Industrial robots, commercial-use robots and domestic robots are highly vulnerable to cyber-attacks and can be controlled by hackers to spy on their users or to cause physical harm.
Hackers can hack into industrial and domestic robots to disable their safety features, neutralise them or to use them to spy on their owners.
Research by information security services firm IOActive has revealed how a number of industrial, commercial and domestic-use robots are vulnerable to attacks from malicious hackers. The firm has highlighted that robots manufactured by the likes of Pepper, NAO, Softbank, Universal and UBTech feature several vulnerabilities.
Earlier this year, IOActive revealed that six of the biggest home, business, and industrial robot brands featured 50 common cyber security flaws in their products. Critical flaws in their robots included insecure communications, authentication issues, weak cryptography, weak default configuration and memory corruption.
While IOActive did not disclose technical details on vulnerabilities that were observed in robots at that time to give the manufacturers time to fix such flaws, the firm has now released a detailed report on security flaws that exist in industrial, commercial and domestic-use robots.
The report reveals that robots can be hacked and then used by attackers as insider threats in organizations, industries or homes. Attackers can identify the presence of robots on large networks by searching for their default host names, or by working out their IP addresses from serial numbers, and can then exploit the lack of authentication to take control of them.
For example, the USB dongle in Asratec's V-Sido CONNECT RC microcontroller does not enforce a strong Bluetooth PIN for pairing with the microcontroller board, making it easier for attackers to control or reconfigure the robot remotely. The absence of authentication to confirm a user's identity can likewise be exploited to take control of ROBOTIS' RoboPlus firmware.
Once hackers gain control of robots, they can then interact with exposed API services to control or disable critical functions like collision avoidance or collision detection mechanisms. Once these are disabled, the robots become direct threats to the physical safety of workers around them.
"IOActive has demonstrated how these robots can be hacked remotely (bypassing their safety features) and used to injure humans around them. Even running at slow speeds, their force is more than sufficient to cause a skull fracture. In the case of commercial robots NAO and Pepper, safety features could also be disabled remotely," the firm notes.
A lack of encryption for critical data is another reason attackers can read security-critical data exchanged between users and their robots. For example, the RoboPlus Server transmits sensitive or security-critical data in cleartext over a communication channel that unauthorized actors can sniff. Transmitting data this way forgoes 'the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys,' said researchers at IOActive.
The researchers observed that the unencrypted HTTP protocol is used for network communication between mobile applications and servers, and that sensitive information stored in robot cloud services is likewise not encrypted before storage or transmission, leaving glaring security holes.
Aside from being attacked over the network, many robots can also be tampered with physically, thanks to exposed ports and external controllers. An exposed USB port can be used to alter or control robot joints, while exposed Ethernet ports can be used to reach a robot's network services and issue it new commands. Disconnecting a power port or cable amounts to a temporary denial of service.
Various robots, including Pepper, NAO and Robotis models, have a large number of exposed USB and Ethernet ports that allow an attacker to access network services, control the robot's joints, update firmware and so on. Exposed unencrypted storage cards such as SD cards could allow attackers to change robot actions or any other downloadable content stored on them.
The worrying part of all this is that such vulnerabilities are being discovered even as spending on robotics is expected to touch $188 billion by 2020. A number of countries are planning to build robots for various purposes that include new roles as shop assistants, companions for the elderly, healthcare workers and even law enforcement officers. Robotic surgery has already been linked to 144 deaths in the US.
"We have seen vendors struggling with a growing number of cybersecurity issues in multiple industries where products are growing more connected, including notably IoT and automotive in recent years. This is usually the result of not considering cybersecurity at the beginning of the product lifecycle; fixing vulnerabilities becomes more complex and expensive after a product is released," said Cesar Cerrudo, IOActive’s Chief Technology Officer.
"If we combine powerful burgeoning AI technology with insecure robots, the Skynet scenario of the famous Terminator films all of a sudden seems not nearly as far-fetched as it once did," he added.