On January 9, 2024, the industrial cybersecurity firm Nozomi Networks announced it had discovered vulnerabilities in Bosch Rexroth industrial impact wrenches. The automotive industry uses these tools to tighten safety-critical bolts. The impact wrenches have a Wi-Fi mode that allows remote operation and the transfer of operational data.
Nozomi researchers identified 25 different flaws, mainly affecting the proprietary NEXO-OS management software. Other vulnerabilities involve the communication protocols used to integrate the tools into SCADA, PLC and other systems. According to Nozomi, exploiting these vulnerabilities could allow an attacker to take full control of an impact wrench, which in turn opens up two possible attack scenarios.
The first would be to disable as many tools as possible within the same factory, halting assembly lines, and then demand a ransom. The second would be to alter tightening program settings so that critical bolts are under-tightened. This would make the vehicles defective, even dangerous, with serious consequences for the manufacturer's bottom line and reputation.
Nozomi informed Bosch Rexroth of these flaws. A patch should be made available by the end of January 2024.