REPORT – Robots : Problem – can be hacked or exploit to kill people


Robots are going mainstream. In the very near future robots will be everywhere, on military missions, performing surgery, building skyscrapers, assisting customers at stores, as healthcare attendants, as business assistants, and interacting closely with our families in a myriad of ways.

As electronic devices become smarter and the cost of cutting-edge technology decreases, we increasingly look to machines to help meet human needs, save lives, entertain, teach, and cure.
Enter the robot, an affordable and practical solution for today’s business and personal needs.
Everyone is familiar with robots. In science fiction books and movies, they are often portrayed as mythological mechanical creations that can resemble animals or humans and assist society either by performing helpful tasks, or attempt to destroy it, as in the Terminator films.

Setting science fiction aside, real robots are being built and used worldwide now, and adoption is increasing rapidly.
The evidence of robots going mainstream is as compelling as it is staggering. Large investments are being made in robotic technology in both public and private sectors:

  • Reports forecast worldwide spending on robotics will reach $188 billion in 2020.
  • South Korea is planning to invest $450 million in robotic technology over the next five years.
  • Reports estimate venture capital investments reached $587 million in 2015 and $1.95 billion in 2016.
  • SoftBank recently received $236 million from Alibaba and Foxconn for its robotics division.
  • UBTECH Robotics raised $120 million in the past two years.
  • Factories and businesses in the U.S. added 10% more robots in 2016 than in the previous year.

Robots are already showing up in thousands of homes and businesses.

All signs indicate that in the near future robots will be everywhere, as toys for children, companions for the elderly, customer assistants at stores, and healthcare attendants.

Robots will fill a dizzying array of service roles, as home and business assistants, intimate physical companions, manufacturing workers, security and law enforcement, etc.
As many of these “smart” machines are self-propelled, it is important that they’re secure, well protected, and not easy to hack.

If not, instead of helpful resources they could quickly become dangerous tools capable of wreaking havoc and causing substantive harm to their surroundings and the humans they’re designed to serve.
We’re already experiencing some of the consequences of substantial cybersecurity problems with Internet of Things (IoT) devices that are impacting the Internet, companies and commerce, and individual consumers alike.

Cybersecurity problems in robots could have a much greater impact. When you think of robots as computers with arms, legs, or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before.

As human-robot interactions improve and evolve, new attack vectors emerge and threat scenarios expand. Mechanical extremities, peripheral devices, and human trust expand the area where cybersecurity issues could be exploited to cause harm, destroy property, or even kill.
There have already been serious incidents involving robots, including a woman being killed by an industrial robot in 2015 at the Ajin USA plant in Cusseta, Alabama, when an industrial robot restarted abruptly.

A couple of similar incidents occurred the same year at other plants as well.

The US Department of Labor maintains a list of robot-related incidents, including several that have resulted in death.
Notable robot-related incidents could fill an entire report. Here are just a few examples:

  • A robot security guard at the Stanford Shopping Center in Silicon Valley knocked down a toddler; fortunately, the child was not seriously hurt.24
  • A Chinese-made robot had an accident at a Shenzhen tech trade fair, smashing a glass window and injuring someone standing nearby.25
  • In 2007 a robot cannon killed 9 soldiers and seriously injured 14 others during a shooting exercise due to a malfunction.26
  • Robotic surgery has been linked to 144 deaths in the US by a recent study.27

While these incidents were accidents, they clearly demonstrate the serious potential consequences of robot malfunctions.

Similar incidents could be caused by a robot controlled remotely by attackers.

Similar to other new technologies, we’ve found robot technology to be insecure in a variety of ways, and that insecurity could pose serious threats to the people, animals, and organizations they operate in and around.

There are a lot of conspiracy theories about robots taking over our jobs or killing the humanity.

In fact, famous physicist Professor Stephan Hawking agrees with researchers who claim AI robots will leave humanity ‘‘Utterly Defenceless.’’

Now, researchers at IOActive, a cyber security company has revealed that [Pdf] programs which “bring them (robots) to life” carry critical vulnerabilities which can be used by threat actors for negative purposes.

The development of artificial intelligence (AI) robots is on the rise.

