Are the human gods creating our future robot overlords bestowing their creations with solid cybersecurity? A pair of hackers think not.
The researchers, from security consultancy IOActive, claimed Wednesday to have found a whopping 50 vulnerabilities across components of major home and industrial robots. If exploited, those weaknesses could allow remote control of the machines or reprogramming of their functions, whilst possibly leaking their data, the researchers said. And they believe there’s worse to come, as their hacks have only gone skin deep thus far.
The affected manufacturers include the maker of the famous Baxter and Sawyer models, Rethink Robotics, as well as SoftBank Robotics, UBTECH, Robotis and Universal Robots. Though the researchers didn’t have access to the actual robots, they were able to poke at various components and hunt for weaknesses.
While the hackers declined to provide detail on the specific vulnerabilities, they did provide high-level descriptions of the vulnerabilities. And they were depressingly familiar, ranging from weak-to-zero encryption for communications between the robots and their human masters, to completely open access to the machines.
The latter, said researchers Cesar Cerrudo and Lucas Apa, was the most troublesome finding, as some didn’t even require a username and password. “In some cases, where services used authentication, it was possible to bypass it, allowing access without a correct password. This is one of the most critical problems we found, allowing anyone to remotely and easily hack the robots,” they wrote in a paper released today.
Apa told FORBES: “We found robots have huge attack surfaces, there are a lot of different ways we could interact with the robots.”
Hypothesizing what attacks were most likely, Cerrudo and Apa suggested malicious hackers could turn on cameras and microphones for espionage, disrupt factory production lines, disable human safety features or use a smartphone to control the robot. Talking about the threat to the home, they wrote: “Compromised robots could even hurt family members and pets with sudden, unexpected movements, since hacked robots can bypass safety protections that limit movements.”
Taking their theories to the sci-fi extreme, they added: “Hacked robots could start fires in a kitchen by tampering with electricity, or potentially poison family members and pets by mixing toxic substances in with food or drinks. Family members and pets could be in further peril if a hacked robot was able to grab and manipulate sharp objects.”
IOActive said it had reported the issues to the vendors. It’s awaiting responses and, hopefully, some fixes before revealing just what was vulnerable and how. “We assume these will take probably a couple of months or more,” Apa added. “These are the same problems we see in the Internet of Things, the vendors don’t have a procedure in place to identify vulnerabilities and release a fix.”
Universal Robots spokesperson Thomas Stensbøl told FORBES: “While our products meet their specifications and stated standards, we’ve been made aware of the report and are investigating the potential vulnerability described and potential countermeasures.”
Rethink Robotics said it was aware of the issues, but said two of them were “intentional design features for the research and education version of Rethink’s robots only.” A spokesperson added: “These users need a greater degree of accessibility into the system to create new uses for the robot as part of their research.
“The other items noted by IOActive were already known to us and addressed in Rethink’s latest software release. Like most software providers, we routinely release software updates with new features and capabilities for the robot, as well as bug fixes and security patches.As with all manufacturing equipment, we also expect that the robot is connected to a secure corporate network.”
At the time of publication, the other vendors named above had not responded to requests for comment.
Take the scary predictions of a hacked robot cataclysm with a pinch of salt; the researchers are yet to publicly demonstrate the impact of an attack on any of the production robots. Nevertheless, where there are vulnerabilities there’s always the threat of some real-world danger. And, as Cerrudo and Apa said, these basic hacks should act as a wake-up call to the robotics industry.
Got a tip? Email at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail. Get me on Signal on +447837496820 or email@example.com on Jabber for encrypted chat.
Source: SANS ISC SecNewsFeed @ March 1, 2017 at 07:00AM