IOActive warns $91.5bn robotics industry is a huge opportunity for hackers
8 March 2017
Worldwide robotics spending is set to reach more than $188 billion by 2020, but a report from security consultancy IOActive suggests that robots in business, industry, and in the home are being shipped with serious security vulnerabilities.
The onset of mechanical automation in factories and warehouses could provide opportunity for industrial espionage, sabotage, or even violence against people, the report from IOActive warns. At present, robotics is a nascent technology and is not being held to the same level of scrutiny as more mature technologies.
Worse, failure to properly secure robots could result in death, the report says. The US Department of Labor keeps a tally of injuries and deaths that were caused by robots in the workplace. Although it’s a relatively short list and goes back to 1984, the expected trend for robotics to augment human workers could lead to more incidents.
IOActive researchers analysed robots from a variety of vendors in business, industry and the home, including SoftBank, Ubtech, Robotis, Universal Robots, Rethink Robotics and Asratech Corp. They quickly found 50 vulnerabilities in the ecosystem of these robots, “many of which were common problems”. The paper notes that this was a top-level examination rather than a deep and extensive security audit so there could be many more.
Most of the robots IOActive looked at were using insecure communication channels, whether that was through the Internet, Bluetooth or WiFi, and sending critical information in cleartext or with weak encryption.
They also discovered that “most” of the robots had severe authentication problems for remote access, including critical functions such as programming the robots via external commands.
The report notes: “We found key robot services that didn’t require a username and password, allowing anyone to remotely access those services. In some cases, where services used authentication, it was possible to bypass it allowing access without a correct password. This is one of the most critical problems we found, allowing anyone to remotely and easily hack the robots.”
Speaking with Computerworld UK, IOActive’s CTO Cesar Cerrudo explains: “While I was doing the research of all the vendors and models I didn’t find any mention of security, there was no security research, no one talking about security in robots. An attack could compromise software running the robots and take over the robots – the hacker could use a robot to hack networks, other systems, move around, or conduct espionage because of the built in cameras and microphones.
“An attacker could try to break a robot, or break the system. In that case it would cause huge financial impact to the organisation – robots are becoming cheaper but they are not very cheap, so imagine if a factory or a business with several dozens or hundreds is compromised.”
IOActive found that replacing the software on a compromised robot often proves difficult – with the only option being to return the machine to the factory for repair. A network of compromised robotic systems could, then, have enormous economic consequences for an organisation.
The majority of the robots didn’t need a high level of authorisation for installing applications in the robots or updating their operating systems, so an attacker could install software in the robots without permission to gain full control of them.
IOActive also discovered that the robots it tested were largely not using encryption, were weak on data protection – such as sending private information to remote servers without the user knowing – and had weak default configurations out of the box. Passwords were difficult to change or could not be changed at all. And one of the most popular operating systems for robotics, the Robot Operating System (ROS), has well-known authentication problems, cleartext communication and weak authorisation.
“An attacker that can compromise a robot can control its movement, or gain access to the operating system behind these mechanical parts,” adds senior security consultant for IOActive, Lucas Apa. “Some robots have face recognition functionalities – an attacker once he’s able to enter the OS can reuse these features, for example, obtain the database of the people the robot recognises, or begin recording when a specific face is recognised by the robot.
“A lot of trade secrets move around in industrial facilities,” Apa says. “Having an insider threat that can actually see inside a facility – and some of them can move around the facility – could potentially leak a lot of trade secrets or specific information about manufacturing companies.”
A hacked robot could even be used to physically harm humans or property. The report notes an instance in which an automated cannon being tested by the South African National Defence Force malfunctioned, killing nine soldiers and seriously injuring 14 others during a testing exercise.
The mechanised joints in many of the robots that are currently being deployed are not fast or strong enough to severely hurt people at the moment. But IOActive expects this to change.
“We will see that the strength and speed of these robots will get better and faster over time,” says Apa. “So the threat of a robot hitting someone, or damaging property, is real and is something that will get more real in the forthcoming years. They are going to be widely adopted soon.”
Alarmingly, Cerrudo warns that the feedback from the vendors hasn’t been so positive. “We sent all the technical details to them and after that, we asked for feedback, and only two vendors came back to us, one said they were going to fix the issues,” he says. “But they didn’t say anything else. The other vendor said the findings were interesting and they should do something about it, but they didn’t say anything else.”
He says that it’s likely government will move to regulate robotics in a way that will place pressure on vendors to ramp up their security.
“Robots are a huge threat if they are hacked, so sooner or later governments will try to put some regulations or standards in play to protect businesses and people,” Cerrudo says. “It’s not the same as a computer or IoT device being hacked, because those are fixed and don’t move around. Robots can move around, push things, hit people. They are a lot more dangerous.”
IDG News Service