I really feel like we’re nudging towards the Cyberpunk: 2077-style future where netrunner hackers will basically become wizards, able to explode just about anything with a few lines of rogue code. Okay—the reality may be far more boring, but considering they put DRM in trains a while back I’m crossing my fingers for cyber sorcerers in the next few decades.
The latest in this list of surprisingly hackable tech? The Bosch Rexroth NXA015S-36V-B—also called a nutrunner, which is a type of torque wrench that came into use nearly 100 years ago and just so happens to share a lot of letters with ‘netrunner’. We live in a world of beautiful coincidences.
As detailed in a report by the security firm Nozomi. A squad of security experts found a whopping 25 different vulnerabilities in the wrench, which wirelessly connects to a manufacturer’s internal network. Also, it runs on Linux—or, well, the Linux-based NEXO-OS.
Unlike the superfluous anti-competitive nonsense applied to those Polish trains, the Nutrunner’s always-online wrench software is actually there for a good reason. Having access to an application allows engineers to adjust the final torque levels of fastenings to a granular degree, which is important for everyone’s safety.
“As an example,” the report reads, “bolts, nuts and fixtures used in electrical switchboards must be torqued appropriately to ensure that connections between current carrying components, such as high voltage busbars, maintain a low resistance. A loose connection would result in higher operating temperatures and could, over time, cause a fire.”
While the sentence ‘there’s a hackable wrench’ is very funny, the potential security risks here are serious to a harrowing degree. There’s the business side of things, of course—Nozomi thinks that these vulnerabilities could be used for ransomware attacks.
(Image credit: Nozomi Networks)
A more disturbing possibility is that these weak spots would “allow the threat actor to hijack tightening programs while manipulating the onboard display, causing undetectable damage to the product being assembled or making it unsafe to use.”
It’s a worst-case nightmare scenario and supervillain-tier levels of evil, but the concept of a rash of invisibly-caused industrial accidents happening months after the attack is genuinely a little scary. This isn’t just a theory they have, either—the security team fully pulled it off:
“We managed to stealthily alter the configuration of tightening programs, such as by increasing or decreasing the target torque value. At the same time, by patching in-memory the GUI on the onboard display, we could show a normal value to the operator, who would remain completely unaware of the change.”
In an email statement highlighted by Ars Technica, Bosch Rexroth “immediately took up this advice and is working on a patch to solve the problem”, which it says will be released at the end of January 2024. There’s patches for wrenches, now—what a time to be alive.