Bosch Nutrunner Vulnerabilities Could Aid Hacker Attacks Against Automotive Production Lines

Vulnerabilities found in Bosch Rexroth nutrunners used in the automotive industry could be exploited by hackers seeking direct financial gain or threat actors looking to cause disruption or reputational damage to the targeted organization, according to OT cybersecurity firm Nozomi Networks.
Nozomi researchers found security holes in Bosch Rexroth's NXA015S-36V-B product, a cordless, handheld pneumatic torque wrench designed for safety-critical tightening operations.
The machine has a built-in display providing real-time data to the operator and it can also connect to a wireless network through an embedded Wi-Fi module, enabling it to transmit data to a historian server and allowing users to remotely reprogram it.
Nozomi researchers discovered over two dozen vulnerabilities, a majority in the management application of the NEXO-OS operating system, and some related to the communication protocols designed for integration with SCADA, PLC and other systems.
Exploiting the vulnerabilities could allow unauthenticated attackers to take complete control of a nutrunner.
Lab tests conducted by the cybersecurity firm demonstrated how an attacker could launch a ransomware attack that involves making the device inoperable and displaying a ransom message on its built-in screen.
To make matters worse, such an attack can be automated to hack all of a company's nutrunners, causing significant disruption in the production line.
In another attack scenario simulated by the company in its lab, the attacker changes tightening program configurations, specifically the torque value.
This can cause the bolt to loosen, which can result in safety risks, or the manufacturing of a defective product, which can result in financial or reputational damage.
On the other hand, an overtightened connection places excess stress on the bolt and nut, which can cause a mechanical failure,potentially resulting in excessive warranty claims and reputational damage to the business, Nozomi explained.
A total of 25 CVE identifiers have been assigned to the flaws, including 11 that have a 'high severity' rating.
An unauthenticated attacker who is able to send network packets to the targeted device can achieve remote code execution with root privileges, completely compromising the system.
While the exploitation of some flaws requires authentication, this requirement can be achieved by chaining them with other vulnerabilities, such as hardcoded credentials.
While the vulnerabilities were found in the NXA015S-36V-B product, other Rexroth Nexo nutrunners are impacted as well, including several NXA, NXP and NXV series devices.
Bosch Rexroth has been informed about the vulnerabilities and Nozomi said the company plans on patching the flaws by the end of January 2024.
The cybersecurity firm has not made public any technical information in an effort to prevent malicious exploitation.


This Cyber News was published on www.securityweek.com. Publication date: Tue, 09 Jan 2024 14:13:31 +0000


Cyber News related to Bosch Nutrunner Vulnerabilities Could Aid Hacker Attacks Against Automotive Production Lines

