Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/1/2017
12:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Hacked Robots Present a New Insider Threat

Robots and their control software are rife with critical and painfully obvious security flaws that make them easily hackable, new research shows.

Popular robotics products contain glaring and serious security vulnerabilities that could easily be exploited to hack and take control of a robot's movements and operations for spying or causing physical damage - and even posing a danger to humans.

Call it the new insider threat:  IOActive researchers Cesar Cerrudo and Lucas Apa have discovered some 50 flaws in popular robots and robot-control software used in businesses, industrial sites, and homes that could allow a hacker to remotely manipulate a robot moving about the office, plant floor, or home, to infiltrate other networks there, spy and steal information, and even wreak physical destruction.

Robots are getting "smarter" and in some cases, with more human-like qualities such as facial recognition features, all of which is helping propel their popularity and usability. IDC estimates that in 2020, worldwide spending on robotics will be at $188 billion. Robots today are mostly in the manufacturing industry, but the consumer and healthcare sectors are up-and-coming in their robotics adoption, according to IDC.

"A robot being inside [an organization] is actually a reality" today, notes IOActive's Apa, pointing to the rise of use in smart robotics technology. "And it's very difficult to distinguish between a robot that's been hacked" and one that's not, he says. 

A hacked robot could silently be used to go rogue and hack other networks within the office, or even other robots, according to the researchers, who say robots indeed could be the next-generation insider threat.

Apa, who is a senior security consultant with IOActive, and Cerrudo, IOActive's CTO, in their new research, studied robots and robotics control software products from Softbank Robotics, UBTECH Robotics, Robotis, Universal Robots, Rethink Robotics, and Asratec Corp. The researchers say they wanted to drill down on the security issues now, before robots become mainstream.

The robots and their control software were rife with some of the same security flaws common in notoriously insecure Internet of Things devices: insecure communications weaknesses such as cleartext or weak encryption between the robot and its components that provide its commands and software updates; a lack of authentication (no credentials required to access a robot's services, for example); and lack of authorization measures, which could leave a robot at the mercy of a nefarious attacker.

In addition, they found weak cryptography in the devices and their software that leave sensitive data and information stored in the robots at risk, such as passwords, crypto keys, and vendor service credentials, for example. Some of the devices also come with weak default configurations that don't properly lock down the robots and their operations, and Cerrudo and Apa found that some of these devices couldn't even be properly retrofitted with new passwords, nor even fixed once they had been hacked.

"It can be hard to restore a robot to its original [uncompromised] state," Apa says. "With some vendors' products we analyzed, it was impossible," so the customer is stuck with a hacked robotic system, he says.

Turns out robots also suffer from some of the same open-source framework and library vulnerabilities of other software systems. Many robots run on the the Robot Operating System (ROS), which comes with cleartext communication, authentication, and weak authorization features, according to IOActive. "In the robotics community, it seems common to share software frameworks, libraries, operating systems, etc., for robot development and programming. This isn’t bad if the software is secure; unfortunately, this isn't the case here," the researchers wrote in their report published today.

Don Bailey, founder and CEO of Lab Mouse Security, says robot vulnerabilities are another example of the flaws found in embedded, IoT devices. "They're all embedded systems. You're going to keep seeing the same threats, over and over," says Bailey, an IoT security expert.

The bigger risk of today's robotics-type devices, he says, is data leaking and privacy breaches. The Amazon Alexa and Apple Siri-style smart devices and others can be used more for espionage, he says. "As they [robots] grow into more substantial technologies, we'll see more [physical] danger to humans," Bailey says.

A serious concern today is the provisioning and sunsetting of robotics products, he says. "How a robot associates itself with its owner" and what happens when that owner hands it over to another owner or user, pose security and privacy risks, he says. It's unclear how a new "owner" could be protected from the previous one still having access to the robot, for example.

IOActive's Apa and Cerrudo aren't releasing vulnerability details at this time, as they await responses from the vendors. So far, they've only heard back from four of them. "Only two said they are going to fix" the flaws, Cerrudo says. The other two indicated they understood they should "do something about it," he says.

