Radio-frequency (RF) remote controllers are widely used in manufacturing, construction, transportation, and many other industrial applications. Cranes, drillers, and miners, among others, are commonly equipped with RF remotes, which have become the weakest link in these safety-critical applications: they are characterized by high replacement costs, long lifespans, and cumbersome patching processes.
Our research reveals that RF remote controllers are distributed globally, and millions of vulnerable units are installed on heavy industrial machinery and in industrial environments. Our extensive in-lab and on-site analysis of 7 popular vendors reveals a lack of security features at different levels, with obscure, proprietary protocols used instead of standard ones. As a result, they are vulnerable to command spoofing: an attacker can selectively alter their behavior by crafting arbitrary commands, with consequences that include sabotage, injury, theft, and extortion.
This is not a replay attack. We will disclose the reverse engineering of the radio protocols and show how to forge valid commands for a target. To make the attack more elegant, we developed RFQuack, a pocket-sized research hardware tool, and show how to persistently and remotely take control or simulate the malfunction of the attached machinery, and provide concrete examples of attacks like command injection, emergency-stop abuse, and malicious re-pairing. We will also demonstrate how to attack controller programmers, which lack any security measures, opening the remote controllers to remote attack vectors. We will show how to extract, analyze, and alter their firmware to implement persistent and sophisticated attacks. Given the pervasive connectivity promoted by the Industry 4.0 trend, additional attack opportunities may arise.
We have reported our 0-day vulnerabilities to the vendors, who acknowledged our findings and are working on suitable mitigations.