In my recent TechRepublic column Robot crime raises thorny legal issues that need addressing now, I wrote that Christopher Markou, a Ph.D. candidate and Faculty of Law at the University of Cambridge, warns that current laws are woefully inadequate to handle crimes committed by robots.
If current laws are inadequate, then the bad guys are going to have a field day, according to Trend Micro’s new report Rogue Robots: Testing the Limits of an Industrial Robot’s Security (PDF), a collaboration between Politecnico di Milano (POLIMI) and Trend Micro’s Forward-Looking Threat Research (FTR) Team.
“Unfortunately, the Industry 4.0 revolution is just bringing industrial robots closer to the forefront,” state the authors in the report’s introduction. “As improvements in the way industrial robots work and communicate increase their complexity and interconnectedness, the industrial robots sector unlocks a broader attack surface.”
With the impending proliferation of robotic assemblies–the International Federation of Robotics forecasts close to 1.3 million industrial robot units will be employed in factories globally by 2018–the practice of assigning public-facing IP addresses to robot controllers has members of Trend Micro’s FTR Team concerned. Using public IP addresses makes it much easier for cybercriminals and “just because I can” hackers to pwn and have their way with a robotic device.
What an Industry 4.0 robotic system looks like
Let’s start by defining an Industry 4.0 robot ecosystem (Figure A): “Industry 4.0 is the current trend of automation and data exchange in manufacturing technologies,” according to this Wikipedia entry. “It includes cyber-physical systems (systems controlled and/or monitored by computer-based algorithms, and are tightly integrated with the internet and its users), the Internet of Things, and cloud computing.”
The report describes what the researchers consider to be an industrial robot assembly (Figure B).
A typical industrial robot assembly consists of the following components.
- Robot: An automatically controlled, multipurpose manipulator that is programmable in three or more axes, and can be either fixed in place or mobile.
- Controller: The robot’s computer brain composed of multiple, interconnected subsystems designed for efficiency, complex motion description, nonlinear control, and logical interaction with human operators.
- Control System: A framework overseeing the activities of the robot, making it one of the most safety- and security-critical components. The control system is split into different modules and hierarchies, allowing it to measure the state of the system and translate high-level tasks into specific actions.
- Human-Robot Interface: A wired or wireless handheld unit (teach pendant) used by programmers and operators to program and monitor the status of the robot.
- Robot Programming: Online- or offline-written programs using a domain-specific programming environment and stored in the controller’s global memory.
Attack model that mimics an Industry 4.0 situation
To ensure uniformity of testing, the team of researchers formulated an attack model–one mimicking a real-world Industry 4.0 situation. That required defining what could and what could not be used to compromise the robotic device. The group came up with the following parameters.
Access Level: The report’s authors mention that breaking or tampering with the physical security of the robot controller’s case is not an option. The attack has to be initiated using one of two methods (Figure C).
- Network attack: Use the internet, a factory local area network, or remote service facilities that may be vulnerable.
- Physical attack: Access the robot’s computer interface by plugging a tool into an available port on the robot’s controller.
Technical Capabilities: The researchers assume that attackers are familiar with the targeted industrial robot and possess the technical skills to perform reverse engineering without exploiting any insider technical knowledge.
Access to software: The researchers state that the executable binaries and firmware of the robot’s controller–which allow attackers to reverse engineer the software and discover vulnerabilities–are typically available for download from the manufacturer’s website, and thus fair game for the research team.
Attacker’s Budget: Interestingly, used or reconditioned industrial robot parts are for sale without restrictions and are affordable. Those wanting to attack a specific model of industrial robot know this and use the parts to gain access or knowledge, so once again fair game for the researchers.
Industrial robots are standardized
The researchers selected an industrial robot that would be the focus of their testing–the brand and model are less important than one might expect. “Due to the architectural commonalities of most modern industrial robots and the existence of standards, the robot chosen for our case study is representative of a large class of industrial robots,” note the authors of the Trend Micro report.
Hackers’ motives for attacking robots
The researchers mention that the reasons for attacking industrial robots are numerous, and list several of the most likely motives.
- Production outcome alteration or sabotage: By exploiting robot control, attackers are able to inject faults and micro-defects into parts or assemblies being produced.
- Ransomware attacks on altered products: It is possible for an attacker to introduce micro-defects into the production chain, keep track of which products are affected, and contact the manufacturer asking for ransom to reveal which lots were affected.
- Physical damage: An attacker with control of a robot can damage its parts or cause injuries to people who work near the robot by disabling or substantially altering safety devices.
- Sensitive data exfiltration: The robot’s controller is a computer attached to a factory network. To prevent data from being stolen, the controller must be protected like any other network node.
Attack vectors and test results
Now for the fun part: The researchers, using their tools and expertise, went after the test robotic assembly. They write, “We explored concrete attack vectors that when exploited, allowed us to subvert the interaction between a robot and its physical environment, violating its basic operational requirements.”
“We found five classes of attacks based on the observation that a robot working under normal circumstances should be able, at least, to read accurately from sensors, execute its control logic, perform precise movements, and not harm humans,” continues the report. “Instead, our attacks show that none of these properties are assured.”
In other words, the researchers were able to subvert the test robot using one or more of the attacks listed in the graph in Figure D.
As to why the above attacks worked, the authors suggest that the robotic assembly:
- contains outdated software;
- relies on a vulnerable operating system and cryptographic libraries; and
- uses a weak authentication system with default, unchangeable credentials.
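A defender can check a controller inventory for these conditions, along with the public-facing addressing mentioned earlier. The following is an added example, not code from the report or from Trend Micro; the inventory fields, network ranges, firmware threshold and controller names are all constructed assumptions.

```python
import ipaddress

# Assumption: networks the plant treats as internal (constructed values).
PLANT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]
# Assumption: oldest firmware release the operator still considers patched.
MIN_FIRMWARE = (6, 5, 0)

# Constructed inventory; 203.0.113.10 is a documentation address standing in
# for a controller that was given a public-facing IP.
INVENTORY = [
    {"name": "weld-cell-1", "address": "10.20.4.15", "firmware": "6.5.2", "default_credentials": False},
    {"name": "paint-cell-2", "address": "203.0.113.10", "firmware": "6.5.0", "default_credentials": False},
    {"name": "press-cell-3", "address": "192.168.50.7", "firmware": "5.9.11", "default_credentials": True},
    {"name": "pack-cell-4", "address": "not-an-ip", "firmware": "6.x", "default_credentials": False},
]

def parse_version(text):
    """Turn '6.5.2' into (6, 5, 2); return None when a part is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit_controller(entry):
    """Return the list of findings for one inventory entry."""
    findings = []
    try:
        addr = ipaddress.ip_address(entry["address"])
        if not any(addr in net for net in PLANT_NETWORKS):
            findings.append("address outside plant networks")
    except ValueError:
        findings.append("unparseable address")
    version = parse_version(entry["firmware"])
    if version is None:
        findings.append("unparseable firmware version")
    elif version < MIN_FIRMWARE:
        findings.append("firmware older than minimum")
    if entry["default_credentials"]:
        findings.append("default credentials in use")
    return findings

def audit(inventory):
    """Map controller name -> findings, keeping only controllers with findings."""
    report = {e["name"]: audit_controller(e) for e in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Entries that cannot be parsed are reported rather than skipped, so a malformed inventory record never hides an exposed controller.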
What is the solution?
The researchers feel the answer to a more secure robotic ecosystem is neither improved embedded software nor faster patching of vulnerabilities, but a holistic approach based on the following suggestions.
- Robotic safety standards need improvement, as current ones, such as e-stop features and speed restrictions, may not take into account being compromised digitally.
- The problem of designing in security without sacrificing functionality is very much in play, and needs to be addressed.
- Security mechanisms are needed to ensure that operators can override unwanted behavior by the robot in a safe manner.
- Effective and readily applicable attack-detection methodology is needed to ensure threat mitigation.
The researchers conclude the report by suggesting that security extends beyond those who operate industrial robots to all players involved in producing and marketing the devices. And the overall objective and practical conclusion should be to make it more expensive than it’s worth to exploit industrial robotic assemblies.