Surgery-bot can be hacked to HACK YOU TO PIECES

Not even life-or-death situations make people care about security

Surgical robot makers are just as good at security as the rest of the world - ie, hopeless - according to University of Washington infosec boffins.

The researchers targeted a product of their own university's research, a telesurgery unit called the Raven II, and among other things found an exploitable safety mechanism in the device.

Since the robot is designed to be remotely controlled over the Internet, it needs a failsafe in case a surgeon commands a dangerous movement – moving the arm too fast, or into an unsafe position. If that happens, the system gets halted in what's called a “software E-stop”.

All that's needed, however, is for an attacker to send a single packet giving a dangerous instruction and the E-stop will be invoked; and if the attacker hoses the robot with lots of malicious packets, they can “stop the robot from ever being properly reset, thus effectively making a surgical procedure impossible”.

Raven II: telesurgery for hackers. Image: University of Washington

Their paper, at arXiv, shows off a bunch of other amusing vulnerabilities. The robot can be hijacked by fooling around with TCP/IP sequence numbering; this makes the device think there have been lost packets between surgeon and robot, and it establishes a new session with the attacker.

A man-in-the-middle attacker can also change the contents of the surgeon's packets, giving the robot new instructions (a “surgeon's intent modification” attack).

Getting the network to drop lots of the surgeon's instruction packets makes the robot's motion “delayed and jerky”, the researchers write, and a similar impact also comes from intercepting the surgeon's instructions and forwarding the packets in the wrong order.

Unsurprisingly, the simplest way to defeat these attacks is to sling all traffic between surgeon and robot over an encrypted tunnel – a VPN, if idiot politicians don't ban such things – so that an attacker can't fool around with the traffic.
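What an authenticated channel buys the robot, as an added sketch that is not from the researchers' paper or the Raven II code: every command carries a keyed tag and a sequence number, and anything that fails either check is dropped before the safety limit is evaluated, so injected or altered packets cannot trip the E-stop. The packet layout, key, speed limit and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed layout (assumption): 8-byte sequence number, three float32
# axis velocities, then a 32-byte HMAC-SHA256 tag over those 20 bytes.
BODY = struct.Struct("!Q3f")
TAG_LEN = 32
MAX_SPEED = 1.0  # hypothetical per-axis limit that triggers the software E-stop

def seal(key, seq, velocity):
    # Surgeon side: pack a command and append its authentication tag.
    body = BODY.pack(seq, *velocity)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    # Robot side: authenticate and order-check before any safety logic runs.
    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.estopped = False

    def handle(self, packet):
        if len(packet) != BODY.size + TAG_LEN:
            return "dropped"
        body, tag = packet[:BODY.size], packet[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "dropped"  # injected or modified: cannot trip the E-stop
        seq, *velocity = BODY.unpack(body)
        if seq <= self.last_seq:
            return "dropped"  # replayed or delivered out of order
        self.last_seq = seq
        if any(abs(v) > MAX_SPEED for v in velocity):
            self.estopped = True  # authentic but unsafe command still halts
            return "estop"
        return "applied"

def demo():
    key, rx = b"k" * 32, Receiver(b"k" * 32)  # constructed key
    tampered = bytearray(seal(key, 2, (0.1, 0.1, 0.1)))
    tampered[10] ^= 0xFF  # one byte of the velocity changed in transit
    packets = [seal(key, 1, (0.1, 0.0, -0.2)),       # genuine
               seal(b"x" * 32, 2, (9.0, 9.0, 9.0)),  # injected without the key
               bytes(tampered),                      # modified in transit
               seal(key, 1, (0.1, 0.0, -0.2)),       # replay of the first
               seal(key, 3, (0.2, 0.0, 0.0))]        # genuine
    return [rx.handle(p) for p in packets], rx.estopped
```

Key distribution and confidentiality are out of scope here; a deployment would get these properties from an established tunnel such as the VPN the article mentions rather than from a hand-rolled format.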

However, putting robots in charge of life-and-death applications isn't somewhere that security after-the-fact is a great idea. ®


Biting the hand that feeds IT © 1998–2022