
Simon Marshall

Programmed to Kill: The Risk of Hacked Robots Is Real

When will the news break of the first hacked robot taking a human life? It could be sooner than you think.

Unless the security vulnerabilities in retail and commercial robots are patched, it is only a matter of time before robots are turned into an aggressive force against humans. That is the conclusion of research released by robotic security specialist IOActive, which says that the proliferation of robots, multiplied by a growing number of exploitable flaws, could lead to bodily injury, death, loss of intellectual property and illegal surveillance of members of the public.

Robots operating in isolation are one thing, but so-called "cobots," which work alongside humans, pose the gravest threat. And this is not scaremongering; the physical danger is already documented. The US Department of Labor's record of workplace robot accidents runs to 38 pages of deaths and severe injuries to date, all caused by robotic malfunction rather than hacking.

But hackers are expected to take increasing advantage of insecure software to manipulate robot programming and turn legions of automatons to the dark side. Cesar Cerrudo, CTO at IOActive, said, "When you think of robots as computers with arms, legs or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before."

How does it happen? IOActive has published video demonstrations of a UBTech Alpha 2 robot hacked to show how injury can be caused, and of SoftBank's NAO and Pepper repurposed for espionage.

So where does responsibility lie for injury, loss of IP and loss of privacy, to name a few? Right now it is up to each part of the ecosystem chain to define and own the legal liability for its own piece. That breaks down across connectivity, hardware and software, but ultimately it is difficult for a robot manufacturer to remain watertight when it comes to the end device.

Best practice, according to Jim Shulkin, vice president of marketing at IOActive, is to assume a "Def Con One" stance: treat any connected device as either under attack or a target. That may seem cumbersome, but it is a measure of the potential damage and of how risk averse everyone needs to be.

One weapon against such evolving threats is machine learning, used to predict attacks or to learn patterns from training data so that hackers can be kept at bay before anyone is hurt. However, this embryonic area faces some immediate challenges before it is ready for the wild.

"Programming a machine to learn is one thing, (but) teaching a machine to think like a skilled human attacker -- which is who is ultimately behind a cybersecurity breach -- is a difficult, if not impossible proposition," Shulkin told Security Now. "So, (machine learning) likely will have an evolving place in predictive/proactive security, but won't be a replacement for the human adversarial mindset anytime soon."

Conversely, there are limits to human expertise. "(Manufacturers and developers) can't be expected to have the technical expertise to determine the cybersecurity posture of the products," said Shulkin, meaning that new vulnerabilities keep emerging after a robot that was secure when it shipped has left the box.

These vulnerabilities will surely multiply as investors pour money into the startup market. The Financial Times estimates that venture capital investment in robotics reached $587 million in 2015 and more than tripled to $1.95 billion in 2016. According to AngelList, there are currently 871 startup companies in the sector, attracting funding from 2,459 investors. Overall global spending on robotics will grow, according to IDC, to reach $188 billion by 2020.

John Santagate, research manager, supply chain at IDC Manufacturing Insights said, "This growth is really fueled by a combination of technology improvements, expanded use cases and acceptance in the market. Innovators in the field of robotics are delivering robots that can be used to perform a broader range of tasks, which is helping to drive the adoption of robotics into a wider base of industries."

IOActive identified weaknesses in robots from mainstream manufacturers, including units developed by SoftBank, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics and Asratec Corp. Some of the 50 identified cybersecurity vulnerabilities fall within the following categories:

  • Insecure communications
  • Authentication issues
  • Missing authorization
  • Weak cryptography
  • Privacy issues
  • Weak default configuration
  • Vulnerable open robot frameworks and libraries
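To make several of those categories concrete (authentication issues, missing authorization, replayable commands over an insecure channel, and weak default configuration), here is an added example. It is not IOActive's code and not any robot vendor's protocol: the JSON command format, the `MAX_JOINT_SPEED` safety envelope, the role table and the device key are all assumptions made for illustration. The insecure handler executes whatever parses; the hardened handler verifies a per-device HMAC, rejects replayed messages, checks the sender's role, and enforces a motion bound that no command can override.

```python
import hashlib
import hmac
import json

# Hypothetical safety envelope for the example (rad/s); not any vendor's real limit.
MAX_JOINT_SPEED = 0.5


def handle_command_insecure(msg: bytes) -> dict:
    """Vulnerable pattern: any client that can reach the port can drive the arm.

    No authentication, no authorization, no replay protection and no bound
    on the requested speed: the handler executes whatever parses.
    """
    cmd = json.loads(msg)
    return {"executed": cmd["action"], "speed": cmd.get("speed", 0)}


def _canonical(principal: str, counter: int, body: dict) -> bytes:
    # Deterministic encoding so sender and receiver MAC identical bytes.
    return json.dumps(
        {"p": principal, "c": counter, "b": body},
        sort_keys=True, separators=(",", ":"),
    ).encode()


class CommandAuthenticator:
    """Hardened pattern: MAC'd, replay-protected, role-checked, bounded commands."""

    def __init__(self, device_key: bytes, roles: dict):
        # Weak-default-configuration guard: refuse short or shared keys so a
        # shipped default such as b"admin" cannot be used across every unit.
        if len(device_key) < 16:
            raise ValueError("device key too short; provision a per-device key")
        self.key = device_key
        self.roles = roles          # principal -> set of permitted actions (assumed table)
        self.last_counter = {}      # principal -> last accepted counter (replay window)

    def sign(self, principal: str, counter: int, body: dict) -> bytes:
        """Client side: attach an HMAC-SHA256 tag over the canonical payload."""
        tag = hmac.new(self.key, _canonical(principal, counter, body), hashlib.sha256).hexdigest()
        return json.dumps({"p": principal, "c": counter, "b": body, "t": tag}).encode()

    def handle(self, msg: bytes) -> dict:
        """Robot side: verify, then authorize, then bound, then execute."""
        try:
            env = json.loads(msg)
            principal, counter, body, tag = env["p"], env["c"], env["b"], env["t"]
            action = body["action"]
            speed = float(body.get("speed", 0))
            if not isinstance(tag, str):
                raise TypeError("tag must be a hex string")
        except (ValueError, KeyError, TypeError):
            return {"rejected": "malformed"}
        expected = hmac.new(self.key, _canonical(principal, counter, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return {"rejected": "bad_signature"}     # forged or tampered in transit
        if counter <= self.last_counter.get(principal, -1):
            return {"rejected": "replay"}            # captured message sent again
        if action not in self.roles.get(principal, set()):
            return {"rejected": "unauthorized"}      # authenticated, but not permitted
        if abs(speed) > MAX_JOINT_SPEED:
            return {"rejected": "speed_limit"}       # safety envelope wins over any command
        self.last_counter[principal] = counter
        return {"executed": action, "speed": speed}


if __name__ == "__main__":
    # Constructed demo traffic; key and roles are assumptions for the example.
    auth = CommandAuthenticator(b"per-device-key-0123456789abcdef",
                                {"operator": {"move", "stop"}, "viewer": {"status"}})
    msg = auth.sign("operator", 1, {"action": "move", "speed": 0.2})
    print(auth.handle(msg))   # executed
    print(auth.handle(msg))   # replay
    print(handle_command_insecure(b'{"action": "move", "speed": 5}'))  # executes anyway
```

The order of checks matters: the MAC is verified before anything else is trusted, the counter is only advanced once a command has actually been accepted, and the speed bound is applied after authorization so that even a legitimate, correctly signed operator cannot push the arm outside its envelope. A real deployment would also need key provisioning per unit and a transport with confidentiality; the HMAC here covers integrity and origin only.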

IOActive confirmed that, to date, no robot malfunction has been attributed to hacker activity.


Simon Marshall has worked within and around the telecom and IT industries for 21 years. Simon cut his teeth as editor-at-large at totaltelecom.com in the late Nineties, drove strategic communication and product marketing plans for Qualcomm, Neustar and Redknee during the Noughties, and lives today as a technical consultant, active tech news junkie and content underwriter at Security Now.
