Preventing Skynet: Securing robotic and IoT devices
Preventing Skynet: Securing robotic and IoT devices

Unsecure Internet of Things (IoT) devices and the increasing use of automation are leading to vulnerable robotic device, robots if you will, that if compromised by a hacker could inflict physical harm to human not to mention opening the device possibly compromising all types of personal information.

While Terminators, droids and fantasy western resort hosts may all come to mind with the word, robot also applies to several automated industrial components used in manufacturing and even police and military tools used to defuse bombs.

“When you think of robots as computers with arms, legs, or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before,” an IOActive report on robots and artificial intellegence said. “As human-robot interactions improve and evolve, new attack vectors emerge and threat scenarios expand.”

Manufacturers need to consider security upfront before purchasing robots as many of the current systems can't be reset to factor settings and end users often don't have the abilities to remove malware or correct issues in the event of a compromise.

John Shearer, co-founder and chief executive officer of DarkLight recommends that users that have already adopted vulnerable robotic technology hire a third party to run a security audit on these devices to determine the monetary risk that the devices present to their firm in the event of a breach or compromise.

They should then take these third-party reports to the manufacturers and use the reports to hold manufacturers accountable, Shearer said. He did acknowledge the likelihood that such actions might result in a legal battle, but noted it's important to understand that these exposures are a direct result of the manufacture's negligence.

“As automation, which includes the current buzzword ‘robot' (I can argue that a toaster is a robot, especially if I can control it from my smart phone 5k miles away!), proliferates throughout our daily lives legal issues will be compounded,” Shearer said. “Particularly in the area of liability exposure. Product safety liability, personal liability, cyber risk exposure.”

Last month, IOActive researchers revealed nearly 50 cybersecurity vulnerabilities in robot ecosystem components, many of which were common problems, in their “Hacking Robots Before Skynet” report.

Researchers noted that these numbers likely only scratch the surface of the vulnerabilities in these systems and added that coupled with artificial intelligence (A.I.), these threats are significantly amplified. The increasing push for these technologies from both the public and private sector means that sooner or later we will have to deal with the repercussion of these technologies if they aren't properly secured.

IOActive told SC Media  that it had contacted the manufactures of the products tested in their report and more than a month later they have not heard back from any and while researchers say it's possible that some of the manufactures have taken action, the likely scenario is nothing has been done.

Several of the vulnerabilities could easily be corrected, but, on the other hand, some of the most critical vulnerabilities are easily exploitable. This includes the abundance of exposed ports which could be used to reprogram robots or the lack of authentication protocols, IOActive Senior Security Consultant Lucas Apa told SC Media.

“They [robots] are not like a server that's only stored in a server room where it's protected,” Apa said. “Robots are meant to work with people,” he said adding that exposed ports could allow anyone with physical access to the device to compromise it and the lack of authentication could allow compromises from anyone on the same Wi-Fi network.

The addition of A.I. software to the automation process could add more value to the wealth of information an attacker could gain from compromising the robot. Such as, who the device is interacting with, the emotions of those people, and any other conceivable information that can be gleaned from A.I. analytics, Apa said.  

Proof of concept attacks against IoT devices have already raised awareness of the security issues that robots pose and recent pushes from both the public and private sector could mean a bigger target for attackers looking to exploit vulnerabilities in the wild.  

Last month, U.S. Commerce Secretary Wilbur Ross called for a more widespread adoption of robotics and job automation in order to maintain a competitive advantage in the global economy.

"We need technological advance,” Ross told CNBC's Squawk Alley. And if we don't employ robots, the Chinese will, the Vietnamese will, the Europeans will, the Japanese will. Everyone will."

Apa said that if government officials are calling for more robots, officials should also take the opportunity to call for more security in them adding that government regulation could help ensure manufactures secure their devices.

In order to address the threats that these technologies will inevitably present, Apa said manufacturers need to implement the ability for end users to factory reset systems in the event of an error or compromise. Currently many devices offer no such option and would need to be sent back to the manufacturer to address issues, he said.

In addition, pressure from industry groups such as the Institute of Electrical and Electronics Engineers (IEEE) and National Institute of Standards and Technology (NIST) and government initiatives are already leading to an increased awareness of the need for more secure products although Apa did say these groups should push for a faster adoption of secure technologies and be more proactive.

