The robot industry has become better at building eye-catching demonstration machines than securing them, consultancy IOActive has concluded after pen-testing some famous examples.
After a process described as “not even a deep, extensive security audit”, Hacking Robots Before Skynet suncovered 50 vulnerabilities affecting communications, encryption, authentication and robot open-source software development libraries.
Screw-ups included cleartext communication and weak default passwords (including ones that couldn’t be changed), adding up to the risk that robots could be remotely hacked, co-opted for surveillance, and even held hostage by ransomware. Security auditing seems to be non-existent.
Robots tested were the “human-like” NAO and Pepper robots from SoftBank Robotics (10,000 sales), the OP2 and THORMANG3 from ROBOTIS, and designs using Asratec’s V-Sido technology.
Others examined included the Alpha 1S and Alpha educational toy from UBTECH, and robotic arm systems from Rethink Robotics and Universal Robots, so this was a good cross-section of robots people can buy.
An underlying issue is that many robots emerge from academic research projects that are then later spun out commercially. As with the similar Internet of Things growing pains, security is an afterthought:
A broad problem in the robotics community: researchers and enthusiasts use the same or very similar tools, software, and design practices worldwide.
Everyone replicates the same model, leaving robots susceptible to generic vulnerabilities.
Arnold Schwarzenegger’s Terminator movies are never far away from any discussion of robots running amok, which explains the over-the-top references to “Skynet” in the title of the report.
There are two rebuttals to robot pessimism. First, these robots are not representative of the best systems coming out of big-budget labs, and second, robotics (especially autonomous robotics) is a very green industry and talking up a few security flaws as something frightening is technophobia.
By coincidence, new footage emerged last week of a robot called Handle, a remarkable two-wheeled robot from Boston Dynamics. Presumably, Handle’s autonomy is limited, but it’s not a stretch surely to imagine a Robocop along these lines patrolling a shopping mall, airport or private prison a decade or two from now.
It’s a world that alarms some people, including apparently Boston Dynamics’ owner Alphabet (Google’s parent company), which put the BD up for sale a year ago. Chips in IOActive’s CTO, Cesar Cerrudo, told Newsweek:
A robot is just a computer with arms and legs or wheels. Therefore, the cyberthreat is much bigger. Compromised robots can be used to physically damage something or even hurt or kill someone.
Except that the weak security of current robots is really an extension of weak security in everything else, be that IOT, network equipment, or even (stand up, CloudPets) children’s toys – just with more dire warnings from popular fiction.
Robotics spending was estimated by IDC at $92bn (£74bn) in 2016, the same year that the number of US factory robots increased by 10%. People will continue to build more and more robots whether they’re secure or not.
So far, we should point out, examples of robots hacked maliciously are non-existent. Nobody is likely to be harmed by the weaknesses found by IOActive. But if the industry doesn’t mandate development standards soon, that might change and little by little Arnie could turn from prediction to prophecy.
Source: Naked Security – Sophos @ March 2, 2017 at 09:36AM