view counter

CybersecuritySerious security vulnerabilities found in home, business, industrial robots

Published 6 March 2017

Researchers have identified numerous vulnerabilities in multiple home, business, and industrial robots available on the market today. The vulnerabilities identified included many graded as high or critical risk, leaving the robots susceptible to cyberattack. Once a vulnerability has been exploited, a hacker could potentially gain control of the robot for cyber espionage, turn a robot into an insider threat, use a robot to expose private information, or cause a robot to perform unwanted actions when interacting with people, business operations, or other robots. In the most extreme cases, robots could be used to cause serious physical damage and harm to people and property.

Seattle, Washington-based IOActive, Inc. last week released a new paper identifying numerous vulnerabilities found in multiple home, business, and industrial robots available on the market today. The vulnerabilities identified in the systems evaluated included many graded as high or critical risk, leaving the robots susceptible to cyberattack. Attackers could employ the problems found maliciously to spy via the robot’s microphone and camera, leak personal or business data, and in some cases, cause serious physical harm or damage to people and property in the vicinity of a hacked robot.

The research paper, Hacking Robots Before Skynet, is authored by IOActive’s Chief Technology Officer, Cesar Cerrudo, and Senior Security Consultant, Lucas Apa.

“There’s no doubt that robots and the application of Artificial Intelligence have become the new norm and the way of the future,” said Cerrudo. “Robots will soon be everywhere - from toys to personal assistants to manufacturing workers - the list is endless. Given this proliferation, focusing on cybersecurity is vital in ensuring these robots are safe and don’t present serious cyber or physical threats to the people and organizations they’re intended to serve.”

IOActive says that during the past six months, company’s researchers tested mobile applications, robot operating systems, firmware images, and other software in order to identify the flaws in several robots from vendors, including: SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics, and Asratec Corp.

“In this research, we focused on home, business, and industrial robots, in addition to robot control software used by several robot vendors,” said Apa. “Given the huge attack surface, we found nearly 50 cybersecurity vulnerabilities in our initial research alone, ranging from insecure communications and authentication issues, to weak cryptography, memory corruption, and privacy problems, just to name a few.”

According to Cerrudo and Apa, once a vulnerability has been exploited, a hacker could potentially gain control of the robot for cyber espionage, turn a robot into an insider threat, use a robot to expose private information, or cause a robot to perform unwanted actions when interacting with people, business operations, or other robots. In the most extreme cases, robots could be used to cause serious physical damage and harm to people and property.

The report also outlines basic security precautions that should be taken by robotic vendors to improve the security of robots, including implementing Secure Software Development Life Cycle (SSDLC), encryption, security audits, and more.

“We have already begun to see incidents involving malfunctioning robots doing serious damage to their surroundings, from simple property damage to loss of human life, and the situation will only worsen as the industry evolves and robot adoption continues to grow,” continued Cerrudo. “Vendors need to start focusing more on security when speeding the latest innovative robot technologies to market or the issue of malfunctioning robots will certainly be exasperated when malicious actors begin exploiting common security vulnerabilities to add intent to malfunction.”

IOActive notes that all vendors included in the paper were alerted of the various specific vulnerabilities identified within their products many weeks ago, in the course of responsible disclosure. Specific technical details of the vulnerabilities identified will be released at the conclusion of the disclosure process when vendors have had adequate time to address the findings.

— Read more in Cesar Cerrudo and Lucas Apa, Hacking Robots before Skynet (IOActive, 2017)