SoftBank's Pepper & NAO robots highly vulnerable to ransomware attacks

News by Jay Jay

More than 30,000 Pepper and NAO robots used worldwide are vulnerable to ransomware attacks through which cyber-criminals can restrict a business's access to data, impact operations and cause such robots to malfunction.

SoftBank's Pepper and NAO robots, more 30,000 of which have been sold to enterprises worldwide, have been found to contain serious design flaws that enable hackers to carry out potential ransomware attacks, thereby affecting their functionality and causing huge losses to businesses. At the same time, it could take weeks to repair malfunctioning robots, thereby impacting productivity.

Security researchers at IOActive recently carried out a Proof of Concept ransomware attack on a NAO robot to demonstrate how a malicious attacker could take control over or damage such robots. They stated that by exploiting an undocumented function that allows remote command execution, a hacker could change robot default operations, disable administration features, monitor video/audio and send such data to a remote C&C server.

Using the same exploit, a hacker could also elevate privileges, change SSH settings, change root password to disable remote access, and disrupt factory reset mechanism to prevent users from restoring the system or isolating the ransomware.

Yet another flaw that a hacker could exploit is the injection of a custom Python code into a NAO robot's .xar behaviour files. This flaw allows a hacker to stop a robot from functioning, display pornographic content on its tablet display when the robot is turned on, make the robot use curse words while interacting with customers, and make the robot perform violent movements, thereby placing people at risk of injury.

According to the researchers, a hacker can use the same exploits to affect both Pepper and NAO robots as both robots basically use the same operating system with minor variations.

"What we found was pretty astonishing: ransomware attacks could be used against business owners to interrupt their businesses and coerce them into paying ransom to recover their valuable assets. The robots could also malfunction which may take weeks to return them to operational status. Unfortunately, every second a robot is non-operational, businesses and factories are losing lots of money," said Lucas Apa, one of the two researchers from IOActive who carried out the Proof of Concept attack.

“Even though our proof of concept ransomware impacted SoftBank's NAO and Pepper robots, the same attack could be possible on almost any vulnerable robot. Robot vendors should improve security as well as the restore and update mechanisms of their robots to minimise the ransomware threat. If robot vendors don't act quickly, ransomware attacks on robots could cripple businesses worldwide," he added.

When asked by SC Magazine UK if the robot industry is following the IoT trend where manufacturers focused more on efficiency and product features compared to design flaws that could pave the way for cyber-attacks, Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team, said that "this is absolutely the case".

"Many of the problems they have found on industrial robots have close parity with the types of flaws I have been finding in smart home products and other consumer embedded devices. IOActive has disclosed that numerous robotic devices allow anyone on the local network to send instructions to the robot. This is something I have also found to be prevalent with connected light bulbs, outlets, and smart home controllers," he said.

When asked if businesses should reconsider their plans of shifting towards automation in light of recent reports on vulnerabilities in popular industrial robots, he added that businesses should move towards automation "with appropriate consideration of the potential impacts".

"Businesses looking to adopt this technology need to first think about the possible impact on their business if these systems are disrupted so that they can implement disaster recovery plans. I do not think businesses need to stop moving towards automation out of concern for security but they definitely should be having security audits of systems before becoming overly dependent on them," he added.

Giovanni Vigna, CTO and co-founder of Lastline, also told SC Magazine UK that robots are often driven by custom firmware which are "optimised for resource efficiency and real-time responsiveness, but not security".

"The shift to automation is not something that can be hampered. However, we need to design the software that controls these device with the same care we use of any critical, Internet-exposed system. The new normal is (or should be) that *everything* is Internet-accessible, even when it is not apparently so," he said.

Mark James, security specialist at ESET, said that considering how security breaches and cyber-attacks can prove costly for enterprises that use robots, "keeping the software patched and up to date will be in most cases the only way of having a secure work force".

"As our thirst for automation expands, one of the concerns has to be the increasing amount of robot type hardware we are seeing not only in the business environment, but also the home and leisure industry. As with any type of automation it is subject to abuse or compromise and is one the reasons we need security built in from design and not something that's added at a later date.

"They [robots] can be compromised and can be infected with malware that could enable an attacker to gain control of the hardware either for ransom or just for malicious reasons- if your organisation has invested hundreds of thousands in the having this type of automation it's highly likely that ransomware attacks will result in seriously considering anything just to get the operation back working again," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews