As SC Media reported yesterday, IOActive has discovered more than 50 vulnerabilities across multiple robots within the home, business and industrial sectors. A number of these have been classified as being of either high or critical risk. Which leaves a whole bunch of robots at risk of being attacked by hackers, cyber-criminals or nation-state actors.
Vulnerabilities have been identified within robots from leading vendors in the robotics sector, including: Rethink Robotics (Baxter and Sawyer robots), ROBOTIS (ROBOTIS OP2 and THORMANG3 robots), SoftBank Robotics (NAO and Pepper robots), UBTECH Robotics (Alpha 1S and Alpha 2 robots) and Universal Robots (UR3, UR5, UR10 robots).
The paper 'Hacking Robots Before Skynet' [PDF] was the result of six months intensive testing of mobile applications, robot operating systems, firmware images and miscellaneous software by IOActive researchers Cesar and Lucas.
It turns out that Cesar is none other than IOActive chief technology officer Cesar Cerrudo, while Lucas is IOActive senior security consultant Lucas Apa. SC Media took the opportunity to speak to both about their findings.
"While there is no evidence of these vulnerabilities being exploited in the wild," Lucas told us, "most of the recent accidents that involved robots were related to their human safety protections. If these protections can be disabled on a hacked robot, it would be really hard to distinguish between an accident and a cyber-attack."
Right now, it seems that there is not enough profit for cyber-criminals to develop specialised malicious software to affect them, mainly because robot adoption is not mainstream yet.
"There are many possible consequences and most of them are not pretty," Cesar warns. "A hacked robot can be used to spy on people with its cameras and microphones, it can also be used to hack other robots and systems and it could be used to damage property and maybe even hurt people."
Then there's the possibility that cyber-criminals could install ransomware on robots and ask for money to get the robot back – if not then you can't use your robot anymore.
"For a nation-state, it could be an interesting target on industrial facilities and business since a hacked robot can be used to steal secrets," Cesar says, "and also used as a platform for further attacks."
The trouble is that right now it's almost impossible to tell for regular users if a robot has been hacked or not, so it's a good target for APT attacks.
So just how 'real world' is the robot hacking threat according to other security industry experts? Mike Pittenger, vice president of security strategy at Black Duck Software, is in no doubt that we will have already seen the consequences.
"Drones (unmanned aerial vehicles) are a form of robot," he explains, "and an attractive target for our adversaries. Taking control of a drone would certainly disrupt a military mission, and could possibly turn a military's weapons on itself."
Indeed, Iran claims to have already done the former. "It's not unreasonable to think the same could be done to robots having arms and legs instead of wings," Pittenger warns.
Deral Heiland, research lead at Rapid7, agrees that the problem is both real and current. "On the personal level, the boom in IoT technology that we are now seeing has led to robots in various forms becoming part of our daily life," Heiland says. "It is critical that manufacturers take action to properly secure robots prior to going to market."
And Mike Ahmadi, global director for critical systems security at Synopsys, thinks that once external connectivity is introduced, industrial robots will become potential security timebombs, wherein any system where vulnerabilities are not constantly audited and managed eventually becomes easier to compromise over time, as the number of vulnerabilities climbs.
"The amount of damage that can be done," he says, "is fully dependent on the capabilities of the robot, and simply hacking a robot to operate slightly out of a specified configuration mode can lead to everything from minor damage to death."
Despite all of that, Pascal Geenens, Radware EMEA security evangelist, points out that "earlier generations of household robots still in use are benign and their capabilities or brains are limited." It's the new generation we need to be concerned with, as 'connected' means there must be "some sort of private data stored on the device, potentially linked with more information in the cloud that can be compromised".
We asked what Mark Kuhr, co-founder and CTO at Synack, thought early adopters should be doing to protect home robots given that there's no McAfee Robot Antivirus available yet. "The robot vendors, like any other software vendor, need to perform security assessments regularly and as systems are being developed," Kuhr insists. "Secure development lifecycles apply to any system, and robotics manufacturers need to be aware of the avenues of attack on these systems by a determined adversary."
Lucas Apa reckons that every project should "start with education and awareness". If vendors can integrate these into their early stages of design, they will create more secure products. "End-users will mostly rely on trusting vendors and their software," Lucas concludes, "as it is unrealistic that everyone will have the technical skills to configure each robot on their own for hardening purposes."
As Ian Hughes, internet of things analyst at 451 Research, adds, "A robot is no different from any other complex connected device. It is a compound system but will incorporate a primary operating system, such as Linux, that needs to remain patched and administered as with any gateway, device or server."
If it has a central point of control this needs to be secured not shipped with a standard username and password left unchanged. "Subsystems," Hughes warns, "should be designed to only communicate in ways that are essential to its operation."
The IOActive report concludes that many of the cyber-security issues in robotics could be prevented by adopting well-known principles in information security.
“We found it possible to hack these robots in multiple ways, made a considerable effort to understand the threats and took care in prioritising the most critical of them for mitigation by the affected vendors. This knowledge enabled us to confirm our initial belief: it's time for all robot vendors to take immediate action in securing their technologies."