Some of the most popular robots on the market are ‘dangerously easy’ to hack, experts are warning.
Seattle-based cybersecurity firm IOActive Inc. discovered several consumer and industrial robots can easily be turned into bugging devices or even weapons with just a little hacking, with one even able to cause a skull fracture if taken over by someone with malicious intention.
The machines studied include robots from Softbank Robotics, UBTECH Robotics, Universal Robotics, Asratec Corp, ROBOTIS, and Rethink Robotics.
Scroll down for video
Seattle-based cybersecurity firm IOActive Inc. discovered several consumer and industrial robots can easily be turned into bugging devices or even weapons with just a little hacking
THE DISCOVERED VULNERABILITIES
– Insecure communications
– Authentication issues
– Missing authorization
– Weak cryptography
– Privacy issues
– Weak default configuration
– Vulnerable open source robot frameworks and libraries
Overall, these vulnerabilities lead to a plethora of dangers, including the possibility they could be hijacked and used as secretive listening devices or even weapons.
For example, Universal Robots’s industrial devices are designed to work directly alongside humans, but IOActive was able to remotely disable the robot’s key safety features in a way that could result in someone programming it to injure nearby humans.
The firm said this was especially worrying because of the industrial robot’s size and strength, telling Bloomberg that ‘even running at low speeds, their force is more than sufficient to cause a skull fracture.’
UBTech’s Alpha series home robots could also be hacked to carry out physical attacks, the firm said.
‘In the very near future robots will be everywhere, on military missions, performing surgery, building skyscrapers, assisting customers at stores, as healthcare attendants, as business assistants, and interacting closely with our families in a myriad of ways,’ reads a paper on the research, titled, ‘Hacking Robots Before Skynet.’
‘Similar to other new technologies, we’ve found robot technology to be insecure in a variety of ways, and that insecurity could pose serious threats to the people, animals, and organizations they operate in and around.’
IOActive was able to remotely hack Universal Robot’s industrial machines in a way that could result in someone programming it to injure nearby humans. With its size and strength, ‘even running at low speeds, their force is more than sufficient to cause a skull fracture’
Researchers at the firm applied their own expertise in hacking to determining flaws in current robots being used in the world today.
They applied risk assessment and threat modeling tools to robot ecosystems to support the research efforts, which allowed them to prioritize the critical and high cybersecurity risks for the robots.
The team looked at the physical robots in some cases but not for every robot; however, they say this did not impact the research as they had access to the core components, which provide most of the functionality for the robots.
The report detailing the findings names more than a dozen robots from six companies the researchers determined to be at risk for malicious hacking.
From Japan’s Softbank Robotics, consumer robots NAO and Pepper robots made the list.
HACKABLE ROBOTS REVEALED
UBTECH Robotic’s Alpha 1 (pictured) was among the affected robots
The team found around 50 machines were at risk, including:
– Japan’s Softbank Robotics consumer robots NAO and Pepper
– UBTECH Robotics’ Alpha 1S and Alpha 2 robots
– ROBOTUS’ ROBOTIS OP2 and THORMANG3 robots
– Universal Robots, industrial the UR3, UR5, and UR10
– ‘Several robots using the affected V-Sido technology’ developed by software company Asratec
The Alpha 1S and Alpha 2 robots from UBTECH Robotics – which makes machines for the home and office – did as well.
The home ROBOTIS OP2 and THORMANG3 robots from ROBOTUS were determined to be at risk, as were the Baxter and Sawyer robots from Rethink Robotics.
From Universal Robots, industrial the UR3, UR5, and UR10 robots all made the list.
Asratec (which develops robot control software used by several vendors) didn’t fare well in the investigation at all – the researchers didn’t even name the associated compromised robots and instead listed ‘several robots using the affected V-Sido technology.’
In all, the team found nearly 50 cybersecurity vulnerabilities in the robot ecosystem components, many of which were common problems across the machines.
‘While this may seem like a substantial number, it’s important to note that our testing was not even a deep, extensive security audit,’ the paper reads.
FEATURES VULNERABLE TO ATTACK
– Microphones and camera
– Network connectivity
– External service interaction
– Remote control applications
– Modular extensibility
– Safety features
– Autonomous robots
– Known operating systems
– Network advertisement
– Fact installation/deployment
– Connection ports
It was found that most of the robots tested were using insecure communication, meaning it’s possible hackers could easily intercept communications and steal confidential information, compromise key components of the robot ecosystem, hack the robot and more.
Authentication issues were another problem, with most robots exposing one or more services that can be remotely accessed by computer software, mobile applications, and Internet services.
‘We found key robot services that didn’t require a username and password, allowing anyone to remotely access those services – In some cases, where services used authentication, it was possible to bypass it, allowing access without a correct password,’ the paper reads.
‘This is one of the most critical problems we found, allowing anyone to remotely and easily hack the robots.’
Similarly, missing authorization was another discovered risk.
The researchers found most robots did not require sufficient authorization to protect their functionality, including critical functions such as installation of applications in the robots themselves and updating their operating system software.
This vulnerability would allow hackers to gain complete control over the affected robots.
Hackers can use the vulnerabilities to turn robots into dangerous machines, like the Terminator (pictured)
Weak default configuration was discovered to lead to insecure features and password issues in some of the robots.
Some passwords were found to be difficult or impossible to change, which would make it possible for anyone could abuse the robot’s functionality since default passwords are usually publicly known.
The open source framework of many of the robots was also found to be vulnerable, as was the cryptography – most of the robots were found to not be using encryption or to be using it improperly.
Some robots’ mobile applications were even found to be sending exposed private information – including mobile network information, device information and current GPS location – remote servers without user consent.
Bloomberg reached out to all the named robotics companies and didn’t hear back from UBTech.
Universal Robots spokesman Thomas Stensbol said the company was aware of IOActive’s report.
‘We have a constant focus on our product improvement and industrial hardening for the sake of our customers,’ he told Bloomberg, adding their robots ‘undergo rigorous safety certification.’
‘This includes monitoring any potential vulnerability, not just cybersecurity.’
SoftBank spokesman Vincent Samuel said the company has fixed all of the vulnerabilities the cybersecurity firm discovered, but Apa contested the team hasn’t been able to confirm the flaws have been resolved.
‘We contacted all the vendors in January but sadly there’s little to suggest that the 50-plus vulnerabilities we demonstrated have been fixed,’ Lucas Apa, IOActive senior security consultant, told Bloomberg.
‘Most vendors were not forthcoming when we contacted them in private, so going public was the only option left available to us.’
People are using robots more and more, with factories and businesses in the U.S. added 10 percent more robots in 2016 than in the previous year. Industrial robots like the one from Universal Robots (pictured) are becoming increasingly popular.
The goal of the research was to gain a high-level sense of how insecure today’s robots are so the public and developers are aware of the dangers and can prevent them.
As time goes one, IOActive sees the issue becoming increasingly important.
People are using robots more and more, with factories and businesses in the U.S. added 10 percent more robots in 2016 than in the previous year.
The sector itself is booming as well with investors pouring billions into the mentioned robotics companies – reports forecast worldwide spending on robotics will reach $188 billion in 2020.
SoftBank, for example, recently received $236 million from Alibaba and Foxconn for its robotics division.
UBTECH Robotics raised $120 million in the past two years.
Reports estimate venture capital investments in robotics reached $587 million in 20155 and $1.95 billion in 2016.
‘The evidence of robots going mainstream is as compelling as it is staggering,’ the paper reads.
‘Large investments are being made in robotic technology in both public and private sectors.’