital security,” he says.
“Even the large car makers have serious difficulties in transforming their hardware-oriented design into software-oriented design. The focus is getting it done not getting it done securely.”
For owners and users, Wendenburg says, the most important thing is to be aware of the issue and to put in place a digital maintenance system to continuously screen for bugs.
“As a user you need to care not only that your tyres are in great shape but that you should also have the same level of digital maintenance you are applying to the mechanical side,” he says.
“You should install a 24-hour scanning system which can be compared with the anti-virus software you have on your computer. No-one would put a Windows computer into a corporate network without antivirus software. But this is what everyone is doing on the IoT space. They are just taking computers and putting them into networks.”
The need for digital maintenance
Wendenburg adds, “These days auditors are typically asking what security measures you are taking for your computer equipment in the office. And most firms say yes, we have a certified infrastructure, we have antivirus software, we have fire walls. But what if your computers are not only in the office any more?
If you have a computer infrastructure that includes all your machinery that is out there, then you have to tell the auditors that you have also taken security measures on your distributed external computer infrastructure, which is the cranes and the bulldozers and so on.”
Trackunit’s Elkjær says the most important thing is to ensure that systems are regularly updated. “In security, speed is of the most importance because there will be a vulnerability and whether or not it is exploited depends on your speed. If you are running on a platform that is constantly kept updated you are lowering the risk of being hacked.”
Elkjær says that Trackunit sends out updates to connected machines around ten times a day, scans all the servers operating its platform four times a day, releases major firmware updates four times a year and conducts penetration tests in collaboration with firms of white-hat hackers at least yearly.
“The only way you can reduce the risk of being hacked is by keeping up and being on the forefront of updating your platforms. We see security as a differentiator,” Elkjær says. “All of these systems are really expensive and it is hard for small players to keep up.”
Wendenburg adds that buyers must also take into consideration the long-term ability of a manufacturer to continue to provide software services to their machines before going ahead with a purchase.
“If you are buying something from a third party and this device only works if that party still exists and is willing to allow you to use the device then you have to trust them,” he says.
“You have to make your own decisions on your risk whether you can trust these guys for the next 20 years which is the foreseeable usage period of the machine. You have to ask the question, what is the fallback if you are not able to provide services anymore?
“If the manufacturer is going bankrupt, if the manufacturer is not reachable, if the manufacturer’s government is telling the manufacturer that they have to cut the cord, then you have to ask can I still use it in a disconnected state?”
If you are running a crane which was constructed in the 1960s you could still run it today. But if you are using a crane manufactured today and the company is going out of business, they will not provide you with any software updates to that crane and these software updates are often mandatory or essential to run a system in a connected environment.
Then you have to check, can you operate this machine in a disconnected state? If you disconnect everything then you have only one attack vector - that someone comes to your crane, puts a USB stick in there and puts some bad software on it which is not very likely.
At the end of the day, Wendenburg says, hackers will always be using increasingly sophisticated methods to attempt to break through defences.
“If you are installing fire walls and encryption and all of these things, you are just raising the bar for the hackers,” he says. “Just imagine you are a company which owns a hundred cranes. And your competitors also have a hundred cranes.
“If you are taking care of security and you have raised the bar and the others have not, then who is likely to be hacked? You have to be just a little bit better than your competition. Then the hackers typically go to somewhere else. If the hackers say oh the cranes are too complicated to be hacked, then I’m going for some other machinery. At the end of the day, you are just reducing the risk of being hacked.”