Researchers at security firm IOActive say they’ve found nearly 50 cybersecurity problems in components from a number of major manufacturers of domestic, business and industrial robots.
The most serious vulnerabilities were authentication weaknesses that could be used to remotely control robots, but they also found missing authorization controls, weak cryptography, and weak default configurations.
The flaws are similar to those researchers regularly find in Internet of Things devices such as smart TVs, webcams and connected toys, though IOActive CTO Cesar Cerrudo and senior security consultant Lucas Apa argue in a new report that hacking a robot could be a more serious threat, since robots can pose a physical risk to humans.
The analysis was limited to software, firmware images, operating systems and the robots’ mobile apps; however, IOActive says this was enough to find vulnerabilities that attackers could use to exploit the robots’ kinetic capabilities or turn a robot into a surveillance device.
“We had access to the core components, which provide most of the functionality for the robots; we could say these components bring them to life,” write Cerrudo and Apa.
The researchers claim to have found flaws affecting the mini humanoid robots NAO and Pepper from SoftBank Robotics, and the Alpha 1S and Alpha 2 from UBTECH Robotics. Though these aren’t particularly daunting robots, flaws were also found in the 140cm-tall Thormang3 from ROBOTIS, which features a menacing gripper. They also found issues in industrial robots from Universal Robots and in Rethink Robotics’ Sawyer and Baxter robots.
The researchers singled out weak authentication as the most dangerous flaw, highlighting that most robots exposed services that allowed them to receive external commands or be programmed remotely via software or a mobile app.
“We found key robot services that didn’t require a username and password, allowing anyone to remotely access those services. In some cases, where services used authentication, it was possible to bypass it, allowing access without a correct password,” the researchers wrote.
They also noted that the mobile apps and software that connect to the robots over the Internet, Bluetooth and Wi-Fi did not properly secure the connection, either sending data in the clear or using weak encryption.
Meanwhile, a lack of authorization checks could allow an attacker to install software on some robots without permission.
As with other IoT devices, cybersecurity appears to take second place to ease of use in robots. The researchers found insecure features that can’t be disabled or protected, and features with default passwords that are difficult to change or fixed. Fixed default passwords could be abused in a large-scale attack, since attackers know that every unit of a given model shares the same password.
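The three control gaps described above (services that accept commands without credentials, no authorization check on privileged operations such as installing software, and fixed factory-default passwords) map onto a few lines of request handling. The following is an added example, not code from IOActive or any of the vendors named in the report: a hypothetical robot command service with an insecure handler beside a hardened one. All command names, roles and the factory-default credential list are constructed for illustration.

```python
"""Hypothetical robot command service: the unauthenticated handler the report
describes, beside a hardened handler that authenticates, authorizes by role,
and refuses to operate on a factory-default password.

All command names, roles and credentials are constructed for illustration;
none come from a real vendor API.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed factory-default credentials. Because every unit of a model ships
# with the same pair, an account still using one must not run commands.
FACTORY_DEFAULTS = {("admin", "admin"), ("robot", "robot"), ("user", "1234")}

# Constructed policy: which role a command requires. Installing software is
# the privileged operation the report says lacked an authorization check.
COMMAND_ROLES = {
    "move_arm": "operator",
    "read_camera": "operator",
    "install_software": "admin",
}

# Role hierarchy: admin may do anything an operator may.
ROLE_RANK = {"operator": 1, "admin": 2}


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored credentials are not recoverable from firmware."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    role: str
    salt: bytes
    digest: bytes
    must_change: bool = False  # still on a factory default


@dataclass
class RobotService:
    accounts: dict = field(default_factory=dict)
    # Dummy credential used so unknown users cost the same time as known ones.
    _dummy_salt: bytes = field(default_factory=lambda: os.urandom(16))

    def add_account(self, user: str, password: str, role: str) -> None:
        """Provision an account; a factory-default pair is flagged for change."""
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self.accounts[user] = Account(
            role, salt, _digest(password, salt),
            must_change=(user, password) in FACTORY_DEFAULTS,
        )

    def change_password(self, user: str, new_password: str) -> None:
        """Rotate off a default; refuses to rotate onto another default."""
        if (user, new_password) in FACTORY_DEFAULTS:
            raise ValueError("new password is a known factory default")
        salt = os.urandom(16)
        self.accounts[user] = Account(
            self.accounts[user].role, salt, _digest(new_password, salt))

    def _authenticate(self, user: str, password: str):
        acct = self.accounts.get(user)
        if acct is None:
            _digest(password, self._dummy_salt)  # equalize timing, then reject
            return None
        if not hmac.compare_digest(acct.digest, _digest(password, acct.salt)):
            return None
        return acct

    def handle(self, user: str, password: str, command: str) -> str:
        """Hardened path: authenticate, block defaults, then authorize."""
        acct = self._authenticate(user, password)
        if acct is None:
            return "unauthenticated"
        if acct.must_change:
            return "password_change_required"
        required = COMMAND_ROLES.get(command)
        if required is None:
            return "unknown_command"
        if ROLE_RANK[acct.role] < ROLE_RANK[required]:
            return "forbidden"
        return "ok"


def insecure_handle(command: str) -> str:
    """The pattern the report describes: any caller can run any command."""
    return "ok" if command in COMMAND_ROLES else "unknown_command"
```

The hardened `handle` refuses to run any command, even for a valid login, while the account is still on a listed default; that is the behaviour a vendor needs when the default cannot simply be removed from the firmware. The `insecure_handle` function is kept only to show the contrast: it has no identity to check, so an authorization decision is impossible.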
IOActive says it reported the issues to the affected vendors and will not be disclosing details of their findings until a later report.
IOActive’s Apa told Forbes that vendors will probably take a couple of months or more to fix the issues.
“These are the same problems we see in the Internet of Things, the vendors don't have a procedure in place to identify vulnerabilities and release a fix,” he said.
The researchers’ threat modeling outlines several ways attackers could abuse robots, which tend to be designed for accessibility and ease of use, with real-time remote control from mobile applications.
The robot’s microphone and camera could be used as a surveillance tool if the robot is hacked, and a compromise could hand its full functionality to external attackers. In this way, a hacked robot could be a new kind of insider threat for the enterprise, capable of sabotaging a business, say by delivering incorrect orders, or even physically hurting customers or employees. Home robots are also expensive, and could be a target for ransomware or, worse, made to harm family members. As the report notes, a number of robot-related deaths have already happened in factories, but if an incident stops production
Fortunately, the two industrial robot makers, Universal Robots and Rethink Robotics, have acknowledged and responded to IOActive’s findings.
Rethink Robotics released this statement:
“Rethink Robotics is aware of the items that IOActive pointed out, and safety and security have always been a top priority for our company. Two of the items noted by IOActive are intentional design features for the research and education version of Rethink’s robots only. These users need a greater degree of accessibility into the system to create new uses for the robot as part of their research.
The other items noted by IOActive were already known to us and addressed in Rethink’s latest software release. Like most software providers, we routinely release software updates with new features and capabilities for the robot, as well as bug fixes and security patches. As with all manufacturing equipment, we also expect that the robot is connected to a secure corporate network.
We thank IOActive for their efforts in this important area. It will help make the community stronger.”
Universal Robots said in a statement:
“While our products meet their specifications and stated standards, we've been made aware of the report from IOActive and are investigating the potential vulnerability described and potential countermeasures.”