Cyber vulnerabilities found in Bosch production line tools

Tuesday, 16 January, 2024

As production lines become increasingly reliant on interconnected computer systems, the risk of cybercriminal exploitation looms large.

Nozomi Networks has detailed new vulnerabilities discovered in the Bosch Rexroth NXA015S-36V-B, a popular smart nutrunner (pneumatic torque wrench) used in automotive production lines.

The researchers found that these vulnerabilities could make it possible to implant ransomware on the device, which could be used to cause production line stoppages and potentially large-scale financial losses to asset owners. Another exploitation scenario would allow the threat actor to hijack tightening programs while manipulating the onboard display, causing undetectable damage to the product being assembled or making it unsafe to use. Given that the NXA015S-36V-B is certified for safety-critical tasks, an attacker could compromise the safety of the assembled product by inducing suboptimal tightening, or cause damage to it due to excessive tightening.

In critical applications, the final torque levels applied to mechanical fastenings are calculated and engineered to ensure that the overall design and operational performance of the device is met. As an example, bolts, nuts and fixtures used in electrical switchboards must be torqued appropriately to ensure that connections between current carrying components, such as high-voltage busbars, maintain a low resistance. A loose connection would result in higher operating temperatures and could, over time, cause a fire.

These vulnerabilities, primarily in the NEXO-OS operating system, have yet to be patched. Bosch Rexroth has committed to releasing patches by the end of January 2024.

In the interim, Nozomi Networks has recommended some mitigations that asset owners can implement to safeguard against cyber attacks.

The Bosch Rexroth NXA015S-36V-B and NEXO-OS

The NXA015S-36V-B is a cordless, handheld pneumatic torque wrench (nutrunner) in the Bosch Rexroth NXA Angle head family. It is specifically engineered for safety-critical tightening operations falling under category A of VDI 2862, a standard established by the Association of German Engineers (VDI) and adopted by the automotive industry in 1999.

The nutrunner is equipped with a visual display presenting real-time data and activity results to the operator. Additionally, it has the capability to connect to a wireless network through its embedded Wi-Fi module. In this configuration, data can be transmitted using various supported protocols to a designated historian server, and the device can be remotely reprogrammed using the management services provided by its NEXO-OS operating system.

NEXO-OS serves as the Linux-based operating system powering the nutrunner. It presents a range of application choices, encompassing tightening system configuration, the generation of tightening programs by specifying processes and the analysis and diagnosis of tightening cases, through the exposed management web application. It also supports a wide range of communication protocols such as Rexroth OpenProtocol, VW-XML and BMW-TPC, so that the nutrunner can be seamlessly integrated with SCADA systems, PLCs or other production devices.

The majority of the vulnerabilities identified by Nozomi Networks Labs affected the management web application, although a few were found in the services parsing the mentioned protocols.

Impacts of the vulnerabilities

The vulnerabilities found on the Bosch Rexroth NXA015S-36V-B allow an unauthenticated attacker who is able to send network packets to the target device to obtain remote execution of arbitrary code (RCE) with root privileges, completely compromising it. Once this unauthorised access is gained, numerous attack scenarios become possible, including ransomware and the manipulation of control and view.

Aside from the potential health and safety risks which may arise from improperly torqued fastenings in critical devices, the potential for business harm extends into other types of losses.

Depending on a manufacturer’s use and business configuration, devices such as the nutrunner may form a critical part of the quality management and assurance program in an enterprise, possibly even the last line of quality assurance. Compromise of the integrity in this final link in the quality chain may be difficult to detect and have far-reaching financial consequences resulting from compromised production quality over time.


Bosch Rexroth is set to deliver official patches by the end of January 2024. In the meantime, Nozomi Networks Labs advises adopting the following mitigations to protect against cyber attacks:

Given that some vulnerabilities are zero-click unauthenticated root RCE, it is recommended to restrict the network reachability of the device as much as possible, so that only authorised personnel and trusted computers/servers can communicate with it.

As some vulnerabilities can be exploited by authenticated users only, reviewing all accounts that have login access to the device and deleting unnecessary accounts is advised.

A few vulnerabilities require authenticated users to click on links or visit malicious webpages while logged in to the management web application. To counteract these, users should be cautious when opening untrusted links or visiting external websites with a browsing session to the management web application in progress.
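One way to check that the first mitigation actually holds is to audit recorded connections to the tool against the list of hosts that are meant to reach it. The following is an added example, not code from Nozomi Networks or Bosch Rexroth; the IP addresses, ports, log format and the names `audit_flows`, `TOOL_ADDR` and `TRUSTED` are all assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumed addressing (constructed for this example, not from the article).
TOOL_ADDR = ipaddress.ip_address("10.20.30.15")   # the nutrunner
TRUSTED = [ipaddress.ip_network(n) for n in (
    "10.20.30.2/32",   # historian server
    "10.20.40.0/28",   # engineering workstations
)]

# Constructed flow records: timestamp,src,dst,dst_port
SAMPLE_FLOWS = """\
2024-01-16T08:00:01,10.20.30.2,10.20.30.15,443
2024-01-16T08:00:07,10.20.40.5,10.20.30.15,443
2024-01-16T08:01:12,10.20.99.77,10.20.30.15,443
2024-01-16T08:01:30,10.20.40.5,10.20.30.99,443
2024-01-16T08:02:00,not-an-ip,10.20.30.15,80
2024-01-16T08:02:44,10.20.40.200,10.20.30.15,8080
"""

def audit_flows(text, tool=TOOL_ADDR, trusted=TRUSTED):
    """Return (violations, malformed) for flows destined to the tool."""
    violations, malformed = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            ts, src, dst, port = row
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            # Keep unparsable records for manual review instead of dropping them.
            malformed.append(row)
            continue
        if dst_ip != tool:
            continue  # traffic to other hosts is out of scope for this audit
        if not any(src_ip in net for net in trusted):
            violations.append((ts, str(src_ip), port))
    return violations, malformed

if __name__ == "__main__":
    bad, junk = audit_flows(SAMPLE_FLOWS)
    for ts, src, port in bad:
        print(f"{ts} untrusted source {src} reached tool on port {port}")
    print(f"{len(junk)} malformed record(s) need manual review")
```

Any violation means the network restriction is not effective for that source and the segmentation or firewall rules need to be revisited.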
