Researchers Demonstrate Ransomware Attack on Robots

CANCUN – KASPERSKY SECURITY ANALYST SUMMIT – IOActive security researchers today revealed a ransomware attack on robots, demonstrating not only that such assaults are possible, but also their potential financial impact.

Ransomware incidents are usually associated with personal computers, servers, mobiles, healthcare systems, and even industrial systems, but IOActive researchers Cesar Cerrudo and Lucas Apa set out to prove that robots too are prone to such attacks.

According to them, over 50 vulnerabilities discovered last year in robots from several vendors could allow for a broad range of assaults, such as abusing a robot’s cameras and microphones for spying purposes, leaking data, or even causing physical harm.

With robots becoming increasingly popular, cyberattacks targeting them might soon become a common thing, with great financial losses and brand damage to businesses. Not only are robots expensive to purchase, but repairs aren’t usually easy to perform, and a hacking operation could result in a unit being taken offline for weeks, the researchers argue.

Cerrudo and Apa performed their attacks on commercially-available Pepper and NAO robots from SoftBank Robotics, which has already sold over 30,000 units worldwide.

A ransomware attack on a robot is different from that on a computer, mainly because the robot doesn’t usually store data, but only handles it. Regardless, such an attack could result in a business losing access to data, production being shut down, or weeks of interrupted operations until the robot is fixed.

The security researchers created their own ransomware to target the NAO robot model, which runs the same operating system as the Pepper model. The experts showed that by injecting custom code into any of the classes included in behavior files, they could cause the robot to behave maliciously.

An infected robot could be repurposed to display adult content to customers, to insult customers when interacting with them, or even perform violent movements. While unable to target valuable data, an attacker could target the robot’s components, thus interrupting its service until a ransom is paid.

“The infected robot could also be an entryway into other internal networks at a business, offering backdoor access to hackers and an entry point for layer penetration to steal sensitive data,” IOActive says.

The injected malicious code could also disable administration features and monitor the robot’s audio and video, directing data from these components to the attacker’s command and control (C&C) server. Changing SSH settings and passwords to prevent remote access to the robot and disabling the factory reset mechanism would also be possible.

“It’s no secret that ransomware attacks have become a preferred method for cybercriminals to get monetary profit by encrypting victim information and requiring a ransom to get the information back,” Apa said. “What we found was pretty astonishing: ransomware attacks could be used against business owners to interrupt their businesses and coerce them into paying ransom to recover their valuable assets.”

During their investigation, the security researchers also discovered that a malfunction in the robot is not as easy to fix, given that technicians aren’t always readily available. Their robot had to be sent back to the vendor for repairs, a process that took three weeks.

“The robots could also malfunction which may take weeks to return them to operational status. Unfortunately, every second a robot is non-operational, businesses and factories are losing lots of money,” Apa said.

The security researcher also argues that, while their ransomware targets SoftBank’s NAO and Pepper robots, any vulnerable robot is susceptible to this type of attack. Thus, vendors should focus on improving not only the security of their robots, but also the restore and update mechanisms in order to minimize the ransomware threat.

In their attack, the researchers exploited a vulnerability that was disclosed to SoftBank in January 2017, but which appears to have not been addressed as of now. An undocumented function allows for the remote execution of commands by “instantiating a NAOqi object using the ALLauncher module and calling the internal _launch function.”

IOActive is presenting a proof-of-concept on Friday at the 2018 Kaspersky Security Analyst Summit (SAS) in Cancun, Mexico. The company has also published a video demonstrating the attack.

Related: Researchers Demo Remote Hacking of Industrial Cobots

Related: Vulnerabilities Found in Double Telepresence Robots

Related: Industrial Robots Vulnerable to Remote Hacker Attacks