• tygerprints@kbin.social
    8 months ago

    If I ever needed proof that human beings are totally evil, all I need is the horror of ransomware to speak for me. How worthless we are as a race when we infect computer networks and hold them for ransom. About the most foul and perverse thing any human could ever do to another.

  • LWD@lemm.ee
    8 months ago

    I refuse to believe there’s much sensitive data on a wrench, but I am curious… Would it be faster to pay the ransom to get the wrench unlocked, or to reflash it?

    • lud@lemm.ee
      8 months ago

      The fact that they could manipulate the tightness and display output so that it could leave the bolts loose while saying that they aren’t seems like a bigger problem.

      • LWD@lemm.ee
        8 months ago

        Maybe the ransom was designed to be ongoing. I.e. as soon as you factory reset the wrench, it gets hit again with the same message, and you’d have to find some other part of the network that was messing them up.

        • KairuByte@lemmy.dbzer0.com
          8 months ago

          Well, yes. There would be a root infection point outside of the wrenches themselves. The entire network would likely need to be inspected before you’d just reflash and move along like everything was better.

    • Justin@lemmy.jlh.name
      8 months ago

      Right, if your factory is dependent on robotic wrenches for manufacturing, wouldn’t you have that backed up? You probably don’t only have one wrench with the code.

      • DreadPotato@sopuli.xyz
        8 months ago

        You’d be surprised how often critical tools don’t have backups.

        More than once I’ve been to sites where the software needed to service a critical piece of equipment only existed on a single 15+ year old banged up laptop, or a 40+ year old PLC handling a critical part of a production line couldn’t be turned off because there was a risk that it wouldn’t be able to turn back on, and it was EOL’ed over a decade ago but they still hadn’t ported the program to a newer platform.

    • lurch (he/him)@sh.itjust.works
      8 months ago

      It has your location data for the Find My Device app and we both know your wife would love to see where you screwed during lunch break

    • ClopClopMcFuckwad@lemmy.world
      8 months ago

      Why the fuck does someone need a wrench connected to the internet in the first place?

      I went appliance shopping recently and the salesman tried to get me on board with a WiFi connected fridge, his sales pitch was that I’ll get a push notification on my phone when the air or water filter need to be changed, and there’s a camera so if I’m at the store and I can’t remember if I need to buy milk, I can open the camera app and view the inside of my fridge and see my milk level. GTFO, not everything needs to have an app or internet service.

      • gravitas_deficiency@sh.itjust.works
        8 months ago

        If you’re too lazy to read the article:

        For normal consumers, it is absolutely a useless and stupid feature.

        For safety-critical assembly line and maintenance applications, having the torque wrench networked enables a high degree of auditability. A highly pertinent current example would be the 737 MAX9 fuselage plug issues - if this device were incorporated into production and maintenance processes, it could enable manufacturing and maintenance audits down to the precise torque value used for each fastener, which likely could have prevented the issue entirely. Or… considering the timing, maybe they were being used, and the wrenches were compromised.

  • Aatube@kbin.social
    8 months ago

    The vulnerabilities, reported Tuesday by researchers from security firm Nozomi, reside in the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B. The cordless device, which wirelessly connects to the local network of organizations that use it, allows engineers to tighten bolts and other mechanical fastenings to precise torque levels that are critical for safety and reliability. When fastenings are too loose, they risk causing the device to overheat and start fires. When too tight, threads can fail and result in torques that are too loose. The Nutrunner provides a torque-level indicator display that’s backed by a certification from the Association of German Engineers and adopted by the automotive industry in 1999. The NEXO-OS, the firmware running on devices, can be controlled using a browser-based management interface.

    Nozomi researchers said the device is riddled with 23 vulnerabilities that, in certain cases, can be exploited to install malware. The malware could then be used to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place.

    Nine of these are improper neutralization of inputs, of which four are SQL injections. The post says the vulnerabilities could be used to ransom-lock the devices or secretly adjust the torque levels the wrench applies while the display reports a false number.

    • Buttons@programming.dev
      8 months ago

      So it connects to the network for firmware updates.

      What the hell is there to update in the firmware? It either tightens to the indicated torque or it doesn’t.

      • BearOfaTime@lemm.ee
        8 months ago

        Seems like using a cable for firmware updates, which should be rare as hen’s teeth, would be a smarter approach.

        These tools need other maintenance/inspections anyway; you just do it then. Really, firmware shouldn’t have such a major flaw that an update is that crucial.

        • Buttons@programming.dev
          8 months ago

          Indeed. When a tool has one job, if it needs a firmware update because it failed to do its one job, just give me my money back and I’ll buy a new one.

        • sapetoku@sh.itjust.works
          8 months ago

          The tools are connected to a central database that logs all operations; it’s super useful. All the difference between Boeing, which uses old-style pneumatic guns and manual torque wrenches, vs. Airbus, which uses fully connected/automated wrenches that not only tighten bolts to the right torque every single time but also keep track of how many bolts have been tightened. Such tools should be airgapped from the internet, but obviously someone messed up on that part. Could be cost-cutting.

  • AutoTL;DR@lemmings.world
    8 months ago

    This is the best summary I could come up with:


    Researchers have unearthed nearly two dozen vulnerabilities that could allow hackers to sabotage or disable a popular line of network-connected wrenches that factories around the world use to assemble sensitive instruments and devices.

    The vulnerabilities, reported Tuesday by researchers from security firm Nozomi, reside in the Bosch Rexroth Handheld Nutrunner NXA015S-36V-B.

    The cordless device, which wirelessly connects to the local network of organizations that use it, allows engineers to tighten bolts and other mechanical fastenings to precise torque levels that are critical for safety and reliability.

    The Nutrunner provides a torque-level indicator display that’s backed by a certification from the Association of German Engineers and adopted by the automotive industry in 1999.

    The malware could then be used to disable entire fleets of the devices or to cause them to tighten fastenings too loosely or tightly while the display continues to indicate the critical settings are still properly in place.

    The vulnerabilities found on the Bosch Rexroth NXA015S-36V-B allow an unauthenticated attacker who is able to send network packets to the target device to obtain remote execution of arbitrary code (RCE) with root privileges, completely compromising it.


    The original article contains 344 words, the summary contains 187 words. Saved 46%. I’m a bot and I’m open source!

  • Snot Flickerman@lemmy.blahaj.zone
    8 months ago

    I’m just here because I can’t fucking believe it’s named “Nutrunner.”

    Must be an oblique cyberpunk reference. Whatever it is, it’s fucking ridiculous.

    • Dave.@aussie.zone
      8 months ago

      When you have a long thread on a bolt, you run the nut down the thread to where it will be tightened up.

      You can do it by spinning the nut with a flicking action with your finger, people do it with long lengths of rag that they then show on social media, or you can do it with a NutRunner™.

  • A_Random_Idiot@lemmy.world
    8 months ago

    WHY ARE THERE NETWORK-CONNECTED WRENCHES?!

    IT’S A FUCKING WRENCH!

    IT DOESN’T NEED THE NETWORK!

    WHY THE FUCK DO THEY PUT NETWORK CONNECTIVITY IN THIS SHIT THAT DOES NOT, IN ANY CONCEIVABLE FASHION, NEED IT!?!

    I swear to god one of these days my head is literally going to explode in a thermonuclear ball of rage over the absolute stupidity of this shit.

  • kingthrillgore@lemmy.ml
    8 months ago

    I’m sorry, hold on a second, did you just say “network-connected wrenches?”

    And expose this outside of a VLAN, you say?

    • Abnorc@lemm.ee
      8 months ago

      At first, I thought this was some abstract or technical term that I didn’t know.

    • partial_accumen@lemmy.world
      8 months ago

      Do wrenches really need to be networked? Honest question

      A network-connected wrench can be a component of process improvement or quality improvement.

      Imagine the network wrench situation:

      “Ed, Jim is on door install duty today, right? I thought so. The system threw an alarm for his work. The last two doors he’s installed were under-torqued by 50 lbs on each bolt. Head down to production line four where he is, and get him sorted out.”

      Imagine the non-network wrench situation:

      “The FAA has grounded all Boeing 737 Max 9 jets today after a massive decompression event occurred on Alaska Airlines at 16,000 ft. The door plug blew out of the jet at altitude. United Airlines has reported, after inspection, loose bolts on the door plug of several of its Boeing 737 Max 9 jets as it continues to inspect every one of its 79 jets in its fleet.”

      Do wrenches really need to be networked? Honest question
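      The audit logic the comment above imagines, as an added example that is not from the thread, from Bosch Rexroth or from Nozomi: it runs over constructed torque records as a networked wrench fleet might post them to a central database, raises the per-operator under-torque alarm, and also cross-checks the wrench’s self-reported value against an independent hand check with a calibrated, non-networked wrench, which is the only way to catch the compromised-display case the article describes. The record layout, the spec value and the tolerances are assumptions.

```python
"""Torque-audit checks over networked-wrench records (illustrative, not vendor code).

Assumes each wrench posts one record per fastener to a central log and that a sample
of joints is re-measured by hand with a calibrated offline wrench (audit_nm).
"""
from collections import defaultdict

SPEC_NM = 100.0           # assumed target torque for the joint, in newton-metres
TOLERANCE_NM = 5.0        # assumed acceptable deviation before the system alarms
AUDIT_TOLERANCE_NM = 3.0  # assumed max gap between reported and hand-measured torque

# Constructed sample records: (operator, wrench_id, fastener_id, reported_nm, audit_nm|None)
RECORDS = [
    ("Jim", "NXA-01", "door-4-bolt-1", 99.1, None),
    ("Jim", "NXA-01", "door-4-bolt-2", 64.0, None),   # under-torqued, wrench admits it
    ("Jim", "NXA-01", "door-4-bolt-3", 63.5, 62.9),   # under-torqued, hand check agrees
    ("Ana", "NXA-02", "door-5-bolt-1", 100.4, 100.9),
    ("Ana", "NXA-02", "door-5-bolt-2", 100.2, 71.0),  # display says fine, hand check says loose
]


def out_of_spec(records, spec=SPEC_NM, tol=TOLERANCE_NM):
    """Records whose self-reported torque deviates from spec by more than tol."""
    return [r for r in records if abs(r[3] - spec) > tol]


def display_mismatch(records, tol=AUDIT_TOLERANCE_NM):
    """Records where an independent hand check disagrees with what the wrench reported.

    Operator error shows up in out_of_spec(); a wrench that reports the right number
    while applying the wrong one only shows up here, so this is the integrity check.
    """
    return [r for r in records if r[4] is not None and abs(r[3] - r[4]) > tol]


def alarms_by_operator(records):
    """Count out-of-spec joints per operator (the 'Jim on door duty' alarm)."""
    counts = defaultdict(int)
    for r in out_of_spec(records):
        counts[r[0]] += 1
    return dict(counts)


def suspect_wrenches(records):
    """Wrench IDs whose reported values are contradicted by a hand audit."""
    return sorted({r[1] for r in display_mismatch(records)})


if __name__ == "__main__":
    print("out of spec:", [r[2] for r in out_of_spec(RECORDS)])
    print("per operator:", alarms_by_operator(RECORDS))
    print("suspect wrenches:", suspect_wrenches(RECORDS))
```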

      • Zron@lemmy.world
        8 months ago

        The moment my wrenches at work need to be connected to WiFi so some bean-counting manager can come lecture me about every nut and bolt I work on is the moment I wheel my tool cart into the woods and set up a shack.

        • Alto@kbin.social
          8 months ago

          Good thing they’re primarily talking about things such as aircraft, where this level of analness is sort of the bare minimum.

      • SuddenlyBlowGreen@lemmy.world
        8 months ago

        Imagine the non-network wrench situation:

        “The FAA has grounded all Boeing 737 Max 9 jets today after a massive decompression event occurred on Alaska Airlines at 16,000 ft. The door plug blew out of the jet at altitude. United Airlines has reported, after inspection, loose bolts on the door plug of several of its Boeing 737 Max 9 jets as it continues to inspect every one of its 79 jets in its fleet.”

        What’s the ratio of Boeing door decompressions to IoT devices being hacked?