While it is possible government subsidies could help curb the costs implementing such security features, Shearer said it's highly unlikely that Washington would pass such measures.

“The economic problem is the cost of designing and implementing security into a $20 consumer product is not realistic,” Shearer said. “Unfortunately, that device can be the entry point into your ‘secure' network.”  

Rather than wait for regulation, Shearer said the abundance of insecure robotic devices presents an opportunity for component manufactures to start baking security in at a low level to help mitigate risks that companies will inevitably have to address in the event of a compromise. He said component suppliers of IoT devices need to build security capabilities and interfaces directly into the chips as well as comply with standards and interoperability.

The greater implementation of robotics, automation and A.I. should be taken as an opportunity to correct the wrongs of insecure IoT devices and robots could be a starting point to start correcting the problems that ran rampant in unsecured IoT devices, researchers said.

 “The security posture of robotics must take into account the physical security of people and things around it as well as the digital security of the information and networks it's able to access,” Ken Spinner, VP of worldwide field engineering at Varonis told SC Media. “The default for robotics should be security with additional mechanisms and fallbacks to monitor the physical and digital behavior of the machine.”

Experts agree, manufacturers need to step up and some have already taken dramatic steps to improve the quality of their products.

Strategic Cyber Ventures Chief Operations Officer Hank Thomas told SC Media that he is familiar with at least one global auto manufacturer that ultimately decided to turn around an entire cargo ship from China that was full of electronic components, when they learned that the merchandise was compromised by the agents of the People's Liberation Army (PLA).

“Manufactures need to modernize their supply chain analysis programs and take where their components with embedded microcode come from seriously,” Thomas said. “It's not just about counterfeit parts, it's about tampered parts that can be controlled or manipulated when desired by a nation state adversary or criminal.”

He added that practices like this are common in places like China where the state owns, controls, or has significant influence over most private technology companies.

And while steps have been take to mitigate the added risk of using connected devices and robots, some researchers feel that there are no great incentives to mitigate security vulnerabilities due to lack of proper legal or regulatory guidance or mandates.

Distil Networks Managing Director of Security Research Stephen Singam says that without proper regulations, robots have the potential to improve lives and at the same time possibly cause great harm.

“My main concern is whether or not we are prepared to determine a strategy for governing robots and A.I.,” Singam said. “The ultimate goal, of course, is to prevent harm to humans, which includes not only physical harm, but also data privacy.”

He added that minimum security requirements should include performing a comprehensive risk assessment that looks at the data that is collected by the object's automation and robotic systems.

Researchers said the cybersecurity concerns of robots could also lead to interesting legal challenges concerning data protections. Business will need to clarify who owns data and to what extent they can expect consumers and incidental third parties to bear the responsibility for any potential breach – or to what extent those rights can be waived, Ben Weinberger, VP of Solutions at Prosperoware told SC Media.

“As we stand today, most wearables ‘leak' a tremendous amount of data – and that will only continue to increase as we further develop capabilities and understand uses for various devices,” Weinberger said. “The public should be much more concerned about what data they are giving away so freely and what uses it might be put to, especially as regards ones which may be used against them (in areas such as health and insurance underwriting as well as credit scoring).”

Furthermore, Weinberger agreed that legislation is lagging behind with regard to being able address these issues, though he did acknowledge that entities such as the Security Exchange Commission (SEC) and Federal Trade Commission (FTC) seem ready and willing to jump into the fray.

One of his solutions he proposes for mitigating the risks of robots is to treat robot access credentials the same as user and service accounts by limiting their access only to the information they need to do their job and by monitoring and alerting on any suspicious behavior like account hijacking

Researchers also said that while securing the robot from outside human interference is important, it's also important to secure robots from machine interference as well.

“Since the Internet provides connectivity to all robots and IoT devices, it is conceivable that AI and robot paths have already crossed,” Plixer Chief Executive Officer Michael Patterson told SC Media. “If AI starts making decisions for us that we don't like, it could introduce a new form of hacking.”

Privacy, and security are serious issues that manufacturers need to address before it's too late. Researchers agree that end users need to demand more secure products in order to push manufactures to prioritizing these needs and some fear government intervention may be needed to better address the problems. Either way, connected devices will remain targets by nature of design and every insecure system is a potential compromise waiting to happen.