Robots are showing up in industrial settings, in hospitals, on our roads as autonomous vehicles, in secure facilities as guards, and in our homes, as carpet cleaners, children’s companions. Soon they will be everywhere, assisting, working, moving goods, and providing a variety of services.
What are the security implications as we begin to use these systems? Recent experience with IoT hacking and the interruptions to the Internet this has caused begs the question about the hackability of our robotic friends.
A recent study by IOActive found over 50 cybersecurity vulnerabilities, and their study was not an exhaustive security audit. Some of the bigger issues were:
- Insecure communications – Most robot systems communicate using the Internet, WiFi, and Bluetooth in clear text or with weak encryption.
- Weak authentication and missing authorization – Authentication is the security principle that ensures that only authorized users can operate a system. Many of todays robots require no passwords, or passwords can be bypassed, allowing unauthorized users to access controls and functions.
- Weak encryption – Encryption keeps communication channels secure, and keeps store data private. Most of the robots tested did not use encryption or used it improperly.
- Privacy Concerns – Many of these systems are designed to interact with their human users, to learn our preferences and behaviors by observing, and serve as collection points with information about our preferences, previous purchases or activities, our location, what we read or watch. With the poor authentication and encryption standards, this information is available to a savvy attacker.
- Insecure defaults configurations – This includes offenses as open remote access, weak default user and password credentials, or passwords that could not be changed by the user.
- Vulnerable operating systems and software – Many robots use the Robot Operating System (ROS), and this platform has a number of serious security deficiencies which make it trivial for an attacker to take over and modify the software.
So if robots are hackable, what is the end game of an attacker who was taking control of a robot?
- Access to on-board microphones and cameras for surveillance.
- Remotely control installed applications.
- A compromised robot could allow access to other devices and information storage on the network.
- This could be extended to allow access to cloud services and resources of the owner/user.
- Physical access to the robot could allow connecting other devices to accessible ports such as USB ports.
- Installing malicious software, firmware, and operating system modifications could allow an attacker to use the robot in unexpected ways that may be dangerous for the user.
- Mobile and autonomous robots could be controlled in ways that would be hazardous to humans in proximity.
When your cable modem goes crazy and becomes part of a botnet it is not hazardous to your health. But what happens when your autonomous lawn robot gets hacked and starts chasing you or your kids around the yard? Or someone hacks your autonomous vehicle while you are on the way to the office and uses it for a kidnap and extortion exploit? Once again we see security being skipped in the rush to market. Because of the close interaction between humans and robots, security really needs to be baked into the code before they are shipped to trusting, unsuspecting, and inexperienced non-technical users.