The vulnerabilities, reported Tuesday by researchers from security firm Nozomi, reside in the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B. The cordless device, which wirelessly connects to the local network of organizations that use it, allows engineers to tighten bolts and other mechanical fastenings to precise torque levels that are critical for safety and reliability. When fastenings are too loose, they risk causing the device to overheat and start fires. When too tight, threads can fail and result in torques that are too loose. The Nutrunner provides a torque-level indicator display that’s backed by a certification from the Association of German Engineers and adopted by the automotive industry in 1999. The NEXO-OS, the firmware running on devices, can be controlled using a browser-based management interface.
Nozomi researchers said the device is riddled with 23 vulnerabilities that, in certain cases, can be exploited to install malware. The malware could then be used to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place.
9 of these are improper neutralization of inputs, of which 4 are SQL injections. The post says the vulnerabilities could be used to ransom-lock the devices or secretly adjust the torque levels the wrench applies while the display reports a false number.
Seems like using a cable for firmware updates which should be rare as hen’s teeth would be a smarter approach.
These tools need other maintenance/inspections anyway, you just do it then. Really, firmware shouldn’t have such a major flaw that an update is that crucial.
Indeed. When a tool has one job, if it needs a firmware update because it failed to do it’s one job, just give me my money back and I’ll buy a new one.
The tools are connected to a central database that logs all operations, it’s super useful. All the difference between Boeing that uses old style pneumatic guns and manual torque wrenches vs. Airbus using fully connected/automated wrenches that not only tighten bolts to the right torque every single time but also keeps track of how many bolts have been tightened. Such tools should be airgapped from the internet but obviously someone messed up on that part. Could be cost-cutting.
9 of these are improper neutralization of inputs, of which 4 are SQL injections. The post says the vulnerabilities could be used to ransom-lock the devices or secretly adjust the torque levels the wrench applies while the display reports a false number.
Lol
It’s like a NetRunner. Butt for nuts.
“IN A WORLD…
WHERE SEMI-WOODEN ARBOREAL FRUITS HAVE FAST-ASS LEGS.
AND WRENCHES CAN GET HACKIFIED.
ONLY ONE MACHINE CAN SAVE US ALL.
BOSCH TICKLEFINGER IS:
THE NUTRUNNER.
APPEARING AT A CINEMA NEAR YOU.
PARENTAL ADVICE RECOMMENDED “
Lmao I’d watch that movie
So it connects to the network for firmware updates.
What the hell is there to update in the firmware? It either tightens to the indicated torque or it doesn’t.
Seems like using a cable for firmware updates which should be rare as hen’s teeth would be a smarter approach.
These tools need other maintenance/inspections anyway, you just do it then. Really, firmware shouldn’t have such a major flaw that an update is that crucial.
Indeed. When a tool has one job, if it needs a firmware update because it failed to do it’s one job, just give me my money back and I’ll buy a new one.
The tools are connected to a central database that logs all operations, it’s super useful. All the difference between Boeing that uses old style pneumatic guns and manual torque wrenches vs. Airbus using fully connected/automated wrenches that not only tighten bolts to the right torque every single time but also keeps track of how many bolts have been tightened. Such tools should be airgapped from the internet but obviously someone messed up on that part. Could be cost-cutting.
My impression was it connects to log torque levels and receive torque levels