Proof-of-concept ransomware attack transforms robots into extortionists

Researchers from IOActive have developed a proof-of-concept attack that turns ordinarily benevolent robots into malicious, money-grubbing automatons who demand bitcoin as a ransom payment.

According to a Mar. 9 company blog post, IOActive researchers Cesar Cerrudo and Lucas Apa wrote code to compromise the NAO and Pepper robots from SoftBank Robotics, both of which share nearly the same operating system and vulnerabilities. One of these vulnerabilities -- an undocumented function that enables remote command execution -- was just publicly disclosed today.

"Even though SoftBank was notified January 2017, we aren't aware of any fix available yet," the blog post reads. SC Media has reached out to SoftBank for comment.

The attack involves using this vulnerability to infect files in order to modify default operations, disable admin features, and monitor video and audio. Additionally, the attackers can elevate privileges, change SSH settings and the root password, disrupt the factory reset mechanism, and communicate with a command-and-control server.

Finally, the robot is transformed from an amiable ally into an avaricious extortionist by injecting custom Python code into the behavior files.
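The two paragraphs above describe the persistence steps at a high level: behavior files are rewritten and SSH settings are changed. What follows is an added example, not IOActive's proof-of-concept and not SoftBank code, of the kind of check an operator could run to notice that tampering: a file-integrity baseline over a robot's behavior directory and SSH configuration, plus a simple scan of changed Python behavior scripts for network or process-spawning imports. The directory layout (`behaviors/`, `etc/ssh/sshd_config`) and all file contents are constructed placeholders, since the article does not give the robots' real paths.

```python
"""Added example (not the article's or IOActive's code): baseline-and-diff
file-integrity check for a robot's behavior files and SSH configuration.

All paths and file contents are constructed placeholders; the real NAO/Pepper
filesystem layout is not described in the article."""
import ast
import hashlib
import tempfile
from pathlib import Path

# Modules a benign behavior script would rarely need; a changed script that
# pulls these in deserves a manual look (heuristic, not proof of compromise).
RISKY_MODULES = {"socket", "subprocess", "urllib", "http", "requests"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its
    digest and permission bits. Store this off-robot, e.g. at commissioning."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Report files whose digest or mode changed, plus files added or removed."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def has_suspicious_imports(path: Path) -> bool:
    """True if a Python script imports one of RISKY_MODULES (or does not parse)."""
    try:
        tree = ast.parse(path.read_text())
    except SyntaxError:
        return True  # an unparsable behavior script is itself worth a look
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] in RISKY_MODULES for a in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in RISKY_MODULES:
                return True
    return False


def demo() -> dict:
    """Build a constructed sample tree, baseline it, simulate tampering of the
    kind the article describes (behavior script rewritten, SSH config changed,
    new file dropped), and return the resulting report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        beh = root / "behaviors" / "greet"
        beh.mkdir(parents=True)
        (beh / "greet.py").write_text("def onLoad():\n    say('Hello!')\n")
        ssh = root / "etc" / "ssh"
        ssh.mkdir(parents=True)
        (ssh / "sshd_config").write_text("PermitRootLogin no\n")

        baseline = build_baseline(root)  # taken while the robot is known-good

        # Simulated tampering (constructed, not the actual PoC payload).
        (beh / "greet.py").write_text("import socket\ndef onLoad():\n    say('...')\n")
        (ssh / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "behaviors" / "extra.py").write_text("x = 1\n")

        report = diff_against_baseline(root, baseline)
        report["suspicious"] = [
            p for p in report["modified"] + report["added"]
            if p.endswith(".py") and has_suspicious_imports(root / p)
        ]
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The baseline should be captured and stored somewhere the robot cannot reach, since a compromise with root access could otherwise rewrite it alongside the behavior files; re-running the diff from a separate maintenance host is what makes the comparison meaningful.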

"I've been hacked! I need bitcoins!" states an infected NAO robot in an ominous voice, in a video that IOActive posted. "I love bitcoins! Give me bitcoins now or prepare to die!"

What's more, IOActive notes that the ransomware is difficult to uninstall. "Having a technician fix a robot problem could take weeks depending on availability," the blog post states.

NAO is a humanoid robot used in research and education, with 10,000 already sold worldwide. Pepper is a humanoid robot used in telecom retail stores that is capable of recognizing human emotions and responding accordingly.

According to IOActive, in a real-world scenario robots infected with ransomware would fail to function properly until the ransom was paid, and could potentially even display pornographic content on their screens or cause physical harm in the case of an industrial robot.