A group of researchers has found substantial security issues in the SoftBank Pepper robot, including unauthenticated administrative capabilities. The findings were detailed in a paper, published this month, written by Alberto Giaretta of Örebro University in Sweden, along with Michele De Donno and Nicola Dragoni of the Technical University of Denmark.
In the paper, the researchers indicate that SoftBank Robotics "extensively neglected any sort of security assessments before commercializing their product." The most pressing problems center around administrative functions. For starters, the admin webpage is delivered over HTTP. The root password is "root," though root is restricted from logging in via SSH. According to the researchers, "no tool suggests, nor enables, [users] to change the root password," adding that the password is printed in the manual.
The admin webpage login credentials also work for SSH, enabling hackers to capture the login details and reuse them over SSH, from which root privileges can be obtained via su, the paper noted. Of note, the admin webpage also lacks a logout function.
The researchers lament this detail in the whitepaper:
"We strongly believe that, in 2018, selling products so easily vulnerable to these kinds of attacks is not tolerable anymore. Authenticating over an unencrypted communication channel is one of the worst mistakes a software developer can make, computer scientists are taught to avoid it since their bachelor's program, it is quite saddening to find it implemented in a commercial product sold on the market."
This apparent lack of any attempt at security is dwarfed only by the Pepper API's lack of any type of authentication system: the robot implicitly trusts any valid API call on port 9559, allowing any remote attacker to spy on end users by commandeering access to the cameras and microphones, as well as to interact with users in real time. This prompted the researchers to claim that SoftBank Robotics, "along with many others, invests almost nothing into constructing a secure product since the design phase."
Pepper's software stack also lacks any countermeasures against brute-force attacks, and relies on outdated versions of common open source tools. Pepper is powered by an Intel Atom E3845, which is vulnerable to Meltdown and Spectre attacks.
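For operators who already have a Pepper on their network, the practical response to these findings is to confirm that only a management subnet can reach the robot's exposed services. The following is an added example, not code from the paper or from SoftBank: it audits flow records for connections to the API port (9559), the HTTP admin page and SSH that originate outside an allowlisted management network. The robot address, the subnet, the log format and the use of default ports 80 and 22 are all assumptions, and the sample records are constructed.

```python
import ipaddress

# 9559 is the API port named in the article; 80 and 22 are assumed
# protocol defaults for the HTTP admin page and SSH.
RISKY_PORTS = {
    9559: ("critical", "API accepts any valid call without authentication"),
    80: ("high", "admin page login travels over cleartext HTTP"),
    22: ("high", "admin web credentials also work for SSH, then su to root"),
}

# Constructed deployment details: robot address and management subnet.
ROBOTS = {ipaddress.ip_address("10.20.0.15")}
MGMT_NETS = [ipaddress.ip_network("10.20.99.0/28")]

# Constructed flow records in the form "timestamp src dst dport".
SAMPLE_FLOWS = """\
2018-06-01T09:00:01Z 10.20.99.4 10.20.0.15 80
2018-06-01T09:02:13Z 10.20.5.77 10.20.0.15 9559
2018-06-01T09:02:40Z 10.20.5.77 10.20.0.15 22
2018-06-01T09:03:02Z 10.20.5.77 10.20.0.31 9559
2018-06-01T09:05:55Z 192.0.2.8 10.20.0.15 80
not a flow record
"""

def audit_flows(text):
    """Flag flows to a robot's risky ports from outside MGMT_NETS, critical first."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # wrong field count
        ts, src, dst, dport = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # malformed address or port
        if dst_ip not in ROBOTS or port not in RISKY_PORTS:
            continue
        if any(src_ip in net for net in MGMT_NETS):
            continue  # expected administrative traffic
        severity, reason = RISKY_PORTS[port]
        findings.append({"time": ts, "src": src, "port": port,
                         "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["time"]))

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['time']} {f['severity'].upper():8} {f['src']} -> :{f['port']} {f['reason']}")
```

Any finding means the robot is reachable from a network segment that should be blocked at the firewall or switch, since none of the weaknesses described in the paper can be fixed by the operator on the device itself.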
Pepper was launched in 2014, as an emotionally intelligent robot that can identify joy, sadness, anger, or surprise, as well as facial expressions and vocal tones. Owing to these capabilities, Pepper is most commonly deployed as a customer service robot, and is a regular fixture at Marriott Hotels in the United States, Nissan dealerships and Mizuho Bank branches in Japan, as well as SoftBank's own mobile phone stores.
Pepper is the first product unveiled by the newly-titled SoftBank Robotics, after the Japanese firm acquired French company Aldebaran Robotics in 2014. SoftBank subsequently acquired Boston Dynamics in 2017 from Google's parent company Alphabet in an attempt to bolster the company's robotics holdings. Similarly, the company acquired ARM Holdings in 2016 to increase the strength of its IoT portfolio.
The big takeaways for tech leaders:
- SoftBank's Pepper robot, which is often used for customer service, can be trivially compromised by hackers.
- Researchers claim this is due to the manufacturer "[investing] almost nothing into constructing a secure product since the design phase."
SoftBank was contacted for comment on this story, but did not respond by press time.
James Sanders is a Tokyo-based programmer and technology journalist. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.