Last year, IBM developed Ross – World’s first AI lawyer and plans are to license it for being utilized in domains like bankruptcy, restructuring and creditors’ rights team.

The US government also wants to put robots in the military and weaponize them with artificial intelligence.

That being said, the cyber criminals are also keeping an eye on the situation and exploiting existing vulnerabilities in the infrastructure of robots can turn the table for all the wrong reasons.

IOActive’s researchers tested models from a number of vendors including SoftBank Robotics’s NAO and Pepper robots, UBTECH Robotics’s Alpha 1S and Alpha 2 robots, ROBOTIS’s ROBOTIS OP2 and THORMANG3 robots, Universal Robots’s UR3, UR5, UR10 robots’ Rethink Robotics’s Baxter and Sawyer robots, Asratec Corp’s robots using the affected V-Sido technology.

Among their findings, the researchers discovered authentication issues, insecure communication system, weak cryptography, privacy flaws, weak default configuration, vulnerabilities in open source robot frameworks and libraries.

Damages that can be caused by a hacked robot:

The research further revealed that after exploiting above mentioned vulnerabilities attackers could use a hacked robot to spy on people, homes, offices and even cause physical damage. This makes a perfect scenario for government-backed spying groups to keep an eye on military and strategic places once and if the target country is using robots in its military or sensitive installations.

It a nutshell, the research covers every aspect of life where robots can be used in the future and cause massive damage including homes, military and law enforcement, healthcare, industrial infrastructure, and businesses.

“Compromised robots could even hurt family members and pets with sudden, unexpected movements since hacked robots can bypass safety protections that limit movements,” says the research. “Hacked robots could start fires in a kitchen by tampering with electricity, or potentially poison family members and pets by mixing toxic substances in with food or drinks.

“Family members and pets could be in further peril if a hacked robot were able to grab and manipulate sharp objects,” it adds.

Another dangerous aspect discovered in this research is that thieves and burglars can also hack Internet-connected home robots and direct them to open doors. Even if robots are not integrated, they could still interact with voice assistants, such as Alexa or Siri, which integrate with home automation and alarm systems.

“A hacked, inoperable robot could be a lost investment to its owner, as tools are not yet readily available to ‘clean’ malware from a hacked robot,” it adds. “Once a home robot is hacked, it’s no longer the family’s robot; it’s essentially the attacker’s.”

Vulnerable Open Source Robot Frameworks and Libraries

Many robots use open source frameworks and libraries. One of the most popular is the Robot Operating System (ROS) used in several robots from multiple vendors.

ROS suffers from many known cybersecurity problems, such as cleartext communication, authentication issues, and weak authorization schemes.

All of these issues make robots insecure.

In the robotics community, it seems common to share software frameworks, libraries, operating systems, etc., for robot development and programming.

This isn’t bad if the software is secure; unfortunately, this isn’t the case here.
Not all of the robots we tested are vulnerable to every one of the cybersecurity issues listed. However, each robot we tested had many of the issues.

While we didn’t test every robot available on the market today, the research did lead us to believe that many robots not included in our assessment could have many of these same cybersecurity issues.
We observed a broad problem in the robotics community: researchers and enthusiasts use the same – or very similar – tools, software, and design practices worldwide.

For example, it is common for robots born as research projects to become commercial products with no additional cybersecurity protections; the security posture of the final product remains the same as the research or prototype robot.

This practice results in poor cybersecurity defenses, since research and prototype robots are often designed and built with few or no protections.

This lack of cybersecurity in commercial robots was clearly evident in our research.

 Cyberattacks on Robots Robots

Each robot has different features; the more features, the more advanced and smarter the robot typically is.

But these features can also make robots more vulnerable and attractive to abuse by attackers.
Certain features are trending in recent releases from robot manufacturers.

