Attackers could use vulnerabilities in Bosch Rexroth nutrunners to disrupt automotive production

Researchers have discovered over two dozen vulnerabilities in “smart” cordless nutrunners (i.e., pneumatic torque wrenches) manufactured by Bosch Rexroth that could be exploited to make the devices inoperable or their output unreliable.

“Depending on a manufacturer’s use and business configuration, devices such as the nutrunner may form a critical part of the quality management and assurance program in an enterprise, possibly even the last line of quality assurance. Compromise of the integrity in this final link in the quality chain may be difficult to detect, and have far reaching financial consequences,” Nozomi Networks researchers have noted.

The vulnerabilities in Bosch Rexroth devices (CVE-2023-48242 to CVE-2023-48266)

After probing the security posture of the Bosch Rexroth NXA015S-36V-B nutrunner and discovering 25 vulnerabilities affecting the device’s management web application and the services parsing communications protocols, the researchers successfully tested two attack scenarios in their lab:

• Deployment of custom ransomware (specifically designed for the devices’ OS), and
• Steathy alteration of tightening programs (while manipulating the onboard display)

“We were able to make the device completely inoperable by preventing a local operator from controlling the drill through the onboard display and disabling the trigger button. Furthermore, we could alter the graphical user interface (GUI) to display an arbitrary message on the screen, requesting the payment of a ransom,” the researchers shared.

“Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner.”

PoC ransomware running on test nutrunner. (Source: Nozomi Networks)

Covertly tampering with tightening programs also carries potential health and safety risks: As the recent in-flight emergency involving a Boeing 737 Max 9 plane operated by Alaska Airlines has shown, inadequately tightened bolts can lead to extremely dangerous situations.

The Bosch Rexroth NXA015S-36V-B nutrunner is powered by NEXO-OS, a Linux-based operating system that allows users to generate and configure tightening programs and analyse and diagnose tightening cases via the management web application. It has a built-in display and connects to wireless networks via an embedded Wi-Fi module.

The device supports a number of communication protocols that are used to integrate it with SCADA systems, PLCs, or other production devices.

“We expect [these devices] to be usually connected to the OT network, for the automatic collection of telemetry data and the integration with other OT systems (e.g., PLCs), but not exposed to the Internet (as it is common with other OT devices),” Nozomi researchers told Help Net Security. The management web app, though, is exposed on the internet by default, they say.

They also told us that most of the vulnerabilities are remotely exploitable – an attacker does not need to be on the same subnet to compromise vulnerable devices.

What to do?

Bosch Rexroth nutrunners are widely used in automotive production lines. Determined threat actors could leverage the vulnerabilities to stop the production or affect the quality of manufactured products, leading to delays, product recalls, reputational damage, accidents, etc.

There has been no mention of these vulnerabilities being exploited by threat actors, but once technical details and updated firmware are made available, there’s a chance some enterprising, skilled attackers might find it profitable to do the same research and use what they discovered.

As confirmed by Bosch Rexroth, the vulnerabilities affect Nexo cordless nutrunners from the NXA, NXP and NXV series, as well as a number of other similar devices.

For now, Nozomi refrained from publishing technical details about the vulnerabilities. Bosch Rexroth says that roughly half of the vulnerabilities will be fixed in the updated firmware version that will be released later this month, and has provided mitigation advice for CVE-2023-48257 (“Users shall ensure that the file storage is appropriately protected.”)

The researchers advise restricting the network reachability of the device as much as possible and reviewing all accounts that have login access to the devices and delete unnecessary ones.

“A few vulnerabilities require authenticated users to click on links or visit malicious webpages while logged in to the management web application. To counteract these, we advise being cautious when opening untrusted links or visiting external websites with a browsing session to the management web application in progress,” they added.