Robot creators beware: modern robots are riddled with critical -- and often common -- vulnerabilities that could be exploited to cause real-world harm as the world becomes more connected, research from IOActive revealed.
It's no secret that the Internet of Things remains largely insecure, and robots are no exception: initial research uncovered nearly 50 cybersecurity vulnerabilities in robot ecosystem components, many of which were common problems, according to the company's “Hacking Robots Before Skynet” report.
These numbers likely just scratch the surface of the vulnerabilities in these popular robotics systems; researchers warned that more extensive testing would have required a larger investment of time and resources but likely would have yielded more vulnerabilities.
“Most robot components have vulnerabilities, difficult to tell exactly which one is more vulnerable,” IOActive Chief Technology Officer Cesar Cerrudo told SC Media. “It would take a lot of effort to make robots more secure since it's clear that security wasn't considered early in the robot development, this makes changes more difficult and expensive in general.”
He said it would take vendors some months to fix the issues they have found and much more time to make robots more secure.
Researchers tested mobile applications, robot operating systems, firmware images, and other software from vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics, and Asratec Corp.
Many of the high-level non-technical vulnerabilities stemmed from insecure communications, missing authorization, weak cryptography, privacy issues, weak default configurations, and vulnerable open source robot frameworks and libraries.
“Most common vulnerabilities involved authentication issues, insecure communications, weak cryptography and privacy issues,” IOActive Senior Security Consultant Lucas Apa told SC Media. “Robot ecosystems represent a huge attack surface for attackers: there are many components and multiple ways that robots can interact with other technology around, so entrypoints are increasing over time with each new feature that vendors add.”
And although it was not the work of a Terminator, robots have already injured humans due to malfunctions without malicious intent. In 2015 a woman was killed by an industrial robot at the Ajin USA plant in Cusseta, Alabama, when an industrial robot restarted abruptly. Researchers warn the consequences could be just as bad or worse once threat actors begin targeting them.
“When you think of robots as computers with arms, legs, or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before,” the report said. “As human-robot interactions improve and evolve, new attack vectors emerge and threat scenarios expand.”
Researchers narrowed down a set of common features that threat actors would most likely find attractive, including microphones, cameras, network connectivity, external services interaction, remote control applications, modular extensibility, and safety features.
Possible attack points also include main software, autonomous robots, known operating systems, network advertisement, fast installation/deployment, backups, and connection ports.
Outside the realm of physical harm, compromised robots could also harm a brand if a robot owned by a consumer-facing business were compromised to use inappropriate language, deliver incorrect orders, or go offline and say “Hasta La Vista” unexpectedly.
“There's no doubt that robots and the application of Artificial Intelligence have become the new norm and the way of the future,” Cerrudo said in a press release. “Robots will soon be everywhere - from toys to personal assistants to manufacturing workers - the list is endless.”
Cerrudo told SC Media that “all industries using robots are at risk of robots being hacked and that it could result in money losses, espionage, property damage and even people being hurt depending on the kind of robot.”
Even personal assistant devices that don't move, like Amazon Alexa and Google Home, could present a risk to your security, the researchers said.
“Even though they don't move, they can receive voice orders and can communicate with other technology around,” Apa said. “Having other devices near that have speakers is not a very good idea. If they can be hacked: voice orders from a hacked device to another that listens will do the magic.”
Researchers warned that military and law enforcement robots would present the most danger if hacked since they are often used to manipulate dangerous devices and materials, such as guns and explosives.
Developing a plan to defend ourselves from self-aware robots with Austrian accents is a bridge we will have to cross when we get there, but right now researchers recommend we figure out how to secure our robots from malicious threat actors to protect our data and livelihood.
Rubicon Labs Vice President Rod Schultz told SC Media the issues highlighted in the report will become more impactful with each passing year.
"A compromised digital system that can be rapidly turned into a weapon against its owner is a reality that must be addressed, but unfortunately it will remain neglected for many years," Schultz said.
"Today security and encryption are expensive and complex, and addressing them slows down innovation and raises costs. Today there is no punishment for poor security, the price is paid years later."
He added that when the robotics security bill is delivered in 10 years it will not be difficult to map what was highlighted in this report to almost every security breach.
Fortunately the researchers have notified all of the vendors in their study and are actively working with them to better secure their products.