These common features improve accessibility, usability, interconnection, and reusability, such as real-time remote control with mobile applications.
Unfortunately, many of these features make robots more fragile from a cybersecurity perspective. During our research, we found both critical- and high-risk cybersecurity problems in many of these features. Some of them could be directly abused, and others introduced severe threats.
The following list gives a brief overview of some possible threats and attacks for common robot features:

  • Microphones and cameras: Once a robot has been hacked, microphones and cameras can be used for cyberespionage and surveillance, enabling an attacker to listen to conversations, identify people through face recognition, and even record videos.
  • Network connectivity: Sensitive robot services are vulnerable to attack from home/corporate/industrial networks or the Internet. A hacked robot becomes an inside threat, providing all of its functionality to external attackers.
  • External services interaction: The robot owner’s social networks, application stores, and cloud systems could be exposed by a hacked robot. This means an attacker can gain access to private user information, usernames, passwords, etc.
  • Remote control applications: Mobile applications or microcomputer boards can be used to send malicious commands to robots. Mobile phones could be an entry point for launching attacks against robots; if a user’s phone is hacked, then the robot can be hacked too. Likewise, an attacker could use a hacked robot to launch attacks against the owner’s phone.
  • Modular extensibility: When a robot allows installation of applications, it can also allow installation of custom malware. Malicious software could cause the robot to execute unwanted actions when interacting with people. Ransomware could take robots hostage, making them unusable and allowing hackers to extort money to make them usable again.
  • Safety features: Human safety protections and collision avoidance/detection mechanisms can be disabled by hacking the robot’s control services.
  • Main software (firmware): When a robot’s firmware integrity is not verified, it is possible to replace the robot’s core software and change its behavior in a malicious way by installing malware, ransomware, etc.
  • Autonomous robots: A hacked autonomous robot can move around as long as its battery continues to provide power. This allows hackers to control an “insider threat” and steal information or cause harm to nearby objects or people.
  • Known operating systems: Since many robots use the same operating systems as computers, many of the same attacks and vulnerabilities in those operating systems apply to the robots as well.
  • Network advertisement: It is common for robots to advertise their presence on a network using known discovery protocols. Attackers can leverage this to identify a robot in a corporate/industrial network with thousands of computers, and possibly interact with its network services.
  • Fast installation/deployment: Since many vendors do not highlight the importance of changing the administrator’s password in their documentation, a user may not change it during fast deployment. This means that any services protected by this password can be hacked easily.
  • Backups: Configuration files and other information may be backed up on the robot vendor’s cloud or the administrator’s computer. An unencrypted backup could result in a compromised robot and a leak of sensitive data if obtained by an attacker.
  • Connection ports everywhere: Physical connectivity ports lacking restriction or protection, could allow anyone to connect external devices to the robots.

Previous cases of damages done by robots:

Last year, a 5-foot-tall and 300-pound Knightscope security robot at the Stanford Shopping Center, California knocked down a 16-month-old boy and ran him over.

Last year again, a humanoid-looking robot in Russia fled after figuring out that the engineers forgot to shut the gates and blocked the traffic.

In 2015, a technician at the Germany-based Volkswagen production plant was killed by a robot however in that case investigators blamed human error rather than a robot behind the killing of the technician.

At the time of publishing this article, researchers at IOActive had only released limited information about the vulnerabilities since it will take a while for manufacturers to fix the problems highlighted by researchers.

Source: IOActive [Pdf]

 Improving Robot Cybersecurity

Building secure robots is not a simple task, but following some basic recommendations, including provided examples below, can exponentially improve their cybersecurity.

  • Security from Day One: Vendors must implement Secure Software Development Life Cycle (SSDLC) processes.
  • Encryption: Vendors must properly encrypt robot communications and software updates.
  • Authentication and Authorization: Vendors must make sure that only authorized users have access to robot services and functionality.
  • Factory Restore: Vendors must provide methods for restoring a robot to its factory default state.
  • Secure by Default: Vendors must ensure that a robot’s default configuration is secure.
  • Secure the Supply Chain: Vendors should make sure that all of their technology providers implement cybersecurity best practices.
  • Education: Vendors must invest in cybersecurity education for everyone in their organization, with training not only for engineers and developers, but also for executives and all others involved in product decisions.
  • Vulnerability Disclosure: Vendors should have a clear communication channel for reporting cybersecurity issues and clearly identify an individual or team to be responsible for handling reports appropriately.
  • Security Audits: Vendors should ensure a complete security assessment is performed on all of the robot’s ecosystem components prior to going into production.


Please enter your comment!
Please enter your name here

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.