They weren't able to actually test all of the robots, due to the expense of some of the devices as well as global shipping restrictions, so they mainly analyzed robot software, including mobile apps, operating systems, and firmware images. Those are core elements of robotic systems, they say, so they could get a good take on the security from them as well as from the physical robots they did have in hand.

Interestingly, the researchers say they easily found the flaws without drilling down too deeply in their security audit of the products, since their aim was to get a more high-level sense of robot security today. They aren't finished, though, and plan to do some deeper dives, they say.

"We consider many of the vulnerabilities we found simple to exploit," Apa says. "Anyone with a phone and app can remotely control the robot [via these bugs]. They don't need to develop an exploit."

Among the products with flaws were SoftBank Robotics' NAO and Pepper robots; UBTECH Robotics' Alpha 1S and Alpha 2 robots; ROBOTIS's OP2 and THORMANG3 robots; Universal Robots' UR3, UR5, and UR10 robots; Rethink Robotics's Baxter and Sawyer robots; and Asratec Corp.'s robots using V-Sido.

In one especially creepy scenario, the researchers say robots with face-recognition features in order to work with humans could be hacked and even manipulate their co-workers. Robots often come with microphones and cameras, so an attacker could employ the robot like a spy to get information, for example. "If an attacker can control this, they can use the built-in features to get information about the faces the robot recognizes," Apa says.

IOActive isn't the first to explore robot security: Researchers at the University of Washington in 2015 hacked a surgical robot to demonstrate how a bad guy could hijack and take control of a robot during surgery.

For now, business and home robotics users are basically at the mercy of their insecure robots, the researchers say. What can they do to protect themselves: "Pray," Cerrudo quips. "If I was a robot user, I would unplug it when I'm away at night," for example, he says.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
productbarodes
50%
50%
productbarodes,
User Rank: Apprentice
2/17/2018 | 3:14:55 PM
Re: UPC codes
Yeah youre right about them. Easiest place to buy upc codes.
Ludivina
50%
50%
Ludivina,
User Rank: Strategist
4/27/2017 | 2:47:43 PM
A.I. website free instagram followers
It does not even have to get infected, what if it get programmed that way? The A.I. sector has many pluses as well as twice the bad stuff that can go wrong.
ameliamartin
50%
50%
ameliamartin,
User Rank: Apprentice
4/19/2017 | 9:54:35 AM
Re: A.I. website free instagram followers
It does not even have to get infected, what if it get programmed that way? The A.I. sector has many pluses as well as twice the bad stuff that can go wrong.
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
4/17/2017 | 3:09:49 AM
Re: 192.168.0.1
Thanks Kelly. Very useful information, i'll share it with my friends
forskolinfuel
50%
50%
forskolinfuel,
User Rank: Apprentice
4/16/2017 | 5:22:05 AM
Re: A.I. website forskolin reviewsphen375 reviewphenq review
Thanks for the share. Such an informative post!
forskolinfuel
50%
50%
forskolinfuel,
User Rank: Apprentice
4/13/2017 | 1:22:38 PM
Re: A.I. website forskolin reviewsphen375 reviewsphenq reviews
Thanks for the share. Such an informative post!
ameliamartin
50%
50%
ameliamartin,
User Rank: Apprentice
4/5/2017 | 1:43:51 PM
Re: A.I. website TechUnmasked
Thanks for info
ameliamartin
50%
50%
ameliamartin,
User Rank: Apprentice
4/5/2017 | 1:43:25 PM
Re: A.I. website forskolin reviewsphen375 reviewphenq review
Thanks for the share. Such an informative post!
vladdight
50%
50%
vladdight,
User Rank: Apprentice
4/4/2017 | 9:09:45 AM
Re: A.I. website TechUnmasked
Thanks for the share. Such an informative post!
vladdight
100%
0%
vladdight,
User Rank: Apprentice
4/4/2017 | 9:09:04 AM
Re: A.I. website free instagram followers
This issue is crazy....I can't believe more people aren't talking about it!
Page 1 / 3   >   >>
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20391
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20392
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20393
PUBLISHED: 2020-01-22
A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.
CVE-2019-20394
PUBLISHED: 2020-01-22
A double-free is present in libyang before v1.0-r3 in the function yyparse() when a type statement in used in a notification statement. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.
CVE-2019-20395
PUBLISHED: 2020-01-22
A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.