Who Needs Skynet? Robots Are Easily Hacked By Humans

We can’t talk about robots without thinking of them running amok, as in the Terminator movies. But it turns out that most of the robots that are available today can be easily hacked by humans.

Robots are showing up in industrial settings, in hospitals, on our roads as autonomous vehicles, in secure facilities as guards, and in our homes as carpet cleaners and children’s companions. Soon they will be everywhere, assisting, working, moving goods, and providing a variety of services.

What are the security implications as we begin to use these systems? Recent experience with IoT hacking, and the interruptions to the Internet it has caused, raises the question of how hackable our robotic friends are.

A recent study by IOActive found over 50 cybersecurity vulnerabilities, even though the study was not an exhaustive security audit. Some of the bigger issues were:

  • Insecure communications – Most robot systems communicate using the Internet, WiFi, and Bluetooth in clear text or with weak encryption.
  • Weak authentication and missing authorization – Authentication is the security principle that ensures that only authorized users can operate a system. Many of today’s robots require no passwords, or passwords can be bypassed, allowing unauthorized users to access controls and functions.
  • Weak encryption – Encryption keeps communication channels secure, and keeps stored data private. Most of the robots tested did not use encryption or used it improperly.
  • Privacy Concerns – Many of these systems are designed to interact with their human users, to learn our preferences and behaviors by observing, and serve as collection points with information about our preferences, previous purchases or activities, our location, what we read or watch.  With the poor authentication and encryption standards, this information is available to a savvy attacker.
  • Insecure default configurations – This includes offenses such as open remote access, weak default user and password credentials, or passwords that could not be changed by the user.
  • Vulnerable operating systems and software – Many robots use the Robot Operating System (ROS), and this platform has a number of serious security deficiencies which make it trivial for an attacker to take over and modify the software.

So if robots are hackable, what is the end game of an attacker who takes control of a robot?

  • Access to on-board microphones and cameras for surveillance.
  • Remotely control installed applications.
  • A compromised robot could allow access to other devices and information storage on the network.
  • This could be extended to allow access to cloud services and resources of the owner/user.
  • Physical access to the robot could allow connecting other devices to accessible ports such as USB ports.
  • Installing malicious software, firmware, and operating system modifications could allow an attacker to use the robot in unexpected ways that may be dangerous for the user.
  • Mobile and autonomous robots could be controlled in ways that would be hazardous to humans in proximity.

When your cable modem goes crazy and becomes part of a botnet, it is not hazardous to your health. But what happens when your autonomous lawn robot gets hacked and starts chasing you or your kids around the yard? Or someone hacks your autonomous vehicle while you are on the way to the office and uses it for a kidnap and extortion exploit? Once again we see security being skipped in the rush to market. Because of the close interaction between humans and robots, security really needs to be baked into the code before they are shipped to trusting, unsuspecting, and inexperienced non-technical users.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
