IOActive security researchers Cesar Cerrudo and Lucas Apa published a paper in which they revealed that much of today’s robot technology can be hacked, which can put people’s lives at risk.
Rise Of Robots
As the artificial intelligence industry is booming, it’s also taking the robot industry along with it into mainstream markets. We’ve already seen vacuum robots, telepresence robots, and toy robots, but as robot technology becomes more advanced and robots themselves become smarter, we may want them around our houses to do other household tasks.
According to the IOActive paper, forecasts show that there will be investments of $188 billion in robotics by 2020. A good portion of that will likely be invested into factory robots as businesses try to take advantage of the cheaper labor that robots will offer for certain tasks. We'll probably also see robots used as companions for the elderly, customer assistants in stores, healthcare attendants, and even as security guards or law enforcement agents.
Security Risks For Robots
As we’ve seen from the Internet of Things (IoT) world, security doesn’t seem to be the main priority for most manufacturers. This ends up causing many problems over long periods, but the problems don’t always affect the customers of those products. Often, the real targets of the attackers are internet services, which the attackers intend to bring down by taking over IoT devices.
Meanwhile, the owners of the IoT devices may be merely inconvenienced by devices that respond more slowly to commands. This creates a market issue wherein the vendors of the insecure IoT devices don't have any incentive to improve the security of their products.
When smart things such as self-driving cars or robots are hacked, the consequences could be much more severe, and even life-threatening. That should make software security a much bigger priority for the manufacturers of these products, especially because the customers of these types of products can be the intended targets of the attackers. However, we’re not seeing much evidence that the vendors are taking these issues seriously so far.
Problems Found With Robot Security
The robot ecosystem includes the physical robot, its operating system, firmware, software, remote control applications, cloud services, and more. The ecosystem represents a large attack surface, which could give potential attackers plenty of opportunities to exploit.
The IOActive researchers tested the components that would be easier to access by potential attackers, such as the mobile applications, operating systems, firmware, and software of robots from multiple companies.
The team didn’t do an extensive security audit of the robots’ ecosystems, but its tests have already uncovered almost 50 flaws in robots from SoftBank Robotics, UBTECH Robotics, Robotis, Universal Robots, Rethink Robotics, and Asratec Corp. These companies sell business and industrial robots, but also home robots.
The researchers found that most of the robots were using insecure communications over Internet, Bluetooth, and Wi-Fi. The robots were being updated or controlled over a cleartext channel or one that had weak encryption. And the robot companies weren’t even requiring a username and password to access the robot’s systems, which meant that anyone could control critical components of the robots remotely.
The team also found that the robots enabled insecure features by default that were hard to disable and easy to exploit by attackers. To make things worse, many of the robots used open source frameworks that were known to have multiple unpatched vulnerabilities, such as cleartext communication, authentication issues, and weak authorization schemes.
Consequences Of Hacked Robots
According to the IOActive researchers, a home robot could be exploited to spy or even hurt family members and pets with sudden unexpected movements. Even if the robots have limits on movement for safety reasons, those could be bypassed by attackers.
As home robots become “smarter” they could also be exploited to start fires by tampering with the electricity of the house, mix toxic liquids with foods and drinks, or use sharp objects to hurt pets. Robots integrated with home security systems could also be hacked to deactivate the alarms and cameras, for example, as well as unlock the doors for burglars.
Once a robot is hacked, it could be very difficult to recover it from the attacker, which means that thousands of dollars could be lost as an investment in these robots.
Hacked robots purchased by businesses could suffer similar consequences, but the attacks could be more tailor-made for the business environment. For instance, the robots could deliver incorrect orders, could use inappropriate language with customers, or could go offline, which could hurt the company’s revenues. The attackers controlling the robots could also steal credit card data or trade secrets and other sensitive information.
Industrial robots could be even more dangerous, as they are usually larger and can do more precise, potentially lethal, movements. Industrial robots also tend to be configured exactly the same way in large numbers and can all be controlled from a single location. That makes it easier for an attacker to take control over many of them at the same time.
Improving Robot Security
The IOActive researchers proposed the following improvements to the security of robots:
- Security from Day One: Vendors must implement Secure Software Development Life Cycle (SSDLC) processes.
- Encryption: Vendors must properly encrypt robot communications and software updates. Authentication and Authorization: Vendors must make sure that only authorized users have access to robot services and functionality.
- Factory Restore: Vendors must provide methods for restoring a robot to its factory default state. Secure by Default: Vendors must ensure that a robot’s default configuration is secure.
- Secure the Supply Chain: Vendors should make sure that all of their technology providers implement cybersecurity best practices.
- Education: Vendors must invest in security education of everyone in the company, including management, which often decides whether a robot should have a certain feature or not
- Vulnerability Disclosure: Vendors should make it easier for researchers to report security vulnerabilities
- Security Audits: All robots must undergo an extensive security review before going into production
As robots are still not yet mainstream, the IOActive security researchers recommended that now is the best time to ensure they are secure, before they become a priority target for malicious attackers. It remains to be seen if the robot vendors will listen.