Robots are increasingly common in the 21st Century, both on the factory floor and in the home; however, it appears their security systems are anything but modern and high tech.
In March, IOActive released partial research showing that hacking a variety of industrial and home robotics systems wasn't too difficult. Now, after vendors have been busy patching, the researchers are showing how it is done and the potentially lethal consequences.
When it comes to causing serious damage, industrial robots have the biggest potential for harm. They're weighty beasts, with the ability to hit fleshy humans very hard if so programmed. The researchers found that with access to a factory network, these kinds of systems were trivially easy to hack.
For example, systems from Universal Robots were vulnerable in a variety of ways:
- A simple stack-based buffer overflow condition would allow new code to be written onto the robots' systems.
- A key part of the operating system had no authentication control on the robot's movements.
- Units had a static SSH host key that left them open to man-in-the-middle attack.
It's unlikely that anyone would be bonkers enough to hack this robot and try to harm people – they're static and you'd have to make them flail around like President Trump mocking a disabled reporter – but for the smart hacker there are a host of possibilities for these kinds of attacks.
For example, the Stuxnet malware managed to temporarily cripple Iran's nuclear centrifuges by messing with speed controls on the machinery and hiding this from controllers. Now imagine similar code in an arms factory instructing the robots to make tiny but important changes to their tasks that could cripple the end product – underboring the size of a tank barrel, for example.
Alternatively, a cunning hacker could have used these now-patched flaws to shut down a production floor. If they had shorted the stock of the target company, the ensuing loss of facilities and knock-on effects could prove very popular.
The spy inside your home
While the industrial side of things could prove expensive, it turns out that home robots also have major issues – particularly with the apps that control them. This allowed the researchers to have a little fun making the UBTech Alpha 2 a bit stabby.
Admittedly that's not going to do anyone any harm unless they are immobilized and very thin-skinned – the robot's too clumsy and slow. But the Alpha 2 and similar house robots like SoftBank Robotics' Pepper and NAO designs are loaded with microphones and cameras that could allow a hacker full visual access to the owner's home.
The chief problems these types of robots had were a lack of code signing and protection, and the fact that some of the mobile apps that control the devices proved easy either to man-in-the-middle or to alter so that new remote access code could reside in the main app.
These little home spies could be used to stalk their owners' lives, tell a burglar if anyone's home, and possibly even open the front door for them if the machine has the dexterity. Given the expensive nature of the hardware, you'd have thought the manufacturers might have put a bit more thought into basic security measures. ®