A report from information security services firm IOActive identifies more than 50 common cyber security flaws across six of the biggest home, business and industrial robot brands.
It's nearly 3 years since reports of a baby monitor being hacked caused a considerable stir. Since then the Internet of things has grown rapidly assisted in part by a growth in robotics technology. But how secure is robot technology. The report identifies many vulnerabilities, including several that would leave the robots highly susceptible to cyber attack. The consequence of an attack could include:
- Spying via a robot’s microphone and camera
- Theft of personal or business data
- Reduction in business efficiency
- Serious physical harm or damage to people and property in the vicinity of a hacked robot
Robotics is growing fast. Reports forecast worldwide spending on robotics will reach $188 billion in 2020. South Korea alone is planning to invest $450 million in robotic technology over the next five years. And we are beginning to see robots developed in a wide variety of areas beyond the "traditional" areas of manufacturing and children's toys. Robots are being developed as shop assistants, companions for the elderly, healthcare workers and even law enforcement officers.
But like any machine, robots can malfunction. It's not long since someone was killed when 'not driving' a driverless car. And a woman was killed in 2015 at the Ajin USA plant in Cusseta, Alabama, when an industrial robot restarted abruptly. Even more worryingly, robotic surgery has been linked to 144 deaths in the US.
Of course many robotic accidents will be down to design flaws or operational mistakes. But the presence of cyber security vulnerabilities just adds a new dimension to the way that robots have the potential to cause damage. That's why the paper, “Hacking Robots Before Skynet,” written by IOActive’s Chief Technology Officer, Cesar Cerrudo, and Senior Security Consultant, Lucas Apa, is important.
“There’s no doubt that robots and the application of Artificial Intelligence have become the new norm.” said Cerrudo. And indeed robots are appearing everywhere, in toys, transport, the military, healthcare, smart houses and factory machines. Given the proliferation of robots, a focus on cyber security is vital to ensure that robots are safe.
The research, which looked at systems developed from companies including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics, and Asratec Corp looked at both the robots themselves and their control software and systems. Typical vulnerabilities found include insecure communications, authentication issues, weak cryptography, weak default configuration and memory corruption.
As well as identifying the likely risks from robots to people and businesses, the the report outlines the basic security precautions that should be taken by robot manufacturers to improve the security of robots. These include:
- Security from Day One through the use of Secure Software Development Life Cycle (SSDLC)
- Encryption of robot communications and software updates
- Authentication so that only authorized users have access to robot functionality
- Secure default configuration
- A secure supply chain (not easy to manage!)
- A cyber secure workforce who have been educated about cyber safety
- Security audits on all of the robot’s ecosystem components prior to going into production
It is tempting to focus on functionality during the process of designing robots: after all many robots are at the cutting edge of technology and are delivering new and efficient ways of doing every day tasks. But if those robots are not cyber secure then the potential savings they offer may well start to look very poor compared to the damage they inflict on the businesses and people around them. Ensuring robots are cyber secure should be a fundamental part of the design process.
Please note that IOActive has disclosed these vulnerabilities to all the manufacturers affected. To give them time to effectively resolve these issues, IOActive will not reveal the full technical details of the report. Instead, the report reveals common vulnerabilities and the consequences should they be exploited. The threats unearthed include surveillance (taking control of microphones and cameras), corporate espionage and even physical harm – as hacker-controlled home/factory robots become potentially lethal weapons. Indeed, several people have already having lost their lives in accidents caused by malfunctioning robots.. The implications are even more perilous in areas like healthcare and the military, both of which are soon to leverage robotics.