Digital disruption

9 November 2018

Security expert Bruce Schneier has, for decades, warned of the overlooked risks associated with the computer age. Sometimes, politicians, regulators, and industry leaders have paid heed.

His latest book, Click Here to Kill Everybody, warns of the new dangers in a world of Internet-connected devices. Where once computing devices were made by computing experts, now internet-connected computers are added to even the most humdrum of goods. Manufacturers of 'smart' doorbells or baby monitors (or, even, as Schneier explains, pacemakers) will invest their R&D resources in features and price cutting, rather than in how secure the device is. In this, they respond to customer demand: the early-adopting public generally just wants cool features as cheap as possible, and doesn't ask if their device is secure.

Many of these devices can't be easily upgraded in response to new threats. One example came this spring, when researchers at F-Secure found a way to hack hotel door locks: the lock manufacturer couldn't push out updates centrally; instead, hotel maintenance staff would have to update every lock manually.

Another example of the risks came in 2016, when hackers used two networks of 'owned' security cameras in a distributed denial of service botnet: the devices attacked a security site with 600Gbps of traffic, crippling it and much of the wider Internet.

This is, of course, all very scary and intriguing, but how does it relate to the world of cranes? Perhaps cranes, unlike every other connected device, are immune to hacking? Unfortunately not. In late October, US-CERT, the US government's Industrial Control Systems Cyber Emergency Response Team, reported a vulnerability in a crane remote control. The report says that, 'These devices use fixed codes that are reproducible by sniffing and re-transmission. This can lead to unauthorized replay of a command, spoofing of an arbitrary message, or keeping the controlled load in a permanent “stop” state.' The manufacturer has offered an update to fix the issue.
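To make the 'fixed codes' weakness concrete, here is an added example (not from the advisory, the article or the manufacturer) that models a receiver accepting a constant command frame beside one that requires a fresh counter and a message authentication code. The frame layout, key and command byte are constructed for illustration, and the counter-plus-HMAC scheme is one common mitigation, assumed here rather than taken from the manufacturer's update.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration only; not taken from any real product.
FIXED_STOP = b"\x10\x2a\x00\x01"      # a command frame that never changes
KEY = b"constructed-demo-key"         # per-pair secret, provisioned at pairing
TAG_LEN = 8                           # truncated MAC length in bytes

class FixedCodeReceiver:
    """Accepts any frame equal to a known constant, so a recording stays valid."""
    def accept(self, frame: bytes) -> bool:
        return frame == FIXED_STOP

def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Transmitter side: command byte, 32-bit counter, truncated HMAC-SHA256."""
    body = struct.pack(">BI", command, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class CounterMacReceiver:
    """Accepts a frame only if its MAC verifies and its counter is strictly newer."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 5 + TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False              # forged or altered frame
        _, counter = struct.unpack(">BI", body)
        if counter <= self.last_counter:
            return False              # replay of a frame already seen
        self.last_counter = counter
        return True

def demo() -> dict:
    """Feed each receiver an original frame, then the same bytes again."""
    fixed, rx = FixedCodeReceiver(), CounterMacReceiver(KEY)
    frame = make_frame(KEY, 1, 0x10)
    altered = bytes([frame[0] ^ 0x01]) + frame[1:]   # command byte changed
    return {
        "fixed_first": fixed.accept(FIXED_STOP),
        "fixed_replay": fixed.accept(FIXED_STOP),    # recording still works
        "mac_first": rx.accept(frame),
        "mac_replay": rx.accept(frame),              # same bytes, stale counter
        "mac_altered": rx.accept(altered),           # MAC no longer matches
        "mac_next": rx.accept(make_frame(KEY, 2, 0x10)),
    }
```

A real receiver also has to persist the counter across power cycles and tolerate frames lost over the air, which this model leaves out.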

It's clear why hackers might target cranes: for the stereotypical alienated hacker living in his mum's basement, it'd be an impressive feat to set a tower crane spinning; for an organised crime outfit, being able to lock down construction sites around the world could be a real earner.

The crane industry has become incredibly good at addressing the physical risks in construction through the standards system. Today, it needs to also create standards—in collaboration with suppliers—that cover network and device safety.

Will North, editor