Infosec white-coats: Robots are riddled with software security bugs
Soulless contraptions in the home or at work are a risk – not to humanity
Common security flaws in mainstream robotic technologies leave them wide open to attack, infosec researched have warned.
IOActive made the admonition after evaluating the security of multiple home, business, and industrial robots. The array of vulnerabilities identified in the systems evaluated included many graded as high or critical risk, leaving the robots susceptible to cyberattack.
Hackers might be able to abuse the flaws to maliciously spy on owners via the robot’s microphone and camera, leak personal or business data, and in extreme cases, even cause "physical harm or damage to people and property in the vicinity of a hacked robot", according to IOActive.
IOActive’s white coats Cesar Cerrudo and Lucas Apa tested mobile applications, robot operating systems, firmware images, and other software over the last six months in order to identify the flaws in several robots from vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics, and Asratec Corp.
Cerrudo explained why the two researchers had taken up the ongoing study: “Robots will soon be everywhere - from toys to personal assistants to manufacturing workers - the list is endless," he said. "Given this proliferation, focusing on cybersecurity is vital in ensuring these robots are safe and don’t present serious cyber or physical threats to the people and organisations they’re intended to serve.”
IOActive has discovered 50 cybersecurity flaws (many of them common problems) across six of the biggest robotics brands and manufacturers, including:
- SoftBank Robotics: NAO and Pepper robots
- UBTECH Robotics: Alpha 1S and Alpha 2 robots
- ROBOTIS: ROBOTIS OP2 and THORMANG3 robots
- Universal Robots: UR3, UR5, UR10 robots
- Rethink Robotics: Baxter and Sawyer robots
- Asratec Corp: Several robots using the affected technology
The problems identified in the home, business, and industrial robots ranged from insecure communications and authentication issues, to weak cryptography, memory corruption, and privacy problems.
A research paper published on Wednesday, Hacking Robots Before Skynet, outlines security precautions that should be taken by robotic vendors to improve the security of robots, including implementing the Secure Software Development Life Cycle methodology, encryption, security audits, and more.
All vendors included in the paper were alerted to the various specific vulnerabilities identified within their products many weeks ago in the course of responsible disclosure.
Specific technical details of the vulnerabilities identified will be released at the conclusion of the disclosure process when vendors have had adequate time to address the findings, according to IOActive. ®