Vulnerabilities found in high-power Bosch wrenches popular with carmakers
Several vulnerabilities have been found in a popular line of pneumatic torque wrenches made by a subsidiary of Bosch, a German engineering and technology corporation.
The mechanical wrenches are typically found in manufacturing facilities that perform safety-critical tightening tasks, especially automotive production lines, according to researchers at industrial cybersecurity firm Nozomi Networks.
The vulnerabilities in the Bosch Rexroth NXA015S-36V-B nutrunner/pneumatic torque wrench have not been exploited yet, the researchers said. But the discovery underscores how the manufacturing process offers potential avenues for malicious hackers.
“Threat actors currently have the ability to implant ransomware on the device, which can lead to production line stoppages, thus guaranteeing large scale financial losses for the company,” the researchers said.
“Further, this exploitation also allows threat actors to undetectably hijack tightening programs for the nutrunners, making it possible to introduce sub-optimal tightening or cause damage due to excessive tightening.”
This means that the final torque levels applied to mechanical fastenings would be compromised, so operational performance and safety measures would no longer be met, the researchers explained.
Nozomi Networks officials told Recorded Future News that the devices natively support custom protocols from Volkswagen and BMW, and several other car companies likely use them.
A spokesperson for Bosch said in a statement that Nozomi Networks notified the corporation of the issues several weeks ago.
“Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem. This patch will be released at the end of January 2024,” the spokesperson said.
“Security is a top priority at Bosch Rexroth. Our experts continuously monitor any threats and take immediate countermeasures, if necessary, for example through updates offered by the manufacturers. With this approach, we can guarantee a high standard of security at Bosch Rexroth.”
The company published multiple advisories about the issues and informed customers through an RSS feed.
Nozomi Networks said it would not release the full details of the vulnerabilities in an effort to give Bosch customers time to install patches and mitigations.
Some of the vulnerabilities score as high as 8.8 on the CVSS scale, according to the researchers.
All of the CVEs affect 14 versions of the Rexroth Nexo cordless nutrunner and five versions of the Rexroth Nexo special cordless nutrunner. Some of the vulnerabilities can be chained together in certain attacks, the researchers found.
Connected production processes
The researchers said production lines are increasingly becoming reliant on computer systems that are interconnected, making potential ransomware attacks and cyber incidents more damaging to companies.
Bosch’s NXA015S-36V-B is a cordless, handheld pneumatic torque wrench engineered for safety-critical tightening operations. The tool comes with a visual display that provides users with real-time data and more. It can connect to the local WiFi network and be reprogrammed remotely.
The vulnerabilities discovered by Nozomi Networks affect the management web application used to regulate the tool. The vulnerabilities found allow an unauthenticated attacker to send messages to the device and compromise it.
“Once this unauthorized access is gained, numerous attack scenarios become possible,” they said.
The researchers laid out two possible scenarios involving ransomware and device takeover. With ransomware, attackers could make the device completely inoperable by “preventing a local operator from controlling the drill through the onboard display and disabling the trigger button.”
They could display a ransom message on the screen and “swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner.”
The other scenario would allow attackers to change the configuration of the tightening programs by increasing or decreasing the target torque value.
“Aside from the potential health and safety risks which may arise from improperly torqued fastenings in critical devices, the potential for business harm extends into other types of losses. An overtightened connection places excess stress on the bolt and nut which, again over time, will cause premature failure of the fixture possibly through failure of the threads themselves, or possibly exceeding the elastic limits of the material resulting in deformation,” they explained.
Depending on the company, devices like nutrunners may be critical parts of the quality management and assurance program — in some cases the last line of quality assurance.
“Long term, unmitigated alteration could affect the product quality, forcing you to recall thousands of products already in the market. A threat group or individual might reach out to you revealing a potential flaw in the manufacturing process, but not giving the entire details until you pay for it,” the researchers said.
“The implications are extensive, from potentially dangerous accidents to complex lawsuits derived from defective product operations, and the potential for ransomware – the sky is the limit when it comes to potential impacts.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.