From IoT to IIoT, everything seems vulnerable.
Seattle-based cybersecurity firm IOActive has been researching robot-related vulnerabilities of late, and a few months back it published a report describing the issue in detail. The researchers have been analyzing robots used in industries and businesses, built by top vendors UBTECH Robotics, SoftBank Robotics, ROBOTIS, Asratec Corp., Universal Robots and Rethink Robotics.
They checked mobile apps, firmware and software for flaws and discovered about 50 vulnerabilities. These included flaws related to different features of the robots such as authentication, communication, cryptography, open source components, authorization mechanisms, privacy and default configurations.
IOActive CTO Cesar Cerrudo and the company’s Senior Security Consultant Lucas Apa had warned previously that the security holes might very well be exploited and that attackers could force the robots to spy and steal sensitive private data. Furthermore, exploitation could cause the cobot to malfunction, leading to physical harm to its operators.
Now IOActive’s researchers have revealed that a remote attacker can easily hijack a cobot. Cobots are industrial collaborative robots that share a workspace with the humans who operate them. Cobots help perform a variety of tasks and are quite advanced: they can see via built-in cameras, hear through microphones, learn new movements and execute repetitive tasks.
However, once a cobot is hijacked, the attacker can alter its settings, leading to physical harm to nearby human operators. “Imagine what could happen if an attack targeted an array of 64 cobots as is found in a Chinese industrial corporation,” said IOActive researchers.
‘In the very near future robots will be everywhere, on military missions, performing surgery, building skyscrapers, assisting customers at stores, as healthcare attendants, as business assistants, and interacting closely with our families in a myriad of ways,’ revealed the research paper published by IOActive titled ‘Hacking Robots Before Skynet.’
‘Similar to other new technologies, we’ve found robot technology to be insecure in a variety of ways, and that insecurity could pose serious threats to the people, animals, and organizations they operate in and around,’ revealed the research.
The focus of the latest research from IOActive was on the most recent industrial models, such as the Baxter/Sawyer cobots from Rethink Robotics and Universal Robots’ UR. The IOActive team has also uploaded a video providing details of its findings.
In the video, Apa and Cerrudo demonstrated how an attacker can remotely chain six different vulnerabilities to alter the safety settings of a UR robot. An attacker could disable emergency functions, and this would put human lives in danger.
The Alpha 2 robot featured in the video (built by the Chinese firm UBTech Robotics) is seen attacking a tomato with a screwdriver. You might say that Alpha 2 is a home robot and isn’t a very harmful machine, so the damage caused won’t be much if nearby humans move a few feet away from it.
However, IOActive states that it is only a matter of time before these home robots also become a security concern. The team also showed how bigger industrial robots such as the arms of the Alpha Robots, Pepper and SoftBank’s Nao, which have been made by Universal Robotics, could be compromised and their security protocol overridden.
The team has provided details of every exploited flaw, and the video shows how the attacker can disable safety features of the cobot by compelling the robot’s arm to malfunction. This proves that bigger industrial robots aren’t immune to attacks at all. However, IOActive researchers claim that to compromise these robots, attackers must have access to the robot’s network, and they need to tamper with it physically. If they do manage to control the robots, the consequences would be disastrous.
IOActive contacted some robot manufacturers regarding the new findings, and steps have been taken to fix the flaws. Rethink Robotics fixed the vulnerability back in February, but UR hasn’t yet resolved the issues found in its robots.
It is worth noting that IOActive isn’t the first or only security firm to have researched industrial robots: Trend Micro researchers and the Polytechnic University of Milan have also published their research findings on the cybersecurity of such robots. It is indeed worrisome that with just a few hacking tricks, attackers can cause a skull fracture as well as turn the robots into spies and malicious threat actors.
According to IOActive, what’s most troubling is the considerable size and strength of these robots: when working with human operators they can cause “skull fracture” even if “running at low speeds” due to the enormous force they can exert.