Programmed to Kill: The Risk of Hacked Robots Is Real

It’s only a matter of time before robots could be an aggressive force against humans unless security vulnerabilities in retail and commercial robots are patched. The findings come from a release of data by robotic security expert IOActive, which says that the proliferation of robots multiplied by a growing number of exploits could mean bodily injury, death, the loss of intellectual property and illegal monitoring of members of the public.

Robots operating in isolation is one thing, but so-called "cobots" working in tandem with humans hold the gravest threat. And, this is not scaremongering, it could be happening now. The US Department of Labor keeps track of robotic injuries to the workforce, containing 38 pages of deaths and severe injuries to date -- caused by robotic malfunction, not hacking.

But a growing number of hackers are expected to take advantage of insecure software systems to manipulate robot programming and turn legions of automatons to the dark side. Cesar Cerrudo, CTO at IOActive, said, "When you think of robots as computers with arms, legs or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before."

How does it happen? Click here to see a UBTech Alpha 2 robot hacked to demonstrate how injury can be caused. Click here to see SoftBank’s NAO and Pepper repurposed for espionage.

So where does responsibility lie for injury, loss of IP and privacy, to name a few? Right now, it’s up to the ecosystem chain to define and own the legal liability for their individual piece. This breaks down across connectivity, hardware and software, but ultimately it’s difficult for robot manufacturers to remain watertight in terms of the end device.

It’s best practice, according to Jim Shulkin, vice president of marketing at IOActive, to assume a "Def Con One" stance that any connected device is either under attack or is a target. That seems very cumbersome but it's a testimony to the potential damage that could be caused and how risk averse everyone needs to be.

A weapon against such evolving threats is machine learning, to either predict or learn patterns through training data that keep hackers at bay before the hurt. However, this embryonic area has some immediate challenges before it goes into the wild.

"Programming a machine to learn is one thing, (but) teaching a machine to think like a skilled human attacker -- which is who is ultimately behind a cybersecurity breach -- is a difficult, if not impossible proposition," Shulkin told Security Now. "So, (machine learning) likely will have an evolving place in predictive/proactive security, but won't be a replacement for the human adversarial mindset anytime soon."

Conversely, there are limitations to the human brain. "(Manufacturers and developers) can’t be expected to have the technical expertise to determine the cybersecurity posture of the products," said Shulkin, meaning that vulnerabilities evolve once the robot has securely left the box.

These vulnerabilities will surely multiply as investors power the startup market. The Financial Times estimates that venture capital investments in robotics reached $587 million in 2015, nearly quadrupling to $1.95 billion in 2016. According to Angel List, there are currently 871 startup companies in the sector, attracting funding from 2,459 investors. Overall global spend will increase, according to IDC, to reach $188 billion by 2020.

John Santagate, research manager, supply chain at IDC Manufacturing Insights said, "This growth is really fueled by a combination of technology improvements, expanded use cases and acceptance in the market. Innovators in the field of robotics are delivering robots that can be used to perform a broader range of tasks, which is helping to drive the adoption of robotics into a wider base of industries."

IOActive identified weaknesses in mainstream robot manufacturing companies, including units developed by SoftBank, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp. Some of 50 identified cybersecurity exploits fall within the following categories:

IOActive confirmed that to date, no malfunctions have yet been identified as hacker activity.

Related posts:

— Simon Marshall has worked within and around the telecom and IT industries for 21 years. Simon cut his teeth as editor-at-large at totaltelecom.com in the late Nineties, drove strategic communication and product marketing plans for Qualcomm, Neustar and Redknee during the Noughties, and lives today as a technical consultant, active tech news junky and content underwriter at Security Now.