Bosch Nutrunner Vulnerabilities Could Aid Hacker Attacks Against Automotive Production Lines - Vulnerabilities found in Bosch Rexroth nutrunners used in the automotive industry could be exploited by hackers seeking direct financial gain or threat actors looking to cause disruption or reputational damage to the targeted organization, according ...
10 months ago Securityweek.com
Attackers could use vulnerabilities in Bosch Rexroth nutrunners to disrupt automotive production - Covertly tampering with tightening programs also carries potential health and safety risks: As the recent in-flight emergency involving a Boeing 737 Max 9 plane operated by Alaska Airlines has shown, inadequately tightened bolts can lead to extremely ...
10 months ago Helpnetsecurity.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
FTC bans Rite Aid from using facial recognition surveillance for five years - Pharmacy chain Rite Aid is getting a timeout from AI facial recognition surveillance tech thanks to federal regulators. The U.S. Federal Trade Commission today announced a settlement with Rite Aid stating the chain recklessly deployed AI biometric ...
11 months ago Venturebeat.com
Hackers can infect network-connected wrenches to install ransomware - Researchers have unearthed nearly two dozen vulnerabilities that could allow hackers to sabotage or disable a popular line of network-connected wrenches that factories around the world use to assemble sensitive instruments and devices. The ...
10 months ago Packetstormsecurity.com
FTC's Rite Aid Ruling Rightly Renews Scrutiny of Face Recognition - The Federal Trade Commission on Tuesday announced action against the pharmacy chain Rite Aid for its use of face recognition technology in hundreds of stores. The regulator found that Rite Aid deployed a massive, error-riddled surveillance program, ...
11 months ago Eff.org
Top Cyber Threats Automotive Dealerships Should Look Out For - Automotive dealerships are attractive targets for hackers. A combination of storing lots of sensitive customer data, handling large financial transactions, increased dependence on digital technologies and a perception of immature cybersecurity all ...
9 months ago Securityboulevard.com
VicOne Partners With 42Crunch to Deliver Comprehensive Security Across SDV and Connected-Vehicle Ecosystem - PRESS RELEASE. DALLAS and TOKYO, May 29, 2024- VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch to enhance the security of application programming interfaces for the software-defined vehicle and ...
6 months ago Darkreading.com
OT Cybersecurity for Automotive Industry - OT systems are ubiquitous across all critical infrastructure industries, such as Oil and Gas, Automotive, Energy, Water Utilities, and Transportation. OT infrastructure is very vital to any nation's security to ensure the delivery of essential ...
11 months ago Feeds.dzone.com
Network connected wrenches are now vulnerable to Ransomware attacks - Network-connected wrenches used globally are now at risk of exposure to ransomware hackers, who can manipulate their functionalities and gain unauthorized access to the connected networks, according to experts. Research conducted by Nozomi reveals ...
10 months ago Cybersecurity-insiders.com
Automotive Industry Under Ransomware Attacks: Proactive Measures - Ransomware has become a highly profitable industry, with major players like Conti Ransomware and Evil Corp leading the way. Although these entities are not publicly traded and do not report earnings to regulatory bodies like the SEC, it is estimated ...
10 months ago Cysecurity.news
Pwn2Own Automotive: $1.3M for 49 zero-days, Tesla hacked twice - The first edition of Pwn2Own Automotive has ended with competitors earning $1,323,750 for hacking Tesla twice and demoing 49 zero-day bugs in multiple electric car systems between January 24 and January 26. Throughout the contest organized by Trend ...
10 months ago Bleepingcomputer.com
Hacker Conversations: Chris Evans, Hacker and CISO - Chris Evans is CISO and chief hacking officer at HackerOne. SecurityWeek's Hacker Conversations series seeks to understand the mind and motivations of hackers by talking to hackers. Evans challenges the common perception of both hackers and their ...
5 months ago Securityweek.com
Hacking Protected Java-Based Programs - This article provides examples of hacking techniques that can help Java developers avoid vulnerabilities in their programs. It is not intended to train hackers but rather for naive developers who think that standard obfuscators will save them from ...
11 months ago Feeds.dzone.com
Here's Why the World is Investing So Much in Semiconductors - Hannah Mullane, a BBC correspondent, recently visited Pragmatic Semiconductor, the UK's newest computer chip facility in Durham. The large site is being turned into a sophisticated computer chip production hub. Pragmatic Semiconductor has already ...
10 months ago Cysecurity.news
Vulnerability Puts Bosch Smart Thermostats at Risk of Compromise - A vulnerability has been discovered in a popular Bosch smart thermostat, allowing potential attackers to send commands to the device and replace its firmware, according to Bitdefender. The vulnerability impacts the Wi-Fi microcontroller that acts as ...
10 months ago Infosecurity-magazine.com
Achieving Automated TISAX Compliance - In its 2024 Automotive Cybersecurity Report, Upstream found that 50% of all automotive cyber incidents in 2023 had a high or massive impact. International institutions are taking steps to help automotive organizations defend themselves against black ...
6 months ago Tripwire.com
Hacker 'ShinyHunters' Pleads Not Guilty in Cybercrime Case - A hacker known as 'ShinyHunters' has pleaded not guilty in a case of cybercrime. The hacker is accused of taking part in illegal activities to steal data from victims, including passwords, credit card information, and other personal details. The ...
1 year ago Blog.cloudflare.com
Integrating cybersecurity into vehicle design and manufacturing - In this Help Net Security interview, Yaron Edan, CISO at REE Automotive, discusses the cybersecurity landscape of the automotive industry, mainly focusing on electric and connected vehicles. Edan highlights the challenges of technological ...
9 months ago Helpnetsecurity.com
Qilin ransomware claims attack on automotive giant Yanfeng - The Qilin ransomware group has claimed responsibility for a cyber attack on Yanfeng Automotive Interiors, one of the world's largest automotive parts suppliers. Yanfeng is a Chinese automotive parts developer and manufacturer focused on interior ...
1 year ago Bleepingcomputer.com
49 unique zero-days Uncovered in Pwn2Own Automotive - On the final day of Pwn2Own Automotive 2024 - Day 3, researchers were granted $1,323,750 in rewards for identifying 49 distinct zero-days. Particularly, the infotainment system and modem of Tesla were attacked by the Synacktiv team, and each ...
10 months ago Cybersecuritynews.com
Tesla hackers win big at first Pwn2Own automotive hack fest The Register - Infosec in brief Trend Micro's Zero Day Initiative held its first-ever automotive-focused Pwn2Own event in Tokyo last week, and awarded over $1.3 million to the discoverers of 49 vehicle-related zero day vulnerabilities. Researchers from French ...
10 months ago Go.theregister.com
Hacker Conversations: Stephanie 'Snow' Carruthers, Chief People Hacker at IBM X-Force Red - Social engineering is effectively hacking human thought processes. Social engineering is a major factor in the overall process but is not directly part of repurposing electronic systems. A social engineer is usually classified as a hacker, and is ...
8 months ago Securityweek.com
Cyberattack Disrupts Production at Varta Battery Factories - Germany-based battery manufacturer Varta revealed on February 13 that production at five of its plants had been disrupted as a result of a cyberattack. The attack was detected on February 12 and forced the company to shut down IT systems and ...
9 months ago Securityweek.com
"Do Not Push To Production" And Other Insecure Code, Demonstrated By An Ethical Hacker - Viewers got to see some interesting vulnerabilities and coding practices that made her demo app pretty open to exploits. A friend of mine published a book about it over 25 years ago, called The Happy Hacker. If you're hacking without permission, no ...
11 months ago Securityboulevard.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)