In-brief: a report by the firm IOActive warns that industrial and home robots may be vulnerable to remote, software based attacks.
The term “robot” comes from the Czech word robota, meaning “forced labor.” And, while we might like to think of them as aspirational creations – marvels of engineering and maybe even future companions– most robots today are laborers, plain and simple. In fact, despite the campaign rhetoric about global trade with China stealing jobs, its has been pointed out that robots, not guest workers, account for the vast majority of US manufacturing that have been lost in recent decades. A study by Ball State estimates that just 13 percent of US manufacturing job losses are due to trade, with the rest attributable to automation.
But as more jobs are turfed to our tin-suited friends, there are new risks introduced to businesses, homes and our economy. Among those is the risk of robot hacking, according to researchers at the firm IOActive, who found that industrial and home robots they studied frequently contained exploitable software vulnerabilities that could leave them vulnerable to hackers.
In a paper released on Wednesday, IOActive researchers Cesar Cerrudo (@cesarcer) and Lucas Apa (@lucasapa) report that they discovered 50 cybersecurity vulnerabilities in what they term “robot ecosystem components” for common industrial, business and home robots. In an uncanny repetition of the problems that have long plagued their desktop bound cousins, the robots studied by the pair failed to use strong authentication controls or encryption to protect sensitive communications to and from the device. Default settings for robots frequently left them vulnerable to tampering, including the use of default passwords that were either “hard coded” (that is: could not be changed) or were difficult to alter.
Notably: a common open source robot framework, the Robot Operating System (or ROS) ROS suffers from many known cybersecurity problems: sending communications as cleartext, weak authentication and authorization schemes, and so on. ROS is used by several robots from different vendors, spreading the insecurity around.
It’s important to note that the researchers did not have physical robots to test their hacks on in all cases. Rather, they identified exploitable holes in the software and services that manage and control robot hardware. And, as the researchers note, their research wasn’t exhaustive. Among the platforms that were tested were the NAO and Pepper robots by SoftBank Robotics, the UBTECH Alpha 1s and Alpha 2, the OP2 and THORMANG3 robots by Robotis and the Baxter and Sawyer robots by Rethink Robotics. “Each robot we tested had many of the issues,” the researchers wrote. “While we didn’t test every robot available on the market today, the research did lead us to believe that many robots not included in our assessment could have many of these same cybersecurity issues.”
The robot security problem ends up as the Internet of Things problem, writ small, Cerrudo and Apa write. As with the makers of other “connected” and “smart” devices on the Internet of Things, robot manufacturers are being driven by market pressures to add more interactive features to their creations that improve accessibility, usability, and interconnection.
However, more sensors and interactive features also increase the attack surface of the robot, making them “more fragile from a cybersecurity perspective,” the IOActive researchers report. Microphones and cameras can be used for cyber espionage and surveillance. Network connections allow remote attacks on robot platforms, with “a hacked robot becomes an inside threat, providing all of its functionality to external attackers.” The creation of application ecosystems for robots creates the possibility of malicious applications that can grant attackers control over the robot or alter its behavior – as is the case with smart phones. And, as with other Internet of Things platforms, weak control over software (or “firmware”) updates and integrity leave the possibility of malicious code being installed on the robot that gives remote attackers control over the device, or that disables critical safety features.
The consequences of compromised robots could be far more serious than hacked laptops or mobile devices, however. Robots are already responsible for more than three dozen injuries and deaths in U.S. workplaces. Increased reliance on robots and increased connectivity creates the possibility of true cyber-physical attacks with compromised robots causing damage to facilities other robots or their human co-workers.
Cerrudo and Apa say that robot manufacturers should take a cue from the software industry, implementing standard security features and testing prior to releasing their product to market. Cybersecurity should be a focus early on in the product life-cycle and steps should be taken to manage the security and safety of the devices over their lifespan.
This isn’t the first warning about the dangers of software-driven robots. In April, 2015, researchers from the University of Washington warned that the Raven II surgical robot was highly susceptible to hacking, including attacks that could cause “jerky motion of robot’s arms” or render the surgical robot “motionless” and “almost unusable.” The paper underscores the growing threat of software based attacks on surgical devices used in high risk scenarios.