Security Experts:

Connect with us

Hi, what are you looking for?



Researchers Demonstrate Ransomware Attack on Robots

CANCUN – KASPERSKY SECURITY ANALYST SUMMIT – IOActive security researchers today revealed a ransomware attack on robots, demonstrating not only that such assaults are possible, but also their potential financial impact.

CANCUN – KASPERSKY SECURITY ANALYST SUMMIT – IOActive security researchers today revealed a ransomware attack on robots, demonstrating not only that such assaults are possible, but also their potential financial impact.

Ransomware incidents are usually associated with personal computers, servers, mobiles, healthcare systems, and even industrial systems, but IOActive researchers Cesar Cerrudo and Lucas Apa set out to prove that robots too are prone to such attacks.

According to them, over 50 vulnerabilities discovered last year in robots from several vendors could allow for a broad range of assaults, such as abusing a robot’s cameras and microphones for spying purposes, leaking data, or even causing physical harm.

With robots becoming increasingly popular, cyberattacks targeting them might soon become a common thing, with great financial losses and brand damage to businesses. Not only are robots expensive to purchase, but repairs aren’t usually easy to perform, and a hacking operation could result in a unit being taken offline for weeks, the researchers argue.

Cerrudo and Apa performed their attacks on commercially-available Pepper and NAO robots from SoftBank Robotics, which has already sold over 30,000 units worldwide.

A ransomware attack on a robot is different from that on a computer, mainly because the robot doesn’t usually store data, but only handles it. Regardless, such an attack could result in a business losing access to data, production being shut down, or weeks of interrupted operations until the robot is fixed.

The security researchers created their own ransomware to target the NAO robot model, which runs the same operating system as the Pepper model. The experts showed that by injecting custom code into any of the classes included in behavior files, they could cause the robot to behave maliciously.

An infected robot could be repurposed to display adult content to customers, to insult customers when interacting with them, or even perform violent movements. While unable to target valuable data, an attacker could target the robot’s components, thus interrupting its service until a ransom is paid.

“The infected robot could also be an entryway into other internal networks at a business, offering backdoor access to hackers and an entry point for layer penetration to steal sensitive data,” IOActive says.

The injected malicious code could also disable administration features and monitor the robot’s audio and video, directing data from these components to the attacker’s command and control (C&C) server. Changing SSH settings and passwords to prevent remote access to the robot and disabling the factory reset mechanism would also be possible.

“It’s no secret that ransomware attacks have become a preferred method for cybercriminals to get monetary profit by encrypting victim information and requiring a ransom to get the information back,” Apa said. “What we found was pretty astonishing: ransomware attacks could be used against business owners to interrupt their businesses and coerce them into paying ransom to recover their valuable assets.”

During their investigation, the security researchers also discovered that a malfunction in the robot is not as easy to fix, given that technicians aren’t always readily available. Their robot had to be sent back to the vendor for repairs, a process that took three weeks.

“The robots could also malfunction which may take weeks to return them to operational status. Unfortunately, every second a robot is non-operational, businesses and factories are losing lots of money,” Apa said.

The security researcher also argues that, while their ransomware targets SoftBank’s NAO and Pepper robots, any vulnerable robot is susceptible to this type of attack. Thus, vendors should focus on improving not only the security of their robots, but also the restore and update mechanisms in order to minimize the ransomware threat.

In their attack, the researchers exploited a vulnerability that was disclosed to SoftBank in January 2017, but which appears to have not been addressed as of now. An undocumented function allows for the remote execution of commands by “instantiating a NAOqi object using the ALLauncher module and calling the internal _launch function.”

IOActive is presenting a proof-of-concept on Friday at the 2018 Kaspersky Security Analyst Summit (SAS) in Cancun, Mexico. The company has also published a video demonstrating the attack.

Related: Researchers Demo Remote Hacking of Industrial Cobots

Related: Vulnerabilities Found in Double Telepresence Robots

Related: Industrial Robots Vulnerable to Remote Hacker Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.