Advisory

Vulnerabilities discovered in high-power Bosch network connected torque wrenches

Take action: It is not obvious why a torque wrench needs network connectivity, but if you use Bosch Rexroth's NXA015S-36V-B Handheld Nutrunner, contact the vendor for the patch and, until it is installed, restrict network access to the device to trusted management hosts. A torque wrench that cannot be trusted to apply the torque it reports is a safety problem, not just an IT one.


Learn More

Researchers at Nozomi Networks have identified multiple vulnerabilities in Bosch Rexroth's NXA015S-36V-B Handheld Nutrunner, a widely used, network-connected handheld nutrunner (torque wrench).

The 23 vulnerabilities could allow attackers to sabotage or disable these devices, which are used to assemble safety-sensitive products in a range of industries, especially automotive. The flaws could be exploited to install malware that applies an incorrect torque, either too loose or too tight, while the display continues to show the operator the expected values. That combination is what makes the findings serious: the wrench is used for safety-critical tightening tasks on manufacturing lines, and a falsified readout defeats the operator's only check.

The vulnerabilities include an unauthenticated arbitrary file upload that leads to remote code execution as root. With that foothold an attacker could install ransomware that renders the device inoperable, or silently alter the torque settings while reporting false values to the operator, compromising the safety and quality of the finished product.
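To make the bug class concrete, here is an added illustration of an arbitrary file upload handler beside a hardened one. It is constructed for this advisory and is not code from the Bosch Rexroth device or from Nozomi's research; the upload directory, the allowed extensions and the hypothetical "job" file name are assumptions. The vulnerable handler trusts the client-supplied file name and has no authentication check, so a name containing `../` lands the file anywhere the process can write, which is how an upload bug becomes code execution on a device whose web service runs as root.

```python
"""Arbitrary file upload: vulnerable path handling beside a hardened version.

Constructed example for illustration only; not the nutrunner's firmware.
"""
import os
import posixpath
import tempfile

# Assumption: the hypothetical handler should only accept data files.
ALLOWED_EXTENSIONS = {".csv", ".json"}


class UploadRejected(Exception):
    """Raised by the hardened handler when an upload fails a check."""


def naive_upload_path(upload_dir: str, filename: str) -> str:
    """VULNERABLE: joins the client-controlled name straight onto the
    upload directory. No authentication, no traversal check, no
    extension check: '../../etc/cron.d/job' escapes upload_dir."""
    return os.path.join(upload_dir, filename)


def safe_upload_path(upload_dir: str, filename: str, authenticated: bool) -> str:
    """HARDENED: require authentication, keep only the base name, allow
    listed extensions only, and prove the resolved destination is a
    direct child of the upload directory before returning it."""
    if not authenticated:
        raise UploadRejected("authentication required")

    # Normalise Windows separators, then keep the last path component only.
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or base.startswith("."):
        raise UploadRejected(f"bad file name: {filename!r}")

    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")

    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, base))
    # Defence in depth: even after basename(), insist the parent is root.
    if os.path.dirname(dest) != root:
        raise UploadRejected(f"destination escapes upload dir: {dest!r}")
    return dest


def escapes_upload_dir(upload_dir: str, path: str) -> bool:
    """True if the normalised path lies outside upload_dir."""
    root = os.path.normpath(upload_dir)
    target = os.path.normpath(path)
    return os.path.commonpath([root, target]) != root


def rejects(upload_dir: str, filename: str, authenticated: bool) -> bool:
    """True if the hardened handler refuses this upload."""
    try:
        safe_upload_path(upload_dir, filename, authenticated)
    except UploadRejected:
        return True
    return False


def write_upload(dest: str, data: bytes) -> None:
    """Write with a restrictive mode and without following symlinks."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        payload = b"#!/bin/sh\necho pwned\n"  # constructed sample upload

        # Vulnerable handler: the "job" name escapes the upload directory.
        bad = naive_upload_path(uploads, "../job")
        print("naive handler would write to:", os.path.normpath(bad),
              "(escapes uploads dir:", escapes_upload_dir(uploads, bad), ")")

        # Hardened handler: traversal, bad extension and no auth are refused.
        for name, auth in (("../job", True), ("job.sh", True), ("report.csv", False)):
            print(f"{name!r} auth={auth}: rejected={rejects(uploads, name, auth)}")

        dest = safe_upload_path(uploads, "report.csv", authenticated=True)
        write_upload(dest, b"torque,target\n")
        print("hardened handler wrote:", dest)
```

Note the order of checks: the authentication decision comes first and is independent of the file name, so a missing session cannot be bypassed by a clever name. The basename and realpath checks are separate layers; either alone would be enough for the traversal case, but keeping both means a future change to one does not silently reopen the hole.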

Nozomi has withheld full technical details to give Bosch Rexroth customers time to install patches and mitigations. Bosch Rexroth has acknowledged the issues and is developing a patch, expected by the end of January 2024, as part of its ongoing security programme of monitoring and updates.
