Last March, Federico Maggi was on a strange kind of road trip. Traveling the Lombardi region of Italy with his colleague Marco Balduzzi in a red Volkswagen Polo, the pair hoped to convince construction site managers, who they’d never met or spoken with before, to let them have a crack at taking control of cranes with their hacking tools. They weren’t having much luck, but one such manager, who Maggi fondly remembers as Matteo, was game. Armed with laptops powered by the VW’s battery, scripts for running their hacks and some radio hardware to beam out the exploit code, Maggi and Balduzzi got to work.
Matteo was asked to turn off his transmitter, the only one on-site capable of controlling the crane, and put the vehicle into a “stop” state. The hackers ran their script. Seconds later, a harsh beeping announced the crane was about to move. And then it did, shifting from side to side. Looking up at the mechanism below a wide blue sky, Matteo was at first confused.
“I remember him looking up and asking, ‘Who is doing that ?’ Then he realized the test was successful,” Maggi recalls.
Matteo’s crane was just the start. Over the coming days and weeks, the researchers, who ply their trade at Japanese cybersecurity giant Trend Micro, became professional “crane spotters.” Able to detect potentially vulnerable machines on site, they embarked on an unprecedented hacking trip.
They cajoled their way into 14 locations where they were allowed to hack into devices that not only controlled cranes but excavators, scrapers and other large machinery. In every case, their preprepared attack code worked!