Robots Rife With Cybersecurity Holes

IOActive Labs released a report Wednesday warning that consumer, industrial, and service robots in use today have serious security vulnerabilities.

Robots with inadequate security could be hacked and cause physical harm or be used to spy on unsuspecting owners in the near future.

Researchers at IOActive Labs released a report Wednesday warning that consumer, industrial and service robots in use today have serious security vulnerabilities making them easy targets for hackers or accidental breaches.

In a review of 10 robots, spanning home, business, and industrial models, IOActive said the risks ranged from insecure communications and authentication issues to weak cryptography and missing authorization. Cesar Cerrudo, CTO of IOActive Labs, said robots suffer from many of the same security shortcomings as IoT, medical devices, smart cars and plush toys.

“We found nearly 50 cybersecurity vulnerabilities in the robot ecosystem components, many of which were common problems,” according to the IOActive Labs report. As part of its investigation, IOActive analyzed some robot hardware as well as robot ecosystems. Some of the robots examined included SoftBank Robotics’ NAO and Pepper robots, UBTECH Robotics’ Alpha 1S and Alpha 2 robots and Rethink Robotics’ Baxter and Sawyer robots.

Underlying issues within the robots studied for the report, Cerrudo said, included weak default configurations, a big security problem responsible for privacy breaches and DDoS attacks in other internet-connected devices.

“We found robots with insecure features that couldn’t be easily disabled or protected, as well as features with default passwords that were either difficult to change or could not be changed at all,” according to the report.

In a closer examination of the robot ecosystems, IOActive Labs said many of the robot platforms it analyzed use open source frameworks and libraries that suffer from known vulnerabilities such as cleartext communication, authentication issues, and weak authorization schemes.

“In the robotics community, it seems common to share software frameworks, libraries, operating systems, etc., for robot development and programming. This isn’t bad if the software is secure; unfortunately, this isn’t the case here,” according to IOActive Labs.

Cerrudo said the threat of robots is unique in that many are semiautonomous and can wander and impact their immediate physical environment. “The threat is limited today, compared to what robots will be capable of in the future,” he said.

Robot components such as microphones, cameras, network connectivity, remote control applications and mobility features that help robots navigate physical environments need better security, Cerrudo said.

“A hacked autonomous robot can move around as long as its battery continues to provide power. This allows hackers to control an ‘insider threat’ and steal information or cause harm to nearby objects or people,” according to the report.

When asked, Cerrudo could not point to any known cases of a hacked robot causing personal harm or posing a security risk. Nevertheless, he cited several robot-related accidents that he said demonstrate potential risks posed by a hacked robot.

In one case cited by IOActive Labs, a woman was killed in an industrial accident in 2015 in Alabama when an industrial robot restarted abruptly. It cited additional loss of life incidents tied to robotic functions within computerized medical and military equipment.

“We aren’t aware of any robots that have been hacked. But security of the robots we tested is very poor. Eventually in the future, when robots are more mainstream, we expect cybercriminals will start seeing hacking robots as a way to make money,” said Lucas Apa, senior security consultant with IOActive Labs.

That timeline of mass robot adoption is still a little foggy, according to Apa. According to market research firm IDC, worldwide spending on robots will reach $188 billion by 2020, up from $91.5 billion in 2016. According to IDC, many of those robots will include consumer, industrial, and service robots for industries such as healthcare and retail.

“The industry doesn’t appear to learn from its mistakes,” Cerrudo said. The same developer pressures that led to cybersecurity missteps in the past are impacting robot development today. “Security still appears to be an afterthought as developers face pressures to introduce new features without sufficient vetting for security and bend over backward to please investors by bringing products to market fast,” he said.

Security needs to be a priority for robots from day one, the report states. “Vendors must ensure that a robot’s default configuration is secure… Vendors should make sure that all of their technology providers implement cybersecurity best practices… And vendors must implement Secure Software Development Life Cycle processes,” according to the report.
