Robotic devices flooding the IoT market are insecure, according to IOActive researchers. Authentication and privacy issues are some of the cybersecurity risks the researchers found.
Due to robotics' interactions with humans, one might expect all possible care would be taken to ensure the devices are digitally secure; however, that appears not to be the case.
In the introduction to their paper Hacking Robots Before Skynet (PDF), authors Cesar Cerrudo, CTO at IOActive, and Lucas Apa, Senior Security Consultant at IOActive, write, "Similar to other new technologies, we've found robot technology to be insecure in a variety of ways, and that insecurity could pose serious threats to the people, animals, and organizations they operate in and around."
Why is this a concern now?
Add the explosive growth of robotic devices to the potential for serious harm, and one begins to understand why Cerrudo and Apa are concerned. With regard to the rapid proliferation of robotic devices, the researchers offer the following statistics:
- Forecasts have global spending on robotics approaching $188 billion USD by 2020.
- Reports estimate venture capital investments reached $587 million USD in 2015 and $1.9 billion USD in 2016.
- Factories and businesses in the US alone added 10% more robotic devices in 2016 than in 2015.
How the vulnerabilities were discovered, and what the hacking experts found
As to how Cerrudo and Apa determined whether robotic devices are insecure, they employed IOActive's hacking experts to build cyberattack tools geared for robot ecosystems. "A robot ecosystem is comprised of the physical robot, an operating system, firmware, software, mobile/remote control applications, vendor Internet services, cloud services, and networks," write the two authors. "The full ecosystem presents a huge attack surface with numerous options for cyberattacks."
While testing robotic devices from various vendors, the researchers found 50 cybersecurity vulnerabilities. They state: "While this may seem like a substantial number, it is important to note our testing was not a deep, extensive security audit.... The goal of our work was to gain a high-level sense of how insecure today's robots are."
The following are some of the cybersecurity problems the two researchers found.
Insecure communications: Currently, Bluetooth and Wi-Fi connect most robotic devices to the internet; that, in and of itself, is not an issue. The concern, explain Cerrudo and Apa, is sending traffic as cleartext over wireless. The researchers also found that where traffic was encrypted, the encryption was more than likely weak or improperly used. Either way, cleartext or poorly encrypted traffic allows bad guys to obtain the information they need to carry out their attacks.
Authentication issues: According to Cerrudo and Apa, only valid users should have access to robotic devices, be able to send commands, and program robots. In reality, that ideal is not always met. "We found key robot services that did not require a username and password, allowing anyone remote access to those services," add the two authors. "In some cases, where services used authentication, it was possible to bypass it allowing access without a correct password."
Missing authorization: Only authorized users or resources, after authenticating, should have access to a robotic device's functionality. "We found most robots do not require sufficient authorization to protect their functionality, including critical functions such as installation of applications in the robots themselves," write Cerrudo and Apa. "This enables an attacker to install software in these robots without permission and gain full control over them."
Privacy issues: Cerrudo and Apa write that, in some instances, a robot's mobile applications are sending private information to remote servers without user consent, including mobile network information, device information, and current GPS location. This information could then be used for surveillance and tracking purposes without the user's knowledge.
Weak default configuration: According to the researchers, the original configuration of many robotic devices has insecure features that cannot easily be disabled or protected, as well as features with default passwords that are either difficult to change or cannot be changed at all.
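The authentication and missing-authorization findings above come down to two checks a robot's command service should make before acting on a request. The sketch below is an added example, not code from the IOActive paper or from any vendor; the user table, keys, command names and the `CommandGate` class are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample accounts: per-user keys and roles (hypothetical values).
USERS = {
    "operator": {"key": b"k-operator-constructed", "role": "operator"},
    "admin": {"key": b"k-admin-constructed", "role": "admin"},
}

# Deny by default: a command missing from this table is never executed.
PERMISSIONS = {
    "status": {"operator", "admin"},
    "move": {"operator", "admin"},
    "install_app": {"admin"},  # the critical function the researchers single out
}


def sign(key: bytes, user: str, command: str, nonce: str) -> str:
    """Client side: HMAC-SHA256 tag over an unambiguous encoding of the request."""
    msg = json.dumps([user, command, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CommandGate:
    """Authenticate every request, reject replays, then authorize by role."""

    def __init__(self):
        self.seen_nonces = set()

    def handle(self, user: str, command: str, nonce: str, tag: str) -> str:
        account = USERS.get(user)
        if account is None or not isinstance(tag, str):
            return "denied: unauthenticated"
        expected = sign(account["key"], user, command, nonce)
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "denied: unauthenticated"
        if (user, nonce) in self.seen_nonces:
            return "denied: replay"
        self.seen_nonces.add((user, nonce))
        # Authorization is a separate step: a valid login is not enough.
        if account["role"] not in PERMISSIONS.get(command, set()):
            return "denied: unauthorized"
        return f"accepted: {command}"
```

An authenticated operator can move the robot, but the same operator's correctly signed `install_app` request is refused because the role check runs after, and independently of, the identity check.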
The researchers' conclusion
To begin, Cerrudo and Apa state that not all of the robots tested were vulnerable to every one of the cybersecurity issues they found, though each robot tested had vulnerabilities. "It is common for robots born as research projects to become commercial products with no additional cybersecurity protections," reason Cerrudo and Apa. "The security posture of the final product remains the same as the research or prototype robot. This practice results in poor cybersecurity defenses since research and prototype robots are often designed and built with little or no protection."
The two researchers conclude their paper with a sobering thought: "If robot ecosystems continue to be vulnerable to hacking, robots could soon end up hurting instead of helping us, and potentially taking the 'fiction' out of science fiction."
Note: Before publishing this white paper, Cerrudo and Apa began helping affected vendors address vulnerabilities impacting their robotic devices.