Industrial plant robots frequently connected to the 'net without authentication

Putting the ID in IoT


Industrial robots are frequently exposed to the internet, creating a security risk in the process, according to new research from Trend Micro.

Of the 83,000 robots researchers found exposed to the public internet, 5,000 had no authentication in place to guard against possible hack attacks.

A report by security researchers at Trend Micro and computer scientists at the Politecnico di Milano (POLIMI) in Italy highlights five attack types (such as altering the robot's state) which violate the three standard requirements of industrial robots: safety, integrity and accuracy.

For example, a hacker might be able to alter the control system so that the robot moves unexpectedly or inaccurately, at the attacker’s will.

The report (PDF) also uncovered 63 vulnerabilities in these systems.

"The software running on industrial robots is outdated; based on vulnerable OSs and libraries, sometimes relying on obsolete or cryptographic libraries; and have weak authentication systems with default, unchangeable credentials," the researchers report.

These flaws, if left unaddressed, create a mechanism for hackers to infiltrate, steal or disrupt industrial control plants. The scope of possible attacks include disrupting the operation of plants through to planting ransomware. Robots sometimes store sensitive data (eg, source code or information about production schedules and volumes) and this information might be snatched from vulnerable, internet-exposed systems.

Industrial robots are used in many aspects of manufacturing and beyond, from making cars to food production and packaging.

More details of the research are due to be published at the upcoming Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy in San Jose, USA, later this month.

Five years ago all this would have come as a nasty shock but these days the security shortcomings of industrial plants are likely to be viewed as a sub-set of the wider IoT problem.

Youtube Video

Mocana CTO Dean Weber commented: "The ease by which attackers can make their way into industrial systems underscores the need to secure devices at their core, by embedding defence in the hardware and firmware used to operate things like robotic arms.

"There is simply no way, as this report shows, to stop cybercriminals from finding ways into manufacturing plants and other industrial facilities via the Internet. There, are, however, ways to stop intruders from taking control of devices they find," he added. ®

Similar topics


Other stories you might like

  • Big Tech begs Congress to pass $52bn chip subsidies bill
    This silicon business ain't cheap, you know, say execs at Alphabet, Amazon, Microsoft, Nvidia etc

    Big Tech in America has had enough of Congress' inability to pass pending legislation that includes tens of billions of dollars in subsidies to boost semiconductor manufacturing and R&D in the country.

    In a letter [PDF] sent to Senate and House leaders Wednesday, the CEOs of Alphabet, Amazon, Dell, IBM, Microsoft, Salesforce, VMware, and dozens of other tech and tech-adjacent companies urged the two chambers of Congress to reach consensus on a long-stalled bill they believe will make the US more competitive against China and other countries.

    "The rest of the world is not waiting for the US to act. Our global competitors are investing in their industry, their workers, and their economies, and it is imperative that Congress act to enhance US competitiveness," said the letter.

    Continue reading
  • Intel withholds Ohio fab ceremony over US chip subsidies inaction
    $20b factory construction start date unchanged – but the x86 giant is not happy

    Intel has found a new way to voice its displeasure over Congress' inability to pass $52 billion in subsidies to expand US semiconductor manufacturing: withholding a planned groundbreaking ceremony for its $20 billion fab mega-site in Ohio that stands to benefit from the federal funding.

    The Wall Street Journal reported that Intel was tentatively scheduled to hold a groundbreaking ceremony for the Ohio manufacturing site with state and federal bigwigs on July 22. But, in an email seen by the newspaper, the x86 giant told officials Wednesday it was indefinitely delaying the festivities "due in part to uncertainty around" the stalled Creating Helpful Incentives to Produce Semiconductors (CHIPS) for America Act.

    That proposed law authorizes the aforementioned subsidies for Intel and others, and so its delay is holding back funding for the chipmakers.

    Continue reading
  • US to help Japan make leading-edge 2nm chips, possibly by 2025
    Player Four has entered the game

    Japan is reportedly hoping to join the ranks of countries producing leading-edge 2nm chips as soon as 2025, and it's working with the US to make such ambitions a reality.

    Nikkei reported Wednesday that businesses from both countries will jointly research the design and manufacturing of such components for devices ranging from smartphones to servers as part of a "bilateral chip technology partnership" between America and Japan.

    The report arrives less than a month after US and Japanese leaders said they would collaborate on next-generation semiconductors as part of broader agreement that also calls for "protecting and promoting critical technologies, including through the use of export controls."

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading
  • Ubuntu releases Core 22: Its IoT and edge distro
    A tougher nut to crack than the regular flavor, some will find it very tasty

    Canonical's Linux distro for edge devices and the Internet of Things, Ubuntu Core 22, is out.

    This is the fourth release of Ubuntu Core, and as you might guess from the version number, it's based on the current Long Term Support release of Ubuntu, version 22.04.

    Ubuntu Core is quite a different product from normal Ubuntu, even the text-only Ubuntu Server. Core has no conventional package manager, just Snap, and the OS itself is built from Snap packages. Snap installations and updates are transactional: this means that either they succeed completely, or the OS automatically rolls them back, leaving no trace except an entry in a log file.

    Continue reading
  • Chipmakers to spend record $109b on fab machines this year
    Factories hope to buy their way out of shortages – with Taiwan leading the pack

    If you've been ripping your hair out about the ongoing semiconductor shortage, you should know that chip manufacturers are at least trying to spend their way out of the problem at record levels.

    Chipmakers across the world are expected to increase spending on equipment for front-end manufacturing plants by 20 percent to an all-time high of $109 billion in 2022, according to the latest World Fab Forecast report from semiconductor industry group SEMI.

    To help illustrate how much money semiconductor companies are spending on fab equipment, consider the fact that they only handed over $55 billion for new kit in 2019, which means that the estimated investments this year represent a roughly 2x increase from three years ago.

    Continue reading
  • What if ransomware evolved to hit IoT in the enterprise?
    Proof-of-concept lab work demos potential future threat

    Forescout researchers have demonstrated how ransomware could spread through an enterprise from vulnerable Internet-of-Things gear.

    The security firm's Vedere Labs team said it developed a proof-of-concept strain of this type of next-generation malware, which they called R4IoT. After gaining initial access via IoT devices, the malware moves laterally through the IT network, deploying ransomware and cryptocurrency miners while also exfiltrating data, before taking advantage of operational technology (OT) systems to potentially physically disrupt critical business operations, such as pipelines or manufacturing equipment.

    In other words: a complete albeit theoretical corporate nightmare.

    Continue reading

Biting the hand that feeds IT © 1998–2022