Exploitable Vulnerability in Softbank’s NAO and Pepper Robots Leads to Ransomware Infection.
According to the findings of security firm IOActive Labs, there is a vulnerability in Softbank Robotics’ NAO and Pepper robots that can lead to devastating ransomware attacks by causing robots deployed at workplaces to stop working.
The vulnerability is yet to be patched
These robots can also be forced to perform unusual, annoying acts such as cursing the customers or performing violent movements. The identified vulnerability was revealed by IOActive Labs at Kaspersky Labs’ Security Analyst Summit. The firm also stated that it informed Softbank regarding the flaw in January 2017 however, the robot manufacturer is yet to patch the vulnerability.
In a research paper titled “Robots Want Bitcoins Too!” IOActive researchers have demonstrated the way Pepper and NAO robots can be infected with ransomware. The senior security consultant at IOActive, Lucas Apa, said that ransomware attacks have become quite a common attack vector nowadays:
“It’s no secret that ransomware attacks have become a preferred method for cybercriminals to get monetary profit by encrypting victim information and requiring a ransom to get the information back.”
While speaking with Threatpost, Lucas Aps and Cesar Cerrudo from IOActive Labs stated that the vulnerability is like an open gateway for ransomware attacks that can target sensitive in-transit information that is collected and stored by the robot. This information is stored in HD video feed type format while four directional microphones record the audio. The robots also store payment and transaction-related information of businesses.
Both NAO and Pepper robots are quite expensive machines priced around $10,000. These are the two most widely deployed robots that are extensively used for researchers and educational purposes. Nearly 20,000 Pepper robots and 10,000 NAO robots are being used at the moment at over 2,000 organizations across the globe.
Vulnerable robots are used worldwide
Currently, A wide range of industries are benefitting from these robots including education, retail, and industrial sector. If these robots become non-operational then businesses will experience losses almost every second. The white paper from IOActive Labs read:
“It stands to reason, then, that service and/or production disruption is another strategy for attackers. Instead of encrypting data, an attacker could target key robot software components to make the robot non-operational until the ransom is paid.”
Video demonstration
To demonstrate the vulnerability a proof-of-concept has been developed by IOActive Labs that targets NAO robot but the same technique can be applied on Pepper robot. To deploy ransomware an undisclosed function was exploited to allow remote command execution. This function allows remote execution of commands via instantiating a NAOqi object by use of the ALLauncher module and enabling the internal_launch function.
Module files were then infected to modify robot default operations, disable admin features and capturing audio/video and sending it to a command & control server. Once the information is received by the attackers, they can gain elevated privileges, modify root passwords and change SSH settings.
Factory reset mechanism is also disrupted by the attackers so as to ensure that users remain unable to restore the system by uninstalling the ransomware. Afterward, the attacker can infect all behavior files that contain custom code. This code is required to execute the main functions and actions of the robots. Injecting the custom code into behavior file classes, it became possible for researchers to modify the robot’s mannerisms/actions/behaviors. The same technique can be used to completely bork the robot or enable it to use bad language and even ordered to attack humans.
“We decided to conduct a proof-of-concept ransomware attack on the NAO robot, leveraging vulnerabilities we uncovered in our prior research in 2017. What we found was pretty astonishing: ransomware attacks could be used against business owners to interrupt their businesses and coerce them into paying ransom to recover their valuable assets,” researchers noted in the white paper.
Once the robots’ functioning gets disrupted, it would take weeks to restore their operational status back to normal. But during the time a robot is non-operational, businesses and factories will be losing a lot of money.
It is now the responsibility of robot vendors to improve the security of these robots. They must work on restoring and updating their mechanisms so as to prevent or at least minimize ransomware threat. “If robot vendors don’t act quickly, ransomware attacks on robots could cripple businesses worldwide,” researchers noted.
Given the evolving nature of human-robot interactions, it is understandable that newer attack vendors will emerge and threats scope will broaden. It’s the need of the day to prepare for such threats by understanding the key elements that are required to infect robots with ransomware. Additionally, it is important to evaluate and understand the motivations and strategies of modern-day attackers and work in collaboration to deal with them.