On October 29, the discovery of a vulnerability in the F25 series, an intermodal crane controller widely employed at sea ports, produced by Telecrane demonstrated a widespread security threat that has the possibility to impact port operations. Telecrane is a Kaohsiung, Taiwan-based manufacturer of radio controls, specializing in crane controllers and selling over 60,000 units annually across 60 countries. Serving as an industrial remote control leader throughout Asia, 80% of its units are sold to overseas markets. Aside from the Taiwanese domestic market, of which Telecrane dominates at 95%, other locations where the crane controllers are in use include the US, Canada, Australia, Italy, and Lithuania.
Upon discovery by the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) of the United States Department of Homeland Security (DHS), the vulnerability, labeled as CVE-2018-17935 per industry standards, has been described as an authentication bypass by capture-replay. In industry parlance, this type of vulnerability allows for a type of hack called a Man-in-the-Middle. This hack allows for anyone, without any security in place, to eavesdrop on the signals being sent between the controller and the crane, meaning that a hacker could manipulate the controller for malicious ends.
Given the controller’s simplicity and lack of protection, there are a finite number of codes for a finite number of actions, all of which comprise the crane’s possible movements. Were a hacker to gain access to this device, the said hacker could send unintended and unauthorized codes against the controller’s user’s will, including, but not limited to, viewing buttons pushed (i.e. commands sent), unwanted repetition of button pushing, unplanned button pushing, or “bricking” (i.e. rendering unusable) the controller. As applicable for a crane controller, any intrusion by a hacker of a network of controllers could be devastating in its own right for a single port-side accident, but if left unchecked, could potentially disable an entire port. The threat posed by this vulnerability is such that ICS-CERT is treating it as “serious”, especially because the vulnerability is so blatant and simple that those with low hacking skill levels can hack the F25, according to experts.
As Telecrane crane controllers are in use across 60 countries, all potentially employing varying degrees of information security, the possibility of a hacker successfully hacking the F25, most likely at a major transshipment port first, cannot be ruled out.