IOActive finds security vulnerabilities in home, business & industrial robots
02 March 2017
Leader in research-driven security services, IOActive, has released a new paper exposing numerous vulnerabilities found in multiple home, business, and industrial robots.
The array of vulnerabilities identified in the systems evaluated included many graded as high or critical risk, leaving the robots highly susceptible to cyberattack. Attackers could employ the issues found to maliciously spy via the robot’s microphone and camera, leak personal or business data, and in extreme cases, cause serious physical harm or damage to people and property in the vicinity of a hacked robot.
The research paper, “Hacking Robots Before Skynet,” is authored by IOActive’s Chief Technology Officer, Cesar Cerrudo, and Senior Security Consultant, Lucas Apa, and is available on the IOActive website here: http://ioac.tv/hackingrobots.
“There’s no doubt that robots and the application of Artificial Intelligence have become the new norm and the way of the future,” said Cerrudo. “Robots will soon be everywhere - from toys to personal assistants to manufacturing workers - the list is endless. Given this proliferation, focusing on cybersecurity is vital in ensuring these robots are safe and don’t present serious cyber or physical threats to the people and organizations they’re intended to serve.”
During the past six months, IOActive’s researchers tested mobile applications, robot operating systems, firmware images, and other software in order to identify the flaws in several robots from vendors including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics, and Asratec Corp.
“In this research, we focused on home, business, and industrial robots, in addition to robot control software used by several robot vendors,” said Apa. “Given the huge attack surface, we found nearly 50 cybersecurity vulnerabilities in our initial research alone, ranging from insecure communications and authentication issues, to weak cryptography, memory corruption, and privacy problems, just to name a few.”
According to Cerrudo and Apa, once a vulnerability has been exploited, a hacker could potentially gain control of the robot for cyber espionage, turn a robot into an insider threat, use a robot to expose private information, or cause a robot to perform unwanted actions when interacting with people, business operations, or other robots. In the most extreme cases, robots could be used to cause serious physical damage and harm to people and property.
The report also outlines basic security precautions that should be taken by robotic vendors to improve the security of robots, including implementing Secure Software Development Life Cycle (SSDLC), encryption, security audits, and more.
“We have already begun to see incidents involving malfunctioning robots doing serious damage to their surroundings, from simple property damage to loss of human life, and the situation will only worsen as the industry evolves and robot adoption continues to grow,” continued Cerrudo. “Vendors need to start focusing more on security when speeding the latest innovative robot technologies to market or the issue of malfunctioning robots will certainly be exasperated when malicious actors begin exploiting common security vulnerabilities to add intent to malfunction.”
All vendors included in the paper were alerted to the various specific vulnerabilities identified within their products many weeks ago in the course of responsible disclosure. Specific technical details of the vulnerabilities identified will be released at the conclusion of the disclosure process when vendors have had adequate time to address the findings.