Vulnerabilities / Threats

09:00 AM
Connect Directly

What Happens When You Hold Robots for Ransom?

Researchers explore why an attacker would target robots with ransomware, and the implications of what might happen if they did.

Robots are in our homes, businesses, schools, and industrial facilities. They're builders and service workers, healthcare attendants and customer assistants. As robots continue to proliferate in our lives and human-robot interactions grow, so does the potential for cyberattacks.

The rise of robots is driving new attack vectors and threat scenarios — for example, a robot-targeted ransomware attack. IOActive experts this week conducted the first-ever ransomware attack on robots at the 2018 Kaspersky Security Analyst Summit, following extensive research on the key elements needed for an attack like this and the implications that would result if hackers were successful.

Lucas Apa, an IOActive senior security consultant, and IOActive Labs CTO Cesar Cerrudo have long explored robot security. Last year, the two disclosed about 50 flaws in popular robots and robot-control software used in businesses, homes, and industrial sites. Attackers could abuse these to remotely control a robot, infiltrate networks, steal data, and cause physical harm.

Their latest research explores post-exploitation techniques that ransomware attacks could use to disrupt businesses and force payment. "We decided to expand over our previous research, mainly because we realized ransomware could be used to get an actual profit," Apa explains.

Traditional endpoints commonly store information, which is why data has always been the primary target in ransomware campaigns. Robots are different; they handle different types of data but aren't typically used to store it. Payment data, video feeds, and audio are all examples of sensitive information that robots process but don't store internally.

Apa and Cerrudo were curious whether this data could be targeted with ransomware. The team built a proof-of-concept (PoC) ransomware to stage an attack on Softbank's NAO, a research and education robot with 10,000 in use worldwide. Their PoC attack also works on Pepper, which has nearly the same operating system and vulnerabilities as the NAO robot. The researchers note this attack is possible "on almost any robot" in a blog post detailing their findings.

Someone could deploy ransomware by exploiting an undocumented function that allows remote command execution. The flaw was reported to Softbank and is being disclosed today. As of this writing, there is no fix available. From there, an attacker could infect module files to change the robot's default operations, disable admin features, monitor video and audio, and send data to a command-and-control server.

This infection could spread among robots connected to the same internal network, even if they're not on the Internet, says Cerrudo. If a robot is running the same operating system as a desktop machine, there is potential for an infection to spread from one to the other.

"An attacker can execute commands and modify certain behaviors of the robot," he explains. "If this is done on a high scale on company robots, which could be in the hundreds … this could affect an entire group of robots."

The Potential for Damage
The implications of robot ransomware are broad and dangerous. An attacker could completely interrupt service by shutting robots down, display offensive content on the robot's screen, or perform violent movements and even cause harm to workers. Instead of targeting data, attackers could target software to make the robot non-operational until the victim pays up.

There are several reasons businesses might pay the ransom in these cases. For starters, robots are expensive. Even the most basic enterprise robots cost about $10,000, Apa notes. Most businesses would rather pay attackers than deal with the hassle of fixing a dead robot.

"It creates a huge problem," says Cerrudo. "Once a robot has been compromised with ransomware, you have to send it away to fix it or employ a special technician to fix the problem. It could take a few days or many weeks."

And for robots used in the enterprise, time is money. Every second the robot is not working causes financial loss, whether it's from lost revenue, production costs, or repair costs.

Both Apa and Cerrudo anticipate the risk of robot ransomware will grow as businesses become increasingly dependent on them to build products and offer services. Attackers can exploit them to do more than steal data, driving the consequences of ransomware.

While the ultimate fix is for vendors to build more-secure robots, the researchers urge businesses to take precautions when deploying these machines in the enterprise. "Make sure the robot has security protections, authentication, and encryption, and it's not an easy target," says Apa. "Research has shown most commercially available robots are insecure."

Related Content:


Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/14/2018 | 12:36:44 AM
Re: About the Security Of the Anyones System Who Used Windows Or Any Other Operating System Like Linux, Unix.....
Here is a great article for those of you who might have had slightly unrealistic expectations from this. If you have any particular issues related to the printer offline windows 10  you can firmly go through the and It will be really helpful. Hope for you too.
User Rank: Apprentice
3/13/2018 | 7:29:10 PM
About the Security Of the Anyones System Who Used Windows Or Any Other Operating System Like Linux, Unix.....
There are so many users who used The Robot or Trojan to hack The someone information or the identification information for misused and they give an extra headache to protect your system, You have to use The antivirus there are so many software in the market but here the  Avira Customer Support always Provide The good solution and Trusted user satisfaction. 


Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.