Hacked robots can be a deadly insider threat

IOActive researchers have probed the security of a number of humanoid home and business robots as well as industrial collaborative robots, and have found it seriously wanting.


A slew of vulnerabilities – authentication/authorization issues and bypasses, insecure transport of data and firmware update mechanisms, undocumented methods, hard-coded passwords, unencrypted storage, easily disabled human safety protections – can be exploited to allow attackers to spy on users, hijack the robots, brick them and, what’s even worse, injure humans around them.

The researchers documented their findings in three separate advisories, pointing out issues in UBTech’s Alpha small-sized humanoid robots, SoftBank Robotics’ Pepper and NAO small and human-sized interactive companion robots, and Universal Robots’ cobots – “mechanical arms” that work with humans without any physical separation.

In the accompanying report, they also included vulnerabilities found in software for ROBOTIS’ humanoid robotic kits, Asratec’s robot control system (V-Sido OS), and Rethink Robotics’ Baxter industrial robot.

“Since robots interact mostly with end-users, physical access is acceptable and expected. Home and business robots typically interact with family members, home visitors, customers or employees, while industrial and collaborative robots interact with company’s workers. Physical attacks are possible when adversaries can access the robot’s hardware or mechanics to modify its behaviour or set up a persistent threat,” the researchers explained.

These robots usually have exposed connectivity ports that allow physically present users to fiddle with them (via special USB devices, Ethernet connections), but unfortunately there are also ways for remote attackers to interfere with the robots’ safety features (collision detection and avoidance mechanisms), which can result in serious injuries.

Some of the robots – e.g. UBTech’s Alpha 1S robot – can be bricked by sending a tampered firmware image via Bluetooth.

Vulnerability disclosure and vendor response

I’ve been told that IOActive researchers first notified the vendors of their findings in January, and that vendor reaction has been mixed: some ignored the notification entirely, while others say they are still working on a fix or claim that sufficient fixes have been made.

IOActive researchers do not believe these vulnerabilities have been fixed.

In the case of UBTech, for example, IOActive has auto-updates enabled on its devices and has not seen updates that fix the identified vulnerabilities, nor did they (as customers) receive any notification that they should upgrade urgently.

This latest report is a follow-up to the “Hacking Robots before Skynet” research IOActive shared in March, with many technical details omitted for the sake of vendor disclosure. This time around the report contains exploit code for some of the flaws, as well as instructions on how to go about exploiting them.