
5/3/2017
09:20 AM

Researchers Hack Industrial Robot

New research finds more than 80,000 industrial routers exposed on the public Internet.

It was a minuscule change in parameters – just 2mm – but that tiny deviation delivered to a real robot in a recent hacking experiment could result in a massive product recall or even a major defect in an aircraft design in a real manufacturing scenario.

Researchers at Trend Micro and Italy-based Politecnico di Milano today detailed the proof-of-concept attack they conducted on an ABB Robotics IRB140 industrial robot, exploiting a remote code vulnerability they found in the robot's controller software. They fed the robot a phony configuration file that modified its parameters for drawing a straight line. Instead of a perfectly straight line, the robot drew a slightly skewed one, following the 2mm change in instructions.

"The code was working as expected, but with the wrong configuration," says Mark Nunnikhoven, Trend Micro's vice president of cloud research. "We were getting the robot to change what it thought a straight line was.

"Two millimeters doesn't sound significant, but it made a defect in manufacturing. If that was an airplane … it can be a catastrophic event," he says.

The ABB robot hack was part of a larger study published today by Trend Micro on cybersecurity flaws and vulnerabilities in today's industrial robots, "Rogue Robots: Testing the Limits of an Industrial Robot's Security."

The researchers discovered more than 80,000 industrial routers exposed on the public Internet via their FTP servers and industrial routers in a two-week scan for connected robots from major vendors such as ABB Robotics, FANUC FTP, Kawasaki E Controller, Mitsubishi FTP, and Yaskawa. The scan, using Shodan, ZoomEye, and Censys search engines, revealed that some of the exposed devices didn't require any authentication to access them.


Industrial robots exposed via their FTP servers as of late March 2017

Source: Trend Micro

Exposed industrial routers, according to Censys, ZoomEye, and Shodan search results as of late March 2017
 
Source: Trend Micro

Industrial robots are commonplace in the manufacturing operations of aerospace, automotive, packaging and logistics, and pharmaceutical companies and increasingly are showing up in office and home environments. IDC estimates that in 2020, worldwide spending on robotics will be at $188 billion. Meantime, robots and their control software are basically as security-challenged as any other Internet of Things devices, containing critical and painfully obvious security flaws that make them relatively easy to manipulate and hack.

Security vulnerabilities in robots can be exploited to take control of a robot's movements and operations for spying, sabotage, or damaging the manufacturing process on the plant floor. They even could be used in a way that poses a physical danger to humans who work alongside these systems, according to recent research from IOActive that studied popular robots and robot-control software used in businesses, homes, and industrial plants.

IOActive discovered some 50 flaws that could allow a hacker to remotely manipulate a robot moving about the office, plant floor, or home, to infiltrate other networks there, spy and steal information, and even wreak physical destruction. "Compared with IoT, the cybersecurity threat is a lot bigger with robots. They can move around … and could hurt people or damage property" if hacked, says Cesar Cerrudo, CTO at IOActive.

Even before IOActive's and Trend Micro and Politecnico di Milano's work, the academic community was studying robot hacking: In 2015, researchers at the University of Washington hacked a surgical robot to demonstrate how an attacker could hijack and wrest control of a robot during surgery.

Trend Micro's Nunnikhoven says that like many industrial systems, robots are designed with physical safety in mind, but not cybersecurity. Their controls also are increasingly software-based, and many robots now come embedded with routers for remote-access monitoring and maintenance by the vendor. "Lo and behold we found a ridiculous amount of these [devices] connected to the Internet," some purposely and some unbeknownst to their owners, he says. "They were never designed to be connected to the Internet."

Researchers at Trend Micro and Politecnico di Milano pinpointed five classes of attacks that could be waged against industrial robots by exploiting certain combinations of software vulnerabilities. They reported vulnerabilities they discovered to the respective robot vendors, including ABB, which since has updated its robot with security fixes. Trend Micro reverse-engineered ABB's RobotWare control program as well as the RobotStudio software as part of the PoC hack.

"Testing is a critical process to stay ahead of new cyber security threats. ABB has fixed the concerns in the Trend Micro tests, which helps us provide greater security for equipment in the market. The results also emphasize the importance of using a secure network, since the testing used an unsecured network connection," ABB said in a statement provided to Dark Reading.

Performing a robot hack isn't cheap, however: the researchers say a similar configuration used in their hack could be purchased online for tens of thousands of dollars.

According to Nunnikhoven, the flaws Trend found in various vendors' robots included authentication weaknesses and a lack of end-to-end encryption, as well as other common bugs and weaknesses found in IoT and ICS/SCADA systems.

Robot technical information is often available online, firmware images are unprotected, Web interfaces are left exposed, and their software components are rarely patched, according to Trend's findings. The security firm didn't publish specific vulnerabilities in specific products.

They found that an attacker could alter the control system to influence how the robot moves; change the calibration, like in their PoC; manipulate production logic to quietly sabotage the workflow; manipulate the robot's status information so operators don't detect any hacks; and manipulate the robot's status so the attacker gains full control from the legitimate operator.

The manufacturing sector is a juicy target for hackers. According to the new Verizon Data Breach Investigations Report, last year Verizon investigated 115 cyber espionage incidents at manufacturing firms, 108 of which included a data breach. And manufacturing is one of the most frequently hacked industries, according to IBM X-Force Research's 2016 Cyber Security Intelligence Index.

When it comes to robots on the plant floor, the security challenges are similar to those of any other industrial network. The devices are in place for many years and rarely get software updates for design and operational reasons. "These are multi-year investments, similar to SCADA controllers," Nunnikhoven says of industrial robots. He recommends that manufacturing firms conduct network monitoring to watch for nefarious activity, for example. "That way you can see what's going in and out of the robot."

"And [robot] vendors have to do a lot of work to build more secure systems from day one," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
