The software and firmware that bring robots to life are affected by potentially serious vulnerabilities that can allow hackers to remotely take control of the machines, according to an analysis conducted by security firm IOActive.
Robots are increasingly common in homes, businesses, industrial environments, the military and law enforcement, and healthcare organizations. International Data Corporation (IDC) estimated in January that worldwide spending on robotics and related services will reach $188 billion in 2020.
There have been many cases in the past years where people were injured or killed in accidents involving robots, but experts warn that robots could pose a serious threat if they are vulnerable to remote hacker attacks.
IOActive researchers have analyzed home, industrial and business robots from six different vendors: SoftBank Robotics (NAO and Pepper robots), UBTECH Robotics (Alpha 1S and Alpha 2), ROBOTIS (ROBOTIS OP2 and THORMANG3), Universal Robots (UR3, UR5 and UR10), Rethink Robotics (Baxter and Sawyer), and Asratec Corp (V-Sido robot control system).
The researchers have not acquired the actual robots and instead conducted tests on their mobile applications, software and firmware.
IOActive said it identified nearly 50 vulnerabilities in the tested components, but the security firm noted that it did not conduct an in-depth analysis, which suggests that the actual number of weaknesses is likely much higher.
The company has only published a paper providing a non-technical description of the vulnerabilities. Technical details will be made available after vendors have had a chance to address the flaws.
IOActive told SecurityWeek that it has notified all affected vendors, but only four of them have responded so far: SoftBank Robotics, UBTECH Robotics, Universal Robots and Rethink Robotics.
“Just one, SoftBank Robotics, said they were going to fix the issues but without any further details on when and how they are going to do it and what issues they were going to fix,” said Cesar Cerrudo, IOActive’s CTO and one of the paper’s authors. “Then Universal Robots said that our findings were interesting and that they should do something about it without giving any details. The rest haven’t mentioned if they are going to fix the issues or not.”
Robot vulnerabilities and impact
According to IOActive, the robots it has analyzed are affected by various types of vulnerabilities, including problems related to communications, authentication, authorization mechanisms, cryptography, privacy, default configurations, and open source components.
The flaws allow attackers to intercept communications between the robot and the application controlling it, remotely access critical services without a username and password, install malicious software, and extract sensitive information that is not encrypted properly.
Researchers said the vulnerabilities they identified can be exploited for spying via the robot’s camera and microphone, steal personal or business data, and even take control of the machine and cause physical damage or harm.
“Vendors need to start focusing more on security when speeding the latest innovative robot technologies to market or the issue of malfunctioning robots will certainly be exasperated when malicious actors begin exploiting common security vulnerabilities to add intent to malfunction,” Cerrudo said.