Commentary & Insights

Let’s torque about smart tool cyber security

Vulnerabilities found in a smart tool highlight some of the risks of relying on connected technology for critical operations

OT and IoT security company Nozomi Networks recently revealed 25 vulnerabilities it found in the Bosch Rexroth NXA015S-36V-B wireless pneumatic torque wrench. Eleven of them are rated high criticality.

The tool connects over Wi-Fi, through which it receives programming updates and sends usage data. The most serious vulnerabilities allow an unauthenticated attacker to compromise the devices with relatively little effort, such that:

  • Ransomware could be installed on each device, preventing the tools from working.
  • Devices could be reprogrammed to alter target torque values, whilst simultaneously manipulating the view the device operator sees to keep them unaware of changes.

Nozomi Networks reported its findings to Bosch Rexroth, which in turn began working on a fix and released security advisory BOSCH-SA-711465 for customers.

At the time it published the advisory, Bosch Rexroth did not have an immediate fix available for the device.

An update is expected to be developed, tested and released within a month. In situations like this, attackers have a window of opportunity to strike organisations that use the affected devices.

Knowing what smart tools are in your toolbox and their update status is critical to being able to quickly respond to published security advisories.

In these situations, where no fix is available, your organisation must decide whether to continue using the devices. If it does, apply any recommended mitigations, intensify monitoring for suspicious activity, and implement enhanced quality assurance checks on the work done with them.

Where fixes are available, knowing how many of something you have and where they are will ease and expedite remediation, and minimise the risk of missing vulnerable devices.
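The three points above (know what you have, know its update status, and route each device to "update" or "mitigate and monitor") are the kind of cross-check that is easy to script. The following is an added example, not code from the original post or from Bosch Rexroth or Nozomi Networks. The inventory rows, asset ids, locations and firmware versions are constructed sample data, and the "fixed firmware" version is a placeholder; the real affected and fixed versions for this device come only from the vendor advisory BOSCH-SA-711465.

```python
# Added example: cross-check a smart-tool inventory against a published
# security advisory and decide what action each affected device needs.
# All inventory data and version numbers below are CONSTRUCTED samples.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    asset_id: str   # your own asset tag
    model: str      # vendor model string as it appears on the tool
    firmware: str   # dotted firmware version, e.g. "1.1.0"
    location: str   # where the tool lives, so someone can go and find it


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    model: str
    fixed_firmware: Optional[str]   # None means the vendor has not released a fix yet


# Outcomes for each affected device; kept as constants so callers can compare them.
NO_FIX = "no fix published: apply mitigations, increase monitoring, add QA checks"
PATCHED = "already at fixed firmware"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.strip().split("."))


def triage(inventory: List[Device], advisory: Advisory) -> Dict[str, str]:
    """Return asset_id -> required action for every device the advisory covers."""
    actions: Dict[str, str] = {}
    for dev in inventory:
        if dev.model != advisory.model:
            continue  # different product, this advisory does not apply
        if advisory.fixed_firmware is None:
            actions[dev.asset_id] = NO_FIX
        elif parse_version(dev.firmware) < parse_version(advisory.fixed_firmware):
            actions[dev.asset_id] = f"update to {advisory.fixed_firmware}"
        else:
            actions[dev.asset_id] = PATCHED
    return actions


def by_location(inventory: List[Device], actions: Dict[str, str]) -> Dict[str, List[str]]:
    """Group affected asset ids by location so the remediation team knows where to go."""
    grouped: Dict[str, List[str]] = {}
    for dev in inventory:
        if dev.asset_id in actions:
            grouped.setdefault(dev.location, []).append(dev.asset_id)
    return grouped


# Constructed sample inventory: three of the affected model plus one unrelated tool.
INVENTORY = [
    Device("TW-001", "NXA015S-36V-B", "1.0.0", "Line A"),
    Device("TW-002", "NXA015S-36V-B", "1.1.0", "Line A"),
    Device("TW-003", "NXA015S-36V-B", "1.2.0", "Line B"),
    Device("HT-009", "OTHER-TOOL-MODEL", "4.2.0", "Line B"),  # constructed, not affected
]

# The advisory as it stood at publication: no fix available yet.
ADVISORY_NO_FIX = Advisory("BOSCH-SA-711465", "NXA015S-36V-B", None)

# The same advisory once a fix ships. "1.2.0" is a PLACEHOLDER, not the real fixed version.
ADVISORY_WITH_FIX = Advisory("BOSCH-SA-711465", "NXA015S-36V-B", "1.2.0")


if __name__ == "__main__":
    for adv in (ADVISORY_NO_FIX, ADVISORY_WITH_FIX):
        actions = triage(INVENTORY, adv)
        print(f"{adv.advisory_id} (fix: {adv.fixed_firmware})")
        for asset, action in actions.items():
            print(f"  {asset}: {action}")
        print("  by location:", by_location(INVENTORY, actions))
```

Running the script twice, once with the no-fix advisory and once with a fix published, shows the two situations the post describes: every affected device is routed to mitigation and monitoring while no fix exists, and only the devices below the fixed version are flagged for update afterwards. Devices of other models never appear in the output, which is exactly the "am I affected?" question an accurate inventory lets you answer quickly.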
