Security Architecture, Endpoint/Device Security, IoT, Network Security, Threat Management, Malware, Ransomware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Proof-of-concept ransomware attack transforms robots into extortionists


Researchers from IOActive have developed a proof-of-concept attack that turns ordinarily benevolent robots into malicious, money-grubbing automatons who demand bitcoin as a ransom payment.

According to a Mar. 9 company blog post, IOActive researchers Cesar Cerrudo and Lucas Apa wrote code to compromise the NAO and Pepper robots from SoftBank Robotics, both of which share nearly the same OS System and vulnerabilities. One of these vulnerabilities -- an undocumented function that enables remote command execution -- was just publicly disclosed today. 

"Even though SoftBank was notified January 2017, we aren't aware of any fix available yet," the blog post reads. SC Media has reached out to SoftBank for comment.

The attack involves using this vulnerability to infect files, in order to modify default operations, disable admin features, and monitor video and audio. Additionally, the attackers can elevate privileges, change SSH settings and the root password, disrupt the factory reset mechanism, communicate with a command-and-control server.

Finally, the robot is transformed from an amiable ally into an avaricious extortionist by injecting custom Python code into the behavior files.

"I've been hacked! I need bitcoins!" states an infected NAO robot in an ominous voice, in a video that IOActive posted. "I love bitcoins! Give me bitcoins now or prepare to die!"

What's more, IOActive notes that the ransomware is difficult to uninstall. "Having a technician fix a robot problem could take weeks depending on availability," the blog post states.

NAO is a humanoid robot that aids in research and education robots in the world, with 10,000 already sold worldwide. Pepper is a humanoid robot used in telecom retail stores that is capable of recognizing human emotions and responding accordingly. 

According to IOActive, in a real-world scenario robots infected with ransomware would fail to function properly until they were paid, and could potentially even display pornographic content on their screens or cause physical harm in the case of a industrial